Hi Lars,

I see your point; I don't see right now what a general approach could look like. However, the creator of a job could add the subject as a property to the job, and the consumer can use this value to create a resource resolver based on that value. But I think this has to be done on a job-by-job basis.

Or do you see a general mechanism which always gets the subject of the sender?

Carsten

2014-05-13 17:21 GMT+02:00 Lars Krapf <[email protected]>:
> Hello list
>
> When processing events and jobs, the corresponding subject triggering
> the event usually gets lost. This leads to event handlers / job consumers
> often operating with administrative sessions/resolvers to do their work,
> which in turn can lead to privilege escalations.
>
> A possible solution to this problem could be to add a serialization of
> the event-triggering subject (if available) as a property to the event
> by default, so the handlers could easily recreate the session by using
> JAAS doAsPrivileged().
>
> Would that make sense?
>
> Best greetings
> Lars
>

-- 
Carsten Ziegeler
[email protected]
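The job-by-job approach Carsten describes (the creator stores the triggering subject on the job, the consumer rebuilds a resolver from it instead of falling back to an administrative one), as an added Java example that is neither part of this thread nor Apache Sling project code. It uses Sling's service-user plus impersonation mechanism to recreate the caller's session rather than JAAS doAsPrivileged(); the topic name, the `job.initiator` property, the `jobs` subservice name and the assumption that the service user is permitted to impersonate are all mine.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.event.jobs.Job;
import org.apache.sling.event.jobs.JobManager;
import org.apache.sling.event.jobs.consumer.JobConsumer;

public class SubjectAwareJobs {
    // Hypothetical topic and property name (assumptions, not Sling constants).
    public static final String TOPIC = "example/subjectaware";
    public static final String INITIATOR = "job.initiator";

    /** Creator side: record which user triggered the job. */
    public static Job create(JobManager jobManager, ResourceResolver caller, String path) {
        Map<String, Object> props = new HashMap<>();
        props.put("path", path);
        props.put(INITIATOR, caller.getUserID()); // subject travels with the job
        return jobManager.addJob(TOPIC, props);
    }

    /** Consumer side: work with the initiator's rights, never with an admin resolver. */
    public static class Consumer implements JobConsumer {
        private final ResourceResolverFactory factory;

        public Consumer(ResourceResolverFactory factory) { this.factory = factory; }

        @Override
        public JobResult process(Job job) {
            String userId = job.getProperty(INITIATOR, String.class);
            if (userId == null) {
                return JobResult.CANCEL; // fail closed: no subject, no work
            }
            Map<String, Object> auth = new HashMap<>();
            auth.put(ResourceResolverFactory.SUBSERVICE, "jobs"); // assumed subservice name
            auth.put(ResourceResolverFactory.USER_IMPERSONATION, userId);
            try (ResourceResolver resolver = factory.getServiceResourceResolver(auth)) {
                String path = job.getProperty("path", String.class);
                if (path == null || resolver.getResource(path) == null) {
                    return JobResult.CANCEL; // initiator cannot read the target: stop here
                }
                // ... perform the actual work through 'resolver' ...
                return JobResult.OK;
            } catch (LoginException e) {
                return JobResult.FAILED; // service user may not impersonate this user
            }
        }
    }
}
```

Because the resolver carries the initiator's ACLs, a job that references content the initiator cannot see is cancelled rather than silently processed with elevated rights.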
