Hi,
When looking at some problems I have been having with pooled sessions and
administrative logins I noticed the following.
The Admin password for the repository is set in the properties of the server
bundle. It's required to create the repository in the first instance, and then
is used for every admin login. I have some concerns.
1. Since the webconsole plugins can get properties for all bundles, it
must be possible for any bundle to get the configuration properties of the
server bundle and hence the admin password. I haven't tried, but would it be
possible to use a JSP page to get the admin password? Although we trust the
code in the JVM, that feels wrong.
2. Changing the admin password requires that all JVM instances are reconfigured
at the same time, although once the password is changed all loginAdministrative
operations break until the server bundle is reconfigured.
IMHO, it would be better to use special credentials to identify the
administrative logins bound to the admin user.
e.g.
public final class AdministrativeCredentials implements Credentials { ... }
public final class GuestCredentials implements Credentials { ... }
both private to the server bundle and only used by the SlingRepository impl.
WDYT?
Ian
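A sketch of the marker-credentials idea proposed in the message above, added here as an example; it is not code from the post or from Sling. Only `javax.jcr.Credentials` is the real JCR interface (the JCR API jar is assumed on the classpath); `AdministrativeCredentials`, `GuestCredentials`, `MarkerAuthenticator` and `SlingRepositorySketch` are hypothetical names.

```java
import javax.jcr.Credentials;

// Hypothetical sketch of the "special credentials" idea: the admin and guest
// logins are identified by a private marker object, not by a password that
// has to be stored in the server bundle's configuration.
final class AdministrativeCredentials implements Credentials {
    // Single instance; only code in this package (the server bundle) can reach it.
    static final AdministrativeCredentials INSTANCE = new AdministrativeCredentials();
    private AdministrativeCredentials() {}
}

final class GuestCredentials implements Credentials {
    static final GuestCredentials INSTANCE = new GuestCredentials();
    private GuestCredentials() {}
}

// Hypothetical authenticator standing in for the repository's login path.
// It recognises the marker objects by identity, so a look-alike object built
// elsewhere (another bundle, a JSP) is not accepted as the admin login.
final class MarkerAuthenticator {
    /** Returns the user id to bind the session to, or null if not recognised. */
    static String authenticate(Credentials credentials) {
        if (credentials == AdministrativeCredentials.INSTANCE) {
            return "admin";
        }
        if (credentials == GuestCredentials.INSTANCE) {
            return "anonymous";
        }
        // Ordinary user/password credentials would be checked against the user
        // store here; anything else, including a foreign marker object, is rejected.
        return null;
    }
}

// Hypothetical stand-in for the SlingRepository implementation: loginAdministrative
// no longer needs an admin password read from the bundle properties.
final class SlingRepositorySketch {
    String loginAdministrative() {
        return MarkerAuthenticator.authenticate(AdministrativeCredentials.INSTANCE);
    }
    String loginGuest() {
        return MarkerAuthenticator.authenticate(GuestCredentials.INSTANCE);
    }
    public static void main(String[] args) {
        SlingRepositorySketch repo = new SlingRepositorySketch();
        System.out.println("admin login -> " + repo.loginAdministrative());
        System.out.println("guest login -> " + repo.loginGuest());
    }
}
```

Without a security manager, reflection in the same JVM can still reach the private instance, so this pattern removes the shared password from configuration rather than creating a hard isolation boundary between bundles.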