[
https://issues.apache.org/jira/browse/SLING-12093?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17774518#comment-17774518
]
Konrad Windszus commented on SLING-12093:
-----------------------------------------
[~cziegeler] I guess this is a regression of the introduction of the
{{ResourceProvider}} SPI. The SPI probably needs to be adjusted slightly for
resource providers to be consulted before exposing authentication info from the
ResourceResolver.
> ResourceResolver.getAttribute(...) might return sensitive information
> ---------------------------------------------------------------------
>
> Key: SLING-12093
> URL: https://issues.apache.org/jira/browse/SLING-12093
> Project: Sling
> Issue Type: Improvement
> Components: ResourceResolver
> Affects Versions: Resource Resolver 1.11.0
> Reporter: Konrad Windszus
> Priority: Major
>
> The method {{ResourceResolver.getAttribute(...)}} retrieves a named attribute
> from either
> - the underlying resource provider or
> - the authentication info passed to the factory
> In addition it filters out some attributes supposed to contain sensitive
> information
> (https://github.com/apache/sling-org-apache-sling-resourceresolver/blob/d9e90e455c0f71e84414bb09c83d7e678f1a788e/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java#L400)
> Although there is some JCR specific authentication info filtered in
> https://github.com/apache/sling-org-apache-sling-jcr-resource/blob/685c50921085941f4cbb1a3ccdbf90bad0605527/src/main/java/org/apache/sling/jcr/resource/internal/helper/jcr/JcrResourceProvider.java#L676,
> this is not-effective as the authentication info is retrieved without
> consulting any resource provider.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
