[ 
https://issues.apache.org/jira/browse/SLING-3179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13868845#comment-13868845
 ] 

Tobias Bocanegra commented on SLING-3179:
-----------------------------------------

bq. I don't see how this is adding security other than reintroducing the TrustedInfo again, just with different and more complex code.
Yes, but on a different level. IMO the JCR resource provider must come with a 
LoginModule counterpart that establishes the trust.

bq. complex doAs() logic, which really exposes internal JCR/repository user logic
This is how JAAS works and is also referred to in 
[Repository.login()|http://www.day.com/maven/javax.jcr/javadocs/jcr-2.0/javax/jcr/Repository.html#login(javax.jcr.Credentials, java.lang.String)]. 
AFAICS, the only problem is the population of the subject, 
and that's why I'd prefer the LoginModule approach.



> Implement solution to the Authentication Handler Credential Validation Problem
> ------------------------------------------------------------------------------
>
>                 Key: SLING-3179
>                 URL: https://issues.apache.org/jira/browse/SLING-3179
>             Project: Sling
>          Issue Type: Bug
>          Components: API, JCR, ResourceResolver
>    Affects Versions: JCR Base 2.1.2, API 2.4.2, Resource Resolver 1.0.6
>            Reporter: Felix Meschberger
>            Assignee: Antonio Sanso
>         Attachments: SLING-3179.diff, SLING-3179.patch
>
>
> The proposal [Solving the Authentication Handler Credential Validation 
> Problem|https://cwiki.apache.org/confluence/display/SLING/Solving+the+Authentication+Handler+Credential+Validation+Problem]
>  should be implemented.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
