[
https://issues.apache.org/jira/browse/JCR-4050?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15693911#comment-15693911
]
angela commented on JCR-4050:
-----------------------------
[~olli], i have to say that i am pretty surprised to see the repo-init tool to
allow for creation of regular users. i distinctly remember the initial idea was
to provide a tool to create service users and that me and other security
engineers strongly suggested to not expand that to regular users. i am not sure
I understand what would be the use case for creating regular users during the
repo init. and apart from that, if users were to be pre-created based on a
configuration that can be shared by different installations, i would strongly
recommend to create them without password. writing the pw to the provision
model really sounds like a very bad idea.
/cc [~bdelacretaz]
> Allow creation of users with existing password hashes in UserManager
> ---------------------------------------------------------------------
>
> Key: JCR-4050
> URL: https://issues.apache.org/jira/browse/JCR-4050
> Project: Jackrabbit Content Repository
> Issue Type: New Feature
> Components: jackrabbit-api, jackrabbit-core, security
> Reporter: Jeffrey Bornemann
> Priority: Minor
>
> We utilize the UserManager API within Grabbit for syncing authorizable nodes
> between servers.
> Unfortunately, when it comes to syncing users, and specifically setting
> passwords from existing users; we have no public API facing way to create
> users with existing password hashes. We currently have to resort to using
> reflection, grabbing internal tree objects, and a bunch of nastiness that we
> would love to avoid with this change.
> Other consumers may also find this useful.