[
https://issues.apache.org/jira/browse/SLING-10281?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17325869#comment-17325869
]
Konrad Windszus commented on SLING-10281:
-----------------------------------------
"Supported tree" is the area where principal-based access control is supported,
configured via
https://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/principalbased/Filter.html
and in OSGi context via PID {{
org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.FilterProviderImpl}}.
That part hasn't really changed though. It never worked there, but with
SLING-9449 was just ignored and now leads to an exception (i.e. preventing the
repository from starting up).
The different behaviour can be seen e.g. in
https://github.com/apache/sling-org-apache-sling-jcr-repoinit/pull/14/files#diff-3d14a072a6c806a780386eb77cf96ad4e75b1959093dd46da8a3d500ab681148R473
(i.e. exception expected instead of warn).
I would appreciate a comment directly on the PR to make it clear, where you
would see changes necessary.
> Revert changes from SLING-9449
> ------------------------------
>
> Key: SLING-10281
> URL: https://issues.apache.org/jira/browse/SLING-10281
> Project: Sling
> Issue Type: Bug
> Components: Repoinit
> Affects Versions: Repoinit JCR 1.1.34
> Reporter: Konrad Windszus
> Assignee: Konrad Windszus
> Priority: Major
> Fix For: Repoinit JCR 1.1.36
>
> Time Spent: 4h 40m
> Remaining Estimate: 0h
>
> As highlighted in the last comment of SLING-9449, repoinit should use
> exceptions when some statements cannot be applied (as that leads to an
> undesired repository state). In the worst case it could lead to privilege
> escalation
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
