On Mon, 2024-07-29 at 12:21 +0200, Konrad Windszus wrote:
> Probably Angela could explain better but it seems that it is due to
> https://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html#pre-authentication-without-repository-involvement
> .
>

Then my suggestion would be to wait for Oak to tackle this first.

I did add preauthenticated principal support for the bundle, but looking in Git I noticed that the Subject.doAsPrivileged calls were used from the initial revision to implement loginAdministrative.

https://github.com/apache/sling-org-apache-sling-jcr-oak-server/commit/f33f7c2354695ead57720dc09ca972744cc8924c#diff-75f6bbd16da0366dc6efb706cb1cdc57fe7bf7a6efc1ba627bce15ea7f0285dbR256

For now, I think we have two 'easy' ways out:

1. Start requiring Java 21
2. Have different code paths depending on the Java version. This can be implemented via reflection or multi-release jars ( [1] ).

But I would wait for Oak first, perhaps they can solve the problem directly :-)

Thanks,
Robert

[1]: https://docs.osgi.org/specification/osgi.core/8.0.0/framework.module.html#framework.module-multireleasejar

> Konrad
>
> > On 29. Jul 2024, at 10:26, Robert Munteanu <[email protected]>
> > wrote:
> >
> > Hi Konrad,
> >
> > On Wed, 2024-07-24 at 14:26 +0200, Konrad Windszus wrote:
> > > Hi,
> > >
> > > Carsten mentioned this topic in the Felix Dev mailing list but
> > > Sling is affected as well:
> > > https://lists.apache.org/thread/37ll81kn39fd60jw9p3jz4dwy0z4w4hh
> > >
> > > Particularly the module
> > > https://github.com/apache/sling-org-apache-sling-jcr-oak-server
> > > suffers from deprecations, as it uses javax.security.auth.Subject
> > > which has been modified and partially deprecated in Java 17/21
> > > (https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/security/auth/Subject.html).
> > > The replacement
> > > https://docs.oracle.com/en/java/javase/21/docs/api/java.base/javax/security/auth/Subject.html#callAs(javax.security.auth.Subject,java.util.concurrent.Callable)
> > > is only available since Java 18 though…
> > >
> > > Any suggestion how and when to tackle this?
> >
> > I skimmed the code and it's not entirely clear to me why we need to
> > use Subject.doAsPrivileged. Is this because the Oak code we are
> > calling needs to understand who the caller is and expects that
> > information in a Subject?
> >
> > Thanks,
> > Robert
>
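
Added example, not part of the original thread and not code from Sling or Oak: a sketch of the "different code paths via reflection" option from the reply above, calling Subject.callAs through a method handle when the runtime provides it (Java 18+) and falling back to Subject.doAsPrivileged otherwise. The class name SubjectCompat and the method runAs are hypothetical, and the sketch assumes no security manager is installed.

```java
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.Callable;
import java.util.concurrent.CompletionException;
import javax.security.auth.Subject;

/** Hypothetical helper: runs an action as a Subject on both old and new JDKs. */
public final class SubjectCompat {

    // Handle to Subject.callAs(Subject, Callable); null when the runtime is older than Java 18.
    private static final MethodHandle CALL_AS = lookupCallAs();

    private SubjectCompat() {}

    private static MethodHandle lookupCallAs() {
        try {
            // Erased signature of <T> T callAs(Subject, Callable<T>)
            return MethodHandles.publicLookup().findStatic(Subject.class, "callAs",
                    MethodType.methodType(Object.class, Subject.class, Callable.class));
        } catch (NoSuchMethodException | IllegalAccessException e) {
            return null; // resolved once at class load, so the hot path has no reflection lookup
        }
    }

    @SuppressWarnings({"unchecked", "removal"})
    public static <T> T runAs(Subject subject, Callable<T> action) throws Exception {
        if (CALL_AS != null) {
            try {
                return (T) CALL_AS.invoke(subject, action);
            } catch (CompletionException e) {
                // callAs wraps exceptions thrown by the action; unwrap to match the fallback path
                if (e.getCause() instanceof Exception) throw (Exception) e.getCause();
                throw e;
            } catch (Exception | Error e) {
                throw e;
            } catch (Throwable t) {
                throw new IllegalStateException(t);
            }
        }
        try {
            // Pre-18 path: the deprecated call the thread discusses, with a null AccessControlContext
            return Subject.doAsPrivileged(subject, (PrivilegedExceptionAction<T>) action::call, null);
        } catch (PrivilegedActionException e) {
            throw e.getException(); // same unwrapping as above, so callers see one exception shape
        }
    }
}
```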
