[
https://issues.apache.org/jira/browse/JCRVLT-515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17325884#comment-17325884
]
Konrad Windszus edited comment on JCRVLT-515 at 4/20/21, 3:05 PM:
------------------------------------------------------------------
Obviously not from the JCR API. But my question was about this class
specifically:
https://github.com/apache/jackrabbit-oak/blob/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java.
But I see that this is not even exported in
https://github.com/apache/jackrabbit-oak/blob/77f243b8b810f7c611d1b1cd9b06abfc5e546446/oak-jcr/pom.xml#L160.
Is the Oak API not intended for consumers? Is all access there supposed to be
done via either the JCR or the Jackrabbit API?
Sometimes the repository has been constructed by some other party (e.g. in the
context of Sling) and the only APIs available are the JCR and Jackrabbit APIs.
> AdminPermissionChecker should evaluate all principals bound to the Session
> --------------------------------------------------------------------------
>
> Key: JCRVLT-515
> URL: https://issues.apache.org/jira/browse/JCRVLT-515
> Project: Jackrabbit FileVault
> Issue Type: Improvement
> Components: vlt
> Reporter: Konrad Windszus
> Priority: Major
> Fix For: 3.4.12
>
>
> Currently the AdminPermissionChecker only evaluates the session-bound user id
> in
> https://github.com/kwin/jackrabbit-filevault/blob/49e3c2179c18e0552e49b0671843d85d045ebf48/vault-core/src/main/java/org/apache/jackrabbit/vault/packaging/impl/AdminPermissionChecker.java#L54.
> This does not work well with principal-based login (like with Sling Service
> Authentication) as in general only the first principal is returned (in case
> it is backed by a real JCR user). Instead, one should leverage
> {{org.apache.jackrabbit.api.security.principal.PrincipalManager}} to retrieve
> all principals bound to the session and check that at least one is the
> administrator.