Hi all,
JCR-2851 introduced token-based authentication support, which allows
password-less access as long as a known token is available.
On creation of the token all SimpleCredentials attributes are copied to
the token node. These attributes must be matched on subsequent requests
with attributes from the TokenCredentials object supplied.
I propose to extend the attribute support as follows:
* Attributes are either optional or mandatory. Optional attributes
present in the SimpleCredentials object are just stored in the
token node but are not matched on subsequent requests. Mandatory
attributes must be present in subsequent requests, where they serve
as a secondary validation mechanism.
* When creating the Session from the SimpleCredentials (on first
access creating the token) only the optional attributes (plus the
token value of course) are copied to the Session attributes. The
mandatory attributes are not copied.
* When creating the Session from the TokenCredentials (on subsequent
access validating the supplied token and mandatory attributes) the
optional attributes stored in the token node are copied to the
Session attributes while (again) the mandatory attributes are not
copied.
This prevents mandatory attributes from leaking into the Session while
still allowing the token node to be used as a temporary store for
informational attributes.
WDYT?
Regards
Felix
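Added example, not part of Felix's message or of the Jackrabbit code base: a small Python model of the proposed rules, showing what ends up in the token node and in the Session on first login and on later token logins. It assumes a naming convention (attribute names prefixed with `mandatory.`) to tell the two classes apart, an in-memory dict standing in for the token nodes, and `.token` as the Session attribute name; all three are assumptions.

```python
import hmac
import secrets

# Assumed convention (the proposal does not say how mandatory attributes
# are marked): names starting with MANDATORY_PREFIX are mandatory, the
# rest are optional. TOKEN_ATTR is the assumed Session attribute name.
MANDATORY_PREFIX = "mandatory."
TOKEN_ATTR = ".token"


def split_attributes(attrs):
    """Split credential attributes into (mandatory, optional) dicts."""
    mandatory = {k: v for k, v in attrs.items() if k.startswith(MANDATORY_PREFIX)}
    optional = {k: v for k, v in attrs.items() if not k.startswith(MANDATORY_PREFIX)}
    return mandatory, optional


def create_token(token_store, simple_attrs):
    """First login with SimpleCredentials: every attribute is stored in the
    token node, but only the token and the optional attributes are exposed
    as Session attributes. Returns (token, session_attributes)."""
    token = secrets.token_hex(16)
    mandatory, optional = split_attributes(simple_attrs)
    token_store[token] = {"mandatory": mandatory, "optional": optional}
    session_attrs = dict(optional)
    session_attrs[TOKEN_ATTR] = token
    return token, session_attrs


def login_with_token(token_store, token, token_attrs):
    """Subsequent login with TokenCredentials: the token must be known and
    every mandatory attribute must be supplied with a matching value.
    Optional attributes in the request are ignored. Returns the Session
    attributes (optional ones from the token node, never mandatory ones)
    or None when validation fails."""
    node = token_store.get(token)
    if node is None:
        return None
    for name, expected in node["mandatory"].items():
        supplied = token_attrs.get(name)
        # Constant-time comparison so a mismatch does not leak timing information.
        if supplied is None or not hmac.compare_digest(
            str(expected).encode(), str(supplied).encode()
        ):
            return None
    session_attrs = dict(node["optional"])
    session_attrs[TOKEN_ATTR] = token
    return session_attrs
```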