[ 
https://issues.apache.org/jira/browse/JCR-2355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12766020#action_12766020
 ] 

Felix Meschberger commented on JCR-2355:
----------------------------------------

I agree that the security might be hampered with when this is used unknowingly.

Still, it must explicitly be enabled on a repository configuration level and 
the default is that it is not enabled.

I am perfectly ok to raise the requirements for the attribute above the basic 
presence. For example, we could say, the attribute must be set to a session 
which has certain access rights. This would limit the use of this functionality 
to code which already has access to the repository at a certain level.

On another you raised your veto. Do you stand by this veto? In this case, 
since you are a member of the PMC, I would have to remove the code again.

> Support easy pre-authenticated login
> ------------------------------------
>
>                 Key: JCR-2355
>                 URL: https://issues.apache.org/jira/browse/JCR-2355
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-core
>    Affects Versions: 2.0-alpha11
>            Reporter: Felix Meschberger
>             Fix For: 2.0-alpha12
>
>         Attachments: JCR-2355.patch
>
>
> Some applications authenticate users themselves and just need to access the 
> repository on behalf of these pre-authenticated users.
> Examples of such pre-authentications include SSO solutions or web 
> applications using a web-based authentication protocol not easily 
> implementable in a JAAS LoginModule, for example OpenID or similar.
> In such situations a password may not be provided in SimpleCredentials and 
> thus regular login with user name and password is not possible.
> Therefore I propose the enhancement of the AbstractLoginModule to allow for 
> setting a specific attribute in the SimpleCredentials attribute map. If this 
> attribute is set, authentication and login succeeds and a session for the 
> user named in the SimpleCredentials is created.
> As a starter we might just check for the presence of the attribute.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
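
The presence-only check from the issue description next to the stricter check proposed in the comment, as an added example that is not Jackrabbit's code or the attached patch. The attribute name, the required path and action, and the proxy-based stub Session are assumptions for illustration; it needs the JCR 2.0 API (javax.jcr) on the classpath.

```java
import java.lang.reflect.Proxy;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;

public class PreAuthCheckExample {
    // Hypothetical attribute name; the page does not name the real one.
    static final String PRE_AUTH_ATTR = "example.preauth.marker";
    // Assumed "certain access rights": read access to a protected node.
    static final String REQUIRED_PATH = "/example/protected";
    static final String REQUIRED_ACTION = Session.ACTION_READ;

    // "As a starter": any non-null attribute value lets the login succeed,
    // so any code able to build SimpleCredentials can log in as any user.
    static boolean presenceOnly(SimpleCredentials creds) {
        return creds.getAttribute(PRE_AUTH_ATTR) != null;
    }

    // Stricter variant: the value must be a live Session that already
    // holds the required right, so only code with repository access passes.
    static boolean requiresPrivilegedSession(SimpleCredentials creds) {
        Object value = creds.getAttribute(PRE_AUTH_ATTR);
        if (!(value instanceof Session)) {
            return false;
        }
        Session caller = (Session) value;
        try {
            return caller.isLive() && caller.hasPermission(REQUIRED_PATH, REQUIRED_ACTION);
        } catch (RepositoryException e) {
            return false; // fail closed when the permission check itself fails
        }
    }

    // Constructed stand-in for a Session so the example runs without a repository.
    static Session stubSession(boolean live, boolean permitted) {
        return (Session) Proxy.newProxyInstance(Session.class.getClassLoader(),
            new Class<?>[] { Session.class }, (proxy, method, args) -> {
                switch (method.getName()) {
                    case "isLive": return live;
                    case "hasPermission": return permitted;
                    default: throw new UnsupportedOperationException(method.getName());
                }
            });
    }

    public static void main(String[] args) {
        SimpleCredentials creds = new SimpleCredentials("alice", new char[0]);
        Object[] values = { "anything", stubSession(true, false), stubSession(true, true) };
        for (Object value : values) {
            creds.setAttribute(PRE_AUTH_ATTR, value);
            System.out.println(presenceOnly(creds) + " / " + requiresPrivilegedSession(creds));
        }
    }
}
```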
