[ https://issues.apache.org/jira/browse/SLING-1287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Felix Meschberger closed SLING-1287.
------------------------------------
Close after release
> Impersonation cookie must be quoted to support some special characters
> ----------------------------------------------------------------------
>
> Key: SLING-1287
> URL: https://issues.apache.org/jira/browse/SLING-1287
> Project: Sling
> Issue Type: Bug
> Components: Authentication
> Affects Versions: Auth Core 1.0.0
> Reporter: Felix Meschberger
> Assignee: Felix Meschberger
> Fix For: Auth Core 1.0.0
>
>
> The Sling authenticator supports transparent impersonation of another user
> using a so-called "sudo" parameter. Using this parameter causes the
> authenticator to set a sudo cookie, which is inspected in future requests to
> decide on whether to further impersonate requests or not.
> The problem is that the character set of cookie values is limited by RFC
> 2109 defining that a cookie value must be token or quoted-string according
> to RFC-2616:
> token = 1*<any CHAR except CTLs or separators>
> separators = "(" | ")" | "<" | ">" | "@"
> | "," | ";" | ":" | "\" | <">
> | "/" | "[" | "]" | "?" | "="
> | "{" | "}" | SP | HT
> quoted-string = ( <"> *(qdtext | quoted-pair ) <"> )
> qdtext = <any TEXT except <">>
> If the sudo user name contains an "@" sign (such as an email address), the
> value is not a token any longer and must be properly quoted.
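
The token versus quoted-string rule quoted in the issue, as an added example (not Sling's own code or the actual fix): the class `SudoCookieValue` and its methods are hypothetical names, and the sample user names are constructed. Refusing control characters and non-ASCII input is a conservative assumption of this example, so CR/LF can never reach the Set-Cookie header.

```java
public final class SudoCookieValue {
    // RFC 2616 section 2.2 separators, including SP and HT.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    /** True if value is an RFC 2616 token: 1*<any CHAR except CTLs or separators>. */
    static boolean isToken(String value) {
        if (value.isEmpty()) return false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c <= 0x1f || c >= 0x7f || SEPARATORS.indexOf(c) >= 0) return false;
        }
        return true;
    }

    /** Returns the value unchanged if it is a token, otherwise as a quoted-string. */
    static String encode(String value) {
        if (isToken(value)) return value;
        StringBuilder sb = new StringBuilder(value.length() + 2).append('"');
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            // Assumption of this example: reject CTLs (CR, LF, HT, ...) and non-ASCII.
            if (c < 0x20 || c >= 0x7f) {
                throw new IllegalArgumentException("unsupported character at index " + i);
            }
            // quoted-pair: the quote and the backslash themselves must be escaped.
            if (c == '"' || c == '\\') sb.append('\\');
            sb.append(c);
        }
        return sb.append('"').toString();
    }

    /** Reverses encode(): strips the surrounding quotes and resolves quoted-pairs. */
    static String decode(String raw) {
        int last = raw.length() - 1;
        if (last < 1 || raw.charAt(0) != '"' || raw.charAt(last) != '"') return raw;
        StringBuilder sb = new StringBuilder(raw.length());
        for (int i = 1; i < last; i++) {
            char c = raw.charAt(i);
            if (c == '\\' && i + 1 < last) c = raw.charAt(++i);
            sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample user names: a plain token, an e-mail address, embedded quotes.
        String[] samples = {"admin", "jane.doe@example.com", "a \"b\" c"};
        for (String s : samples) {
            String enc = encode(s);
            System.out.println(s + " -> " + enc + " -> " + decode(enc));
        }
    }
}
```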