[ https://issues.apache.org/jira/browse/JCR-2895?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
angela updated JCR-2895:
------------------------
Component/s: security, jackrabbit-core
> SessionImpl#getSubject() should return an unmodifiable subject
> --------------------------------------------------------------
>
> Key: JCR-2895
> URL: https://issues.apache.org/jira/browse/JCR-2895
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-core, security
> Reporter: angela
> Assignee: angela
>
> For security reasons the subject exposed by SessionImpl#getSubject() should be unmodifiable, or at least changes made to it should not modify the subject held by the session.
> Currently I see the following options to get there:
> a: set readonly flag on the subject associated with the session
> b: getSubject() returns a new instance of Subject having the same characteristics as the subject associated with the session
> c: getSubject() returns a new but readonly Subject instance
> My preferred solution was c as
> - it doesn't change the characteristics of the subject
> - the unmodifiable status is transparent to the caller since modifying the subject fails without forcing the API consumer to read the Javadoc to know why changing the subject is not reflected on the session itself (that would be a drawback of b).
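
The three options from the issue description, as an added example on plain JAAS (`javax.security.auth.Subject`) rather than Jackrabbit's own code. `DemoSession` and its method names are hypothetical stand-ins for `SessionImpl` and `getSubject()`, and the principal names are constructed.

```java
import java.security.Principal;
import javax.security.auth.Subject;

// Added illustration built on plain JAAS; DemoSession is hypothetical, not Jackrabbit code.
public class SubjectExposureDemo {
    static final class DemoSession {
        private final Subject subject;
        DemoSession(Subject subject) { this.subject = subject; }

        // Behaviour the issue reports: the session's own instance is handed out.
        Subject live() { return subject; }

        // Options b (readOnly=false) and c (readOnly=true): the constructor copies the sets.
        Subject copy(boolean readOnly) {
            return new Subject(readOnly, subject.getPrincipals(),
                    subject.getPublicCredentials(), subject.getPrivateCredentials());
        }
        // Option a: flag the session's own subject; irreversible, and it also
        // stops the session's own code from changing the subject afterwards.
        void lock() { subject.setReadOnly(); }
        int principalCount() { return subject.getPrincipals().size(); }
    }

    static Principal named(String name) { return () -> name; } // constructed test principal

    // Tries to add a principal and reports whether the Subject accepted it.
    static boolean tryAdd(Subject s, String name) {
        try {
            return s.getPrincipals().add(named(name));
        } catch (IllegalStateException readOnly) {
            return false;
        }
    }

    public static void main(String[] args) {
        Subject s = new Subject();
        s.getPrincipals().add(named("alice"));
        DemoSession session = new DemoSession(s);
        System.out.println("live: accepted=" + tryAdd(session.live(), "extra")
                + " session principals=" + session.principalCount());
        System.out.println("b:    accepted=" + tryAdd(session.copy(false), "extra")
                + " session principals=" + session.principalCount());
        System.out.println("c:    accepted=" + tryAdd(session.copy(true), "extra")
                + " session principals=" + session.principalCount());
        session.lock();
        System.out.println("a:    accepted=" + tryAdd(session.live(), "extra")
                + " session principals=" + session.principalCount());
    }
}
```

With option b the caller's change is accepted but never reaches the session, while with option c the same change is rejected with an `IllegalStateException`, which is the difference the description gives as the reason for preferring c.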