[
https://issues.apache.org/jira/browse/SLING-2944?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Felix Meschberger updated SLING-2944:
-------------------------------------
Attachment: serviceusermapper.tgz
SLING-2944.patch
Proposed patch against existing bundles (Sling API, Sling JCR API, JCR Base,
Jackrabbit Server, JCR Resource Provider, Resource Resovler) and package of the
new Service User Mapper bundle (MD5 2e8e5d920e9ce8a175c562d18dc49eed; will be
svn cp-ed from
http://svn.apache.org/repos/asf/sling/whiteboard/fmeschbe/deprecate_login_administrative/serviceusermapper).
The notable changes are the introduction of the new
ResourceResolverFactory.getServiceResourceresolver and
SlingRepository.loginService methods and deprecation of the former
administrative login methods.
In addition the ResourceProviderFactory and SlingRepository services are now
registered as service factories to be able to get the calling bundle. This
required some refactoring in the AbstractSlingRepository causing extensions to
be adapted, too (the registerService method is now final and two methods are
added to provide custom registration properties and registration interfaces).
> Replace administrative login by service-based login
> ---------------------------------------------------
>
> Key: SLING-2944
> URL: https://issues.apache.org/jira/browse/SLING-2944
> Project: Sling
> Issue Type: New Feature
> Components: API, JCR, ResourceResolver, Service User Mapper
> Affects Versions: JCR Resource 2.2.8, JCR Jackrabbit Server 2.1.0, JCR
> Base 2.1.2, JCR API 2.1.0, API 2.4.2, Resource Resolver 1.0.6
> Reporter: Felix Meschberger
> Assignee: Felix Meschberger
> Fix For: Service User Mapper 1.0.0, JCR Resource 2.3.0, JCR
> Jackrabbit Server 2.2.0, JCR Base 2.1.4, JCR API 2.2.0, API 2.5.0, Resource
> Resolver 1.1.0
>
> Attachments: serviceusermapper.tgz, SLING-2944.patch
>
>
> From the start Sling tried to solve the problem of providing services access
> to the repository and resource tree without having to hard code and configure
> any passwords. This was done first with the
> SlingRepository.loginAdministrative and later with the
> ResourceResolverFactory.getAdministrativeResourceResolver methods.
> Over time this mechanism proved to be the hammer to hit all nails.
> Particularly these methods while truly useful have the disadvantage of
> providing full administrative privileges to services where just some specific
> kind of privilege would be enough.
> For example for the JSP compiler it would be enough to be able to read the
> JSP source scripts and write the Java classes out to the JSP compiler's
> target location. Other access is not required. Similarly to manage users user
> management privileges are enough and no access to /content is really required.
> To solve this problem a new API for Service Authentication has been proposed
> at https://cwiki.apache.org/confluence/display/SLING/Service+Authentication.
> The prototype of which is implemented in
> http://svn.apache.org/repos/asf/sling/whiteboard/fmeschbe/deprecate_login_administrative.
> This issue is about merging the prototype code back into trunk and thus fully
> implementing the feature.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
