hi konrad,

yes, you are right. when using the format with [], the resulting resource resolver / session will get a subject that aggregates the specified principals and only those.

adding a group principal name will only work if you disable the JcrSystemUserValidator. but from a security point of view i would not recommend this. system users and their permissions should IMHO be considered part of the application, while permissions of groups like everyone may change independent of the code that delegates tasks to system sessions. this opens the door for privilege escalations.

hope that helps
angela

________________________________
From: Konrad Windszus <[email protected]>
Sent: Monday, December 5, 2022 10:58
To: [email protected] <[email protected]>
Subject: Re: Principal names used in org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl and "everyone" group

To answer my own question: Even the "everyone" group membership is not considered (if not explicitly added as principal name to the config).

Konrad

On 2022/12/02 19:01:57 Konrad Windszus wrote:
> Hi,
> With https://issues.apache.org/jira/browse/SLING-6963 the support for principal names has been added to the Service User Mapper.
> That in general does not consider group memberships.
> What about the special group “everyone” (https://jackrabbit.apache.org/oak/docs/security/user/membership.html#everyone-group-and-everyone-as-member).
> Are the rights inherited in this case?
>
> I have seen weird effects where the rights are only inherited sometimes…
>
> Thanks for clarification.
> Konrad
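Added illustration, not part of the thread above: the two `user.mapping` forms the discussion refers to, side by side in an amended `ServiceUserMapperImpl` factory configuration (shown here in `.cfg.json` notation). The bundle symbolic name `com.example.mybundle`, the subservice names and the user and principal names are hypothetical placeholders.

```json
{
  "user.mapping": [
    "com.example.mybundle:reports=reports-system-user",
    "com.example.mybundle:indexing=[com-example-indexing-principal,com-example-reader-principal]"
  ]
}
```

The first entry (user id, no brackets) produces a session for the system user `reports-system-user` with its normal subject, so permissions granted to any group it belongs to, including `everyone`, apply. The second entry (bracketed principal list) produces a subject made up of exactly the two listed principals and nothing else: no group memberships are resolved, so ACLs set for `everyone` or any other group have no effect on that session, which is the behaviour both replies describe. Putting a group principal name such as `everyone` inside the brackets is rejected by the `JcrSystemUserValidator`; permissions for the listed principals are instead defined as part of the application itself, for example with repoinit `set principal ACL` statements, which keeps what the service session can do in the same code base as the service that uses it.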
