Hi,

On 25.01.2010 15:02, Jukka Zitting wrote:
> Hi,
>
> On Mon, Jan 25, 2010 at 9:45 AM, <[email protected]> wrote:
>> + Session loginAdministrative(String workspace) throws LoginException,
>> + NoSuchWorkspaceException, RepositoryException;
>
> I quite dislike this method, as it essentially gives all clients the
> ability to access the repository as administrators. There's no way for
> the repository implementation to verify that the client is doing the
> right thing.

Well, yes. On the other hand in Sling this method proved quite useful (not polluting tons of code with keeping some shared secret). In a safe environment such a method should probably be JAAS guarded anyway and I would assume that remote repository implementations would also be implemented as a simple "throw new LoginException()".

>
> I'd rather see such functionality exposed through normal credentials
> with some shared secret,

The shared secret exactly has the issues noted above: Multiple code points must independently be configured with the shared secret, should this ever be modified.

> or alternatively through the
> RepositoryManager interface for which we already solved the
> "administrator-only" access problem.

I will look into this solution. Thanks for the pointer.

Regards
Felix
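
Review bot: the quoted `loginAdministrative(String workspace)` declaration takes only a workspace name and no credentials, and the lines shown carry no documentation of who is allowed to call it. Suggest adding a Javadoc contract to the method stating that implementations must restrict callers (for example with a permission check) and that an implementation unable to verify its caller should throw the already declared `LoginException`, so the access-control expectation is part of the interface rather than left to each implementation.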
