hi *,
I (finally) started to take a look at the Authentication Handler Credential
Validation tracked in [0].
I kind of like the overall design. I would have a question regarding the
String IDENTIFIED = "user.identified"; property.
I was wondering whether we really need this property, or whether we can replace
it with something like an AuthenticationInfo with an empty
ResourceResolverFactory.PASSWORD and a present ResourceResolverFactory.USER.
Having this property is not a big deal, but since we already "treat"
SimpleCredentials differently in the JcrResourceProviderFactory, this might be
feasible IMHO.
At the end of the day a pre-authenticated user is someone who knows his
username but not his repository password, so it would not be too wrong
conceptually.
On the other hand, I already fear somebody doing something like

    new AuthenticationInfo(HttpServletRequest.FORM_AUTH, user, getPassword());

and, for some unexpected reason, getPassword() is null.
That said, also when using the repository directly somebody can have

    repository.login(getCredentials());

with getCredentials() being null.
Moreover, we can still partially prevent this by continuing to use the privilege
escalation guard.
WDYT? Just a thought; keeping the String IDENTIFIED = "user.identified";
property would not be a big deal either...
regards
antonio
[0] https://cwiki.apache.org/confluence/display/SLING/Solving+the+Authentication+Handler+Credential+Validation+Problem
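The failure mode the mail worries about, as an added example (not Sling's code and not part of the original message): a toy Map-based stand-in for AuthenticationInfo compared under the two policies, "present USER with absent PASSWORD means pre-authenticated" versus an explicit IDENTIFIED property. The class, method names and the constant values are assumptions for illustration only.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for Sling's AuthenticationInfo (which is itself a Map
// of properties). Constant values are assumed here, not taken from Sling.
public class IdentifiedUserCheck {
    static final String USER = "user.name";          // stands for ResourceResolverFactory.USER
    static final String PASSWORD = "user.password";  // stands for ResourceResolverFactory.PASSWORD
    static final String IDENTIFIED = "user.identified";

    // Policy A (the replacement floated in the mail): a present USER with no
    // PASSWORD is taken as "pre-authenticated". A handler that merely failed to
    // supply the password is indistinguishable from one that vouches for the user.
    static boolean preAuthenticatedImplicit(Map<String, Object> info) {
        return info.get(USER) != null && info.get(PASSWORD) == null;
    }

    // Policy B (the explicit property): the handler must set IDENTIFIED = true.
    // A missing password on its own is a malformed request, not a vouch.
    static boolean preAuthenticatedExplicit(Map<String, Object> info) {
        return Boolean.TRUE.equals(info.get(IDENTIFIED));
    }

    // Simulated repository login decision under the chosen policy.
    static String login(Map<String, Object> info, boolean explicitPolicy) {
        boolean preAuth = explicitPolicy
                ? preAuthenticatedExplicit(info)
                : preAuthenticatedImplicit(info);
        if (preAuth) {
            return "login as " + info.get(USER) + " WITHOUT credential validation";
        }
        if (info.get(PASSWORD) == null) {
            return "reject: no credentials supplied";
        }
        return "validate password for " + info.get(USER);
    }

    public static void main(String[] args) {
        // Constructed input reproducing the feared handler bug: getPassword() returned null.
        char[] password = null;
        Map<String, Object> buggy = new HashMap<>();
        buggy.put(USER, "alice");
        buggy.put(PASSWORD, password);

        System.out.println("implicit policy: " + login(buggy, false)); // silently pre-authenticated
        System.out.println("explicit policy: " + login(buggy, true));  // rejected
    }
}
```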