[
https://issues.apache.org/jira/browse/SLING-3633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14019638#comment-14019638
]
Felix Meschberger commented on SLING-3633:
------------------------------------------
Updated component to be Engine (since this happens to be an issue in the
HttpServletRequest.getUserPrincipal() implementation of the Engine).
The fix version includes the next Engine bundle for the
ResourceResolver.adaptTo(Principal) call and the next JCR Resource bundle for
the Principal adapter implementation.
> Sling uses wrong value for Principal object
> -------------------------------------------
>
> Key: SLING-3633
> URL: https://issues.apache.org/jira/browse/SLING-3633
> Project: Sling
> Issue Type: Bug
> Components: Engine
> Affects Versions: Engine 2.3.2
> Reporter: Ilyas Türkben
> Assignee: Antonio Sanso
> Fix For: JCR Resource 2.3.8, Engine 2.3.4
>
>
> Sling uses resolver.getUserID() to set the HttpContext.REMOTE_USER on the
> request object, which is used later for the instantiation of the Principal object.
> Sling should use the rep:principalName instead of resolver.getUserID().
> {code:java}
> // org.apache.sling.auth.core.impl.SlingAuthenticator
> /**
>  * Sets the request attributes required by the OSGi HttpContext interface
>  * specification for the <code>handleSecurity</code> method. In addition the
>  * {@link SlingAuthenticator#REQUEST_ATTRIBUTE_RESOLVER} request attribute
>  * is set to the ResourceResolver.
>  */
> private void setAttributes(final ResourceResolver resolver, final String authType,
>         final HttpServletRequest request) {
>     // HttpService API required attributes
>     request.setAttribute(HttpContext.REMOTE_USER, resolver.getUserID());
>     request.setAttribute(HttpContext.AUTHENTICATION_TYPE, authType);
>     // resource resolver for down-stream use
>     request.setAttribute(REQUEST_ATTRIBUTE_RESOLVER, resolver);
>     log.debug("setAttributes: ResourceResolver stored as request attribute: user={}",
>             resolver.getUserID());
> }
> {code}
> Below, *jrAuthorizable is NULL* when the userID (node name) is not equal to the
> rep:principalName property. This is a sample code to reproduce the issue in a
> servlet.
> {code:java}
> final Principal principal = request.getUserPrincipal();
> final org.apache.jackrabbit.api.security.user.UserManager jrUserManager =
>         request.getResourceResolver().adaptTo(org.apache.jackrabbit.api.security.user.UserManager.class);
> final org.apache.jackrabbit.api.security.user.Authorizable jrAuthorizable =
>         jrUserManager.getAuthorizable(principal);
> {code}
> Basically, to reproduce the issue: create a user, change the
> rep:principalName, log in with the userID, and use the API to get an Authorizable
> object using request.getUserPrincipal();
--
This message was sent by Atlassian JIRA
(v6.2#6252)
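The servlet-side lookup from the issue, rewritten as an added helper that is not Sling's or Jackrabbit's own code and is not from the reporter or the commenter: it resolves the Authorizable by user ID (which the repository always knows) instead of by the request Principal, and logs the user-ID/principal-name mismatch this issue describes so affected deployments can spot it. The class name, logger, and method signature are assumptions; the Jackrabbit and Sling API calls are the public ones.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.servlet.http.HttpServletRequest;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.ResourceResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical helper (not part of Sling) for servlets running on Engine 2.3.2. */
public final class RequestAuthorizableResolver {

    private static final Logger LOG = LoggerFactory.getLogger(RequestAuthorizableResolver.class);

    private RequestAuthorizableResolver() {}

    /**
     * Returns the Authorizable of the authenticated user, or null if none is found.
     * Looks it up by user ID (the node name) rather than by the Principal exposed on
     * the request, because on the affected Engine version that Principal carries the
     * user ID, and UserManager.getAuthorizable(Principal) returns null whenever
     * rep:principalName differs from the user ID.
     */
    public static Authorizable resolve(final HttpServletRequest request,
            final ResourceResolver resolver) throws RepositoryException {
        final UserManager userManager = resolver.adaptTo(UserManager.class);
        if (userManager == null) {
            return null; // not a JCR-backed resolver
        }
        final String userId = resolver.getUserID();
        if (userId == null) {
            return null; // anonymous or unauthenticated request
        }
        final Authorizable authorizable = userManager.getAuthorizable(userId);
        if (authorizable == null) {
            return null;
        }
        // Detect the symptom from the issue: the request Principal name should match
        // the repository principal (rep:principalName), not the user ID.
        final Principal requestPrincipal = request.getUserPrincipal();
        final Principal repoPrincipal = authorizable.getPrincipal();
        if (requestPrincipal != null && repoPrincipal != null
                && !repoPrincipal.getName().equals(requestPrincipal.getName())) {
            LOG.warn("request principal '{}' differs from repository principal '{}' for user '{}'",
                    requestPrincipal.getName(), repoPrincipal.getName(), userId);
        }
        return authorizable;
    }
}
```

Once the fix versions named in the comment (Engine 2.3.4, JCR Resource 2.3.8) are deployed, request.getUserPrincipal() and resolver.adaptTo(Principal.class) carry the repository principal, and the warning above should no longer fire.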