[ 
https://issues.apache.org/jira/browse/JCR-2355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12766015#action_12766015
 ] 

Alexander Klimetschek commented on JCR-2355:
--------------------------------------------

Ahem, this can be a security breach! This attribute 
"trust_credentials_attribute" on SimpleCredentials basically works as a (very 
simple) master password. Hence this patch implicitly trusts the calling code, 
but if the repository is available e.g. via RMI, anyone could connect to it and 
log in as any user, because that attribute can be set over RMI (AFAIK).

A big -1. It should rather be easy to write a special login module that can be 
set by configuration and handles SSO things and co.



> Support easy pre-authenticated login
> ------------------------------------
>
>                 Key: JCR-2355
>                 URL: https://issues.apache.org/jira/browse/JCR-2355
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-core
>    Affects Versions: 2.0-alpha11
>            Reporter: Felix Meschberger
>             Fix For: 2.0-alpha12
>
>         Attachments: JCR-2355.patch
>
>
> Some applications authenticate users themselves and just need to access the 
> repository on behalf of these pre-authenticated users.
> Examples of such pre-authentications include SSO solutions or web 
> applications using a web-based authentication protocol not easily 
> implementable in a JAAS LoginModule, for example OpenID or similar.
> In such situations a password may not be provided in SimpleCredentials and 
> thus regular login with user name and password is not possible.
> Therefore I propose the enhancement of the AbstractLoginModule to allow for 
> setting a specific attribute in the SimpleCredentials attribute map. If this 
> attribute is set, authentication and login succeeds and a session for the 
> user named in the SimpleCredentials is created.
> As a starter we might just check for the presence of the attribute.

-- 
This message is automatically generated by JIRA.
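To make the two positions in this thread concrete, here is an added example that is not part of the issue, the patch, or Jackrabbit itself. It contrasts the presence-only check proposed in the issue ("we might just check for the presence of the attribute") with the kind of check a dedicated, configuration-selected login module could perform on the same attribute: the attribute must carry a token bound to the user ID and an expiry, MACed with a secret that only the server-side SSO integration holds, so a caller who merely reaches the repository over RMI cannot mint one. The attribute name is taken from the comment above; in a real deployment it is whatever the login module is configured to read. The class, method and token format (`PreauthTokenCheck`, `naiveTrustCheck`, `mint`, `verify`, `user:expiry:base64(HMAC)`) are assumptions made for this example, and `jcr-2.0.jar` is assumed on the classpath for `SimpleCredentials`; everything else is JDK.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.jcr.SimpleCredentials;

/**
 * Added example, not Jackrabbit code. Shows why a presence-only "trust" attribute
 * is a master password for anyone who can build a SimpleCredentials object (e.g.
 * an RMI client), and what a login module that verifies a server-minted token
 * would check instead. Token format (an assumption): user:expiryMillis:base64(HMAC).
 */
public class PreauthTokenCheck {
    // Attribute name as discussed in the thread; in Jackrabbit it is a config parameter.
    static final String ATTR = "trust_credentials_attribute";

    // Secret shared only between the SSO front end and the login module,
    // never handed to repository clients.
    private final byte[] secret;
    private final long ttlMillis;

    PreauthTokenCheck(byte[] secret, long ttlMillis) {
        this.secret = secret.clone();
        this.ttlMillis = ttlMillis;
    }

    /** The check the issue proposes as a starter: anyone who sets the attribute is trusted. */
    static boolean naiveTrustCheck(SimpleCredentials creds) {
        return creds.getAttribute(ATTR) != null;
    }

    /** Called server-side after the real (SSO/OpenID) authentication has succeeded. */
    String mint(String userId, long nowMillis) {
        long expiry = nowMillis + ttlMillis;
        String payload = userId + ":" + expiry;
        return payload + ":" + Base64.getEncoder().encodeToString(hmac(payload));
    }

    /** Accepts only an unexpired token naming the same user as the credentials, with a valid MAC. */
    boolean verify(SimpleCredentials creds, long nowMillis) {
        Object attr = creds.getAttribute(ATTR);
        if (!(attr instanceof String)) {
            return false;                       // Boolean.TRUE or any other marker is worthless here
        }
        String token = (String) attr;
        int macSep = token.lastIndexOf(':');
        int expSep = macSep > 0 ? token.lastIndexOf(':', macSep - 1) : -1;
        if (expSep < 0) {
            return false;
        }
        String user = token.substring(0, expSep);
        String expiryText = token.substring(expSep + 1, macSep);
        String macText = token.substring(macSep + 1);

        // The user ID the session would be created for must be the one the token was minted for.
        if (!user.equals(creds.getUserID())) {
            return false;
        }
        long expiry;
        byte[] given;
        try {
            expiry = Long.parseLong(expiryText);
            given = Base64.getDecoder().decode(macText);
        } catch (IllegalArgumentException e) {      // NumberFormatException is a subclass
            return false;
        }
        if (nowMillis >= expiry) {
            return false;
        }
        // Expiry is part of the MACed payload, so a caller cannot extend a token.
        byte[] expected = hmac(user + ":" + expiry);
        return MessageDigest.isEqual(expected, given); // constant-time compare
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        PreauthTokenCheck check = new PreauthTokenCheck(secret, 60_000L);
        long now = System.currentTimeMillis();

        // What any client with repository access can do against the presence-only check.
        SimpleCredentials forged = new SimpleCredentials("admin", new char[0]);
        forged.setAttribute(ATTR, Boolean.TRUE);
        System.out.println("presence-only check accepts forged admin: " + naiveTrustCheck(forged));
        System.out.println("token check accepts forged admin:         " + check.verify(forged, now));

        // A token minted server-side for alice works for alice only, and only until it expires.
        SimpleCredentials alice = new SimpleCredentials("alice", new char[0]);
        alice.setAttribute(ATTR, check.mint("alice", now));
        System.out.println("token check accepts alice's own token:    " + check.verify(alice, now));

        SimpleCredentials replayed = new SimpleCredentials("admin", new char[0]);
        replayed.setAttribute(ATTR, alice.getAttribute(ATTR));
        System.out.println("alice's token replayed as admin:          " + check.verify(replayed, now));
        System.out.println("alice's token after expiry:               " + check.verify(alice, now + 61_000L));
    }
}
```

In a real deployment `verify` would sit inside a JAAS `LoginModule` selected in the repository configuration, which is the route the comment above recommends, and the secret would live only with that module and the SSO front end. Note that the token check closes the forgery hole the comment describes but not the transport one: if the token travels to the repository over an unauthenticated RMI link, it can still be captured and replayed within its lifetime, so the TTL should be short and the RMI endpoint should not be reachable by untrusted callers in the first place.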