[
https://issues.apache.org/jira/browse/JCRVLT-515?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Konrad Windszus updated JCRVLT-515:
-----------------------------------
Description: Currently the AdminPermissionChecker only evaluates the
session-bound user id in
https://github.com/kwin/jackrabbit-filevault/blob/49e3c2179c18e0552e49b0671843d85d045ebf48/vault-core/src/main/java/org/apache/jackrabbit/vault/packaging/impl/AdminPermissionChecker.java#L54.
This does not work well with principal based login (like with Sling Service
Authentication) as in general only the first principal is returned (in case it
is backed by a real JCR user). Instead one should leverage
{{org.apache.jackrabbit.api.security.principal.PrincipalManager}} to retrieve
all principals bound to the session and check that at least one is the
administrator. (was: Currently the AdminPermissionChecker only evaluates the
session-bound user id in
https://github.com/kwin/jackrabbit-filevault/blob/49e3c2179c18e0552e49b0671843d85d045ebf48/vault-core/src/main/java/org/apache/jackrabbit/vault/packaging/impl/AdminPermissionChecker.java#L54.
This does not work well with principal based login (like with Sling Service
Authentication) as in general only the principal is returned (in case it is
backed by a real JCR user). Instead one should leverage
{{org.apache.jackrabbit.api.security.principal.PrincipalManager}} to retrieve
all principals bound to the session and check that at least one is configured
to have the access.)
> AdminPermissionChecker should evaluate all principals bound to the Session
> --------------------------------------------------------------------------
>
> Key: JCRVLT-515
> URL: https://issues.apache.org/jira/browse/JCRVLT-515
> Project: Jackrabbit FileVault
> Issue Type: Improvement
> Components: vlt
> Reporter: Konrad Windszus
> Priority: Major
> Fix For: 3.4.12
>
>
> Currently the AdminPermissionChecker only evaluates the session-bound user id
> in
> https://github.com/kwin/jackrabbit-filevault/blob/49e3c2179c18e0552e49b0671843d85d045ebf48/vault-core/src/main/java/org/apache/jackrabbit/vault/packaging/impl/AdminPermissionChecker.java#L54.
> This does not work well with principal based login (like with Sling Service
> Authentication) as in general only the first principal is returned (in case
> it is backed by a real JCR user). Instead one should leverage
> {{org.apache.jackrabbit.api.security.principal.PrincipalManager}} to retrieve
> all principals bound to the session and check that at least one is the
> administrator.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
