[
https://issues.apache.org/jira/browse/SLING-3633?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ilyas Türkben updated SLING-3633:
---------------------------------
Description:
Sling uses resolver.getUserID() to set HttpContext.REMOTE_USER on the
request object, which is later used to instantiate the Principal object.
Sling should use rep:principalName instead of resolver.getUserID().
{code:java}
// org.apache.sling.auth.core.impl.SlingAuthenticator
/**
 * Sets the request attributes required by the OSGi HttpContext interface
 * specification for the <code>handleSecurity</code> method. In addition the
 * {@link SlingAuthenticator#REQUEST_ATTRIBUTE_RESOLVER} request attribute
 * is set to the ResourceResolver.
 */
private void setAttributes(final ResourceResolver resolver, final String authType,
        final HttpServletRequest request) {
    // HttpService API required attributes
    request.setAttribute(HttpContext.REMOTE_USER, resolver.getUserID());
    request.setAttribute(HttpContext.AUTHENTICATION_TYPE, authType);

    // resource resolver for down-stream use
    request.setAttribute(REQUEST_ATTRIBUTE_RESOLVER, resolver);

    log.debug("setAttributes: ResourceResolver stored as request attribute: user={}",
            resolver.getUserID());
}
{code}
Below, *jrAuthorizable is NULL* when the userID (node name) is not equal to
the rep:principalName property. This is sample code to reproduce the issue in a
servlet.
{code:java}
import java.security.Principal;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;

// inside a Sling servlet; 'request' is the SlingHttpServletRequest
// the principal name comes from HttpContext.REMOTE_USER, i.e. resolver.getUserID()
final Principal principal = request.getUserPrincipal();
final UserManager jrUserManager =
        request.getResourceResolver().adaptTo(UserManager.class);
// getAuthorizable(Principal) throws RepositoryException and returns null when no
// authorizable has a rep:principalName equal to principal.getName()
final Authorizable jrAuthorizable = jrUserManager.getAuthorizable(principal);
{code}
Basically, to reproduce the issue: create a user, change its rep:principalName,
log in with the userID, and use the API to get an Authorizable object using
request.getUserPrincipal().
> Sling uses wrong value for Principal object
> -------------------------------------------
>
> Key: SLING-3633
> URL: https://issues.apache.org/jira/browse/SLING-3633
> Project: Sling
> Issue Type: Bug
> Components: Authentication
> Reporter: Ilyas Türkben
>
--
This message was sent by Atlassian JIRA
(v6.2#6252)
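The fix the report asks for, shown as an added example that is neither Sling's code nor the reporter's: a variant of setAttributes that derives REMOTE_USER from the principal name of the resolver's user (the rep:principalName, via Authorizable.getPrincipal()) instead of the user ID, next to the downstream lookup from the reproduction with its null case handled. It assumes a Sling instance on a Jackrabbit/Oak repository whose ResourceResolver adapts to UserManager, as the report's own snippet does; the class name PrincipalAwareAttributes, the RESOLVER_ATTRIBUTE constant and the helper names principalNameOf and resolveCaller are hypothetical.

```java
// Added example, not Sling's own code. Assumes resolver.adaptTo(UserManager.class)
// works (as in the report's snippet). Class, constant and method names are hypothetical.
import java.security.Principal;

import javax.jcr.RepositoryException;
import javax.servlet.http.HttpServletRequest;

import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.ResourceResolver;
import org.osgi.service.http.HttpContext;

public final class PrincipalAwareAttributes {

    /** Hypothetical attribute name; SlingAuthenticator keeps its own constant for this. */
    static final String RESOLVER_ATTRIBUTE = "example.resource-resolver";

    private PrincipalAwareAttributes() {
    }

    /**
     * Name of the principal behind the resolver's session. The user ID is the node
     * name of the user, the principal name is its rep:principalName property, and the
     * two differ once that property has been edited. Falls back to the user ID when
     * no Authorizable can be resolved (for example an anonymous or service session),
     * so REMOTE_USER is never left unset for an authenticated request.
     */
    static String principalNameOf(final ResourceResolver resolver) {
        final String userId = resolver.getUserID();
        final UserManager userManager = resolver.adaptTo(UserManager.class);
        if (userId == null || userManager == null) {
            return userId;
        }
        try {
            final Authorizable user = userManager.getAuthorizable(userId);
            return user == null ? userId : user.getPrincipal().getName();
        } catch (RepositoryException e) {
            return userId;
        }
    }

    /** Same contract as SlingAuthenticator.setAttributes, but REMOTE_USER is the principal name. */
    static void setAttributes(final ResourceResolver resolver, final String authType,
            final HttpServletRequest request) {
        request.setAttribute(HttpContext.REMOTE_USER, principalNameOf(resolver));
        request.setAttribute(HttpContext.AUTHENTICATION_TYPE, authType);
        request.setAttribute(RESOLVER_ATTRIBUTE, resolver);
    }

    /**
     * The report's downstream lookup with the null case made explicit. With the user ID
     * in REMOTE_USER, getAuthorizable(Principal) returns null whenever the ID differs
     * from rep:principalName; with the principal name it resolves the user. A null here
     * is "no such principal", so this fails closed instead of handing back null.
     */
    static Authorizable resolveCaller(final SlingHttpServletRequest request)
            throws RepositoryException {
        final Principal principal = request.getUserPrincipal();
        final UserManager userManager =
                request.getResourceResolver().adaptTo(UserManager.class);
        if (principal == null || userManager == null) {
            return null;
        }
        final Authorizable caller = userManager.getAuthorizable(principal);
        if (caller == null) {
            throw new RepositoryException(
                    "No authorizable for principal " + principal.getName());
        }
        return caller;
    }
}
```

To see the difference, follow the report's steps (create a user, edit its rep:principalName, log in with the userID) and call resolveCaller from a servlet: with the original setAttributes the lookup throws because the principal name in the request is the node name; with principalNameOf feeding REMOTE_USER it returns the user. The fallback to the user ID in principalNameOf is deliberate, so that sessions without an Authorizable keep the behaviour Sling has today rather than an empty REMOTE_USER.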