On 16.01.2014, at 05:19, Carsten Ziegeler <[email protected]> wrote:
> Eagerly waiting for a patch which implements this :)

He he :)

This isn’t meant as something we should have soon - it is meant as a goal to guide around the JCR login mechanism discussion.

One opinion is: ah, don’t care, once code is running in the JVM, consider everything exploited, so we can put JCR authentication and convenience mechanisms everywhere.

My opinion is: no, write that authentication code with a clear boundary in mind (JCR), Sling/application level code can’t just login as anyone on JCR unless the internal repository authenticates it. So that later my above vision is simpler to reach. As a side effect, code and security configuration become clearer (having to configure authentication both in Sling and Jackrabbit is just confusing).

Otherwise I don’t even know why we removed the TrustedInfo in the first place.

Cheers,
Alex
