[jira] Commented: (SLING-1282) Adminisrative logins depend on password in the code or config

Sat, 23 Jan 2010 07:00:39 -0800 

    [ 
https://issues.apache.org/jira/browse/SLING-1282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12804089#action_12804089
 ] 

Felix Meschberger commented on SLING-1282:
------------------------------------------

> Jackrabbit binds directly to SImpleCredentials which is final. 

Yes, this is a problem with the 1.6 branch. It is better in 2.0 which has a new 
method supportsCredentials(Credentials) which may be overwritten to support 
extended credentials.

Looking at the patch, I think it looks basically ok but is not backwards 
compatible: Extensions of the AbstractSlingRepository will break. Thus I would 
suggest we keep the passwords in the AbstractSlingRepository and provide 
default implementations for the getAdministrativeCredentials and 
getAnonymousCredentials method. The embedded repository bundle, could then 
overwrite these implementations using the new credentials (thus simply ignoring 
the passwords, not nice for now, but probably best we can do at this moment).

> Adminisrative logins depend on password in the code or config
> -------------------------------------------------------------
>
>                 Key: SLING-1282
>                 URL: https://issues.apache.org/jira/browse/SLING-1282
>             Project: Sling
>          Issue Type: Bug
>          Components: JCR
>    Affects Versions: JCR Jackrabbit Server 2.0.6
>            Reporter: Ian Boston
>            Assignee: Ian Boston
>             Fix For: JCR Jackrabbit Server 2.0.6
>
>
> Administrative logins use SimpleCredentials which means that they have to 
> have a password. Although this is a configuration parameter changing the 
> admin password creates some JVM timing difficulties especially when operating 
> in a cluster. (JVMs would probably need to be restarted with new config 
> immediately after changing the admin password.)
> It would be better to use special credentials to indicate internal logins to 
> the repository (eg public final class AdministrativeCredentials implements 
> Credentials)
> same is true for Anon/Guest users, although less important.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to