[
https://issues.apache.org/jira/browse/SLING-5006?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Konrad Windszus updated SLING-5006:
-----------------------------------
Description:
With SLING-3854 a {{ServiceUserValidator}} interface was introduced. Basically
all OSGi services implementing that interface may decide whether certain users
can be used as backing user for a call to
{{ResourceResolverFactory.getServiceResolver(...)}}. The only implementation of
that in Sling is {{JcrSystemUserValidator}} which only allows to use JCR system
users.
The list of all those services is bound in the {{ServiceUserMapperImpl}}
dynamically.
If you for example want to use that service to relax the policy being
introduced with SLING-3854 (to e.g. allow all users as service users) you may
register your own service just returning {{true}} for all users in the only
method {{isValid}}. Unfortunately you don't know when your
{{ServiceUserValidator}} service is bound (due to the dynamic restart behaviour
of services). Therefore other services cannot rely on the fact that your own
{{ServiceUserValidator}} is being available at a certain point in time and
therefore their call to {{ResourceResolverFactory.getServiceResolver(...)}} may
fail, if they rely on a non-System JCR user. Therefore this mechanism is not
suitable to disable the enforcing of JCR system users.
Instead I would propose the following:
# allow to configure the {{ServiceUserMapper}} via an OSGi property named
{{allowOnlySystemUsers}} which by default should be {{true}}.
# within the method {{ServiceUserMapperImpl.isValidUser}} you either allow all
users or call {{JcrSystemUserValidator.isValidUser}} (in case
{{allowOnlySystemUsers}} is {{true}}).
Only that way it would be possible to reliable enable all users as service
users which is especially helpful during development of a certain feature
(although this is probably not a config you would set on a production instance).
was:
With SLING-3854 a {{ServiceUserValidator}} interface was introduced. Basically
all OSGi services implementing that interface may decide whether certain users
can be used as backing user for a call to
{{ResourceResolverFactory.getServiceResolver(...)}}. The only implementation of
that in Sling is {{JcrSystemUserValidator}} which only allows to use JCR system
users.
The list of all those services is bound in the {{ServiceUserMapperImpl}}
dynamically.
If you for example want to use that service to relax the policy being
introduced with SLING-3854 (to e.g. allow all users as service users) you may
register your own service just returning {{true}} for all users in the only
method {{isValid}}. Unfortunately you don't know when your
{{ServiceUserValidator}} service is bound (due to the dynamic restart behaviour
of services). Therefore other services cannot rely on the fact that your own
{{ServiceUserValidator}} is being available at a certain point in time and
therefore their call to {{ResourceResolverFactory.getServiceResolver(...)}} may
fail, if they rely on a non-System JCR user. Therefore this mechanism is not
suitable to disable the enforcing of JCR system users.
Instead I would propose the following:
# allow to configure the {{ServiceUserMapper}} via an OSGi property named
{{allowOnlySystemUsers}} which by default should be {{true}}.
# within the method {{ServiceUserMapperImpl.isValidUser}} you either allow all
users or call {{JcrSystemUserValidator.isValidUser}} (in case
{{allowOnlySystemUsers}} is {{true}}).
Only that way it would be possible to reliable enable all users as system users
which is especially helpful during development of a certain feature (although
this is probably not a config you would set on a production intance).
> Allow to enable the usage of regular JCR users for service resolvers
> --------------------------------------------------------------------
>
> Key: SLING-5006
> URL: https://issues.apache.org/jira/browse/SLING-5006
> Project: Sling
> Issue Type: Improvement
> Components: Service User Mapper
> Reporter: Konrad Windszus
>
> With SLING-3854 a {{ServiceUserValidator}} interface was introduced.
> Basically all OSGi services implementing that interface may decide whether
> certain users can be used as backing user for a call to
> {{ResourceResolverFactory.getServiceResolver(...)}}. The only implementation
> of that in Sling is {{JcrSystemUserValidator}} which only allows to use JCR
> system users.
> The list of all those services is bound in the {{ServiceUserMapperImpl}}
> dynamically.
> If you for example want to use that service to relax the policy being
> introduced with SLING-3854 (to e.g. allow all users as service users) you may
> register your own service just returning {{true}} for all users in the only
> method {{isValid}}. Unfortunately you don't know when your
> {{ServiceUserValidator}} service is bound (due to the dynamic restart
> behaviour of services). Therefore other services cannot rely on the fact that
> your own {{ServiceUserValidator}} is being available at a certain point in
> time and therefore their call to
> {{ResourceResolverFactory.getServiceResolver(...)}} may fail, if they rely on
> a non-System JCR user. Therefore this mechanism is not suitable to disable
> the enforcing of JCR system users.
> Instead I would propose the following:
> # allow to configure the {{ServiceUserMapper}} via an OSGi property named
> {{allowOnlySystemUsers}} which by default should be {{true}}.
> # within the method {{ServiceUserMapperImpl.isValidUser}} you either allow
> all users or call {{JcrSystemUserValidator.isValidUser}} (in case
> {{allowOnlySystemUsers}} is {{true}}).
> Only that way it would be possible to reliable enable all users as service
> users which is especially helpful during development of a certain feature
> (although this is probably not a config you would set on a production
> instance).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
