[ https://issues.apache.org/jira/browse/JCR-3293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13815960#comment-13815960 ]

angela commented on JCR-3293:
-----------------------------

Exactly... just a minor detail: I would use repository.login(workspaceName) 
instead.

Note that the nature of the subject pretty much depends on the setup of the 
repository, in particular on the access control / permission management. The 
standard setup requires that the subject of a given session gets the complete 
set of principals set, which are then used to evaluate the effective 
permissions. In this situation the principal management (or the internal 
principal provider) acts as a link between the user on one side and the 
permission evaluation on the other.

> AbstractLoginModule: get rid of trust_credentials_attribute
> -----------------------------------------------------------
>
>                 Key: JCR-3293
>                 URL: https://issues.apache.org/jira/browse/JCR-3293
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-core
>    Affects Versions: 2.4
>            Reporter: angela
>
> Based on JCR-2355 we added a very simplistic way to indicate to the login 
> module that the given credentials have been preauthenticated. As already 
> stated in the original issue this poses a major security issue as it leaves 
> the repository access untrusted.
> I would like to raise those security concerns again and would therefore like 
> to get rid of that hack in the long run.
> The suggested procedure:
> - deprecate the attribute (immediately)
> - log a warning if it is used (immediately)
> - document how to fix code that is currently relying on that attribute
> - remove support altogether for the next major release
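The pre-authentication path the comment alludes to, shown as an added illustration that is not code from this issue or from the Jackrabbit project: the caller assembles a JAAS Subject carrying the complete principal set (user plus group principals) and opens the session with repository.login(workspaceName) from within Subject.doAs. It assumes that the repository picks up the pre-authenticated Subject from the current AccessControlContext when no Credentials are passed; the NamedPrincipal class, the user id and the group names are placeholders, and in a real setup the group principals would come from the repository's principal provider rather than from a plain named principal.

```java
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.List;
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.security.auth.Subject;

public final class PreAuthenticatedLogin {

    /**
     * Placeholder Principal. A real deployment would put the principals resolved by the
     * repository's principal provider on the Subject, including proper group principals.
     */
    private static final class NamedPrincipal implements Principal {
        private final String name;

        NamedPrincipal(String name) {
            this.name = name;
        }

        @Override
        public String getName() {
            return name;
        }

        @Override
        public boolean equals(Object o) {
            return o instanceof NamedPrincipal && name.equals(((NamedPrincipal) o).name);
        }

        @Override
        public int hashCode() {
            return name.hashCode();
        }

        @Override
        public String toString() {
            return name;
        }
    }

    /**
     * Opens a session for an already authenticated user without any Credentials object.
     * The Subject must carry the complete principal set: effective permissions are
     * evaluated against every principal on the Subject, so a Subject that only carries the
     * user principal would silently lose all group-based grants.
     */
    public static Session loginPreAuthenticated(final Repository repository,
                                                final String workspaceName,
                                                String userId,
                                                List<String> groupNames) throws Exception {
        Subject subject = new Subject();
        subject.getPrincipals().add(new NamedPrincipal(userId));
        for (String group : groupNames) {
            subject.getPrincipals().add(new NamedPrincipal(group));
        }
        // Freeze the principal set before handing the Subject to the repository.
        subject.setReadOnly();

        // Assumption: the repository reads the pre-authenticated Subject from the current
        // AccessControlContext, which is why login(workspaceName) is called inside doAs.
        return Subject.doAs(subject, new PrivilegedExceptionAction<Session>() {
            @Override
            public Session run() throws Exception {
                return repository.login(workspaceName);
            }
        });
    }
}
```

Compared with a trust attribute set on a Credentials object, which any caller able to construct credentials can also set, the trust here rests on which code is able to run under the Subject, and the principal set that drives permission evaluation is fixed before the session is created.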



--
This message was sent by Atlassian JIRA
(v6.1#6144)