[ http://issues.apache.org/jira/browse/JCR-351?page=comments#action_12370186 ]
Jukka Zitting commented on JCR-351:
-----------------------------------

The problem with SimpleLoginModule (and in fact any AccessManager that would want to provide some default access level) is that it only works if the user has provided a Credentials instance to the Session.login() method. If you use the empty Session.login() signature, which would be the reasonable default for cases where you have not specified any explicit user accounts, RepositoryImpl.login() will throw a LoginException saying "No Subject associated with AccessControlContext".

This example class:

    import javax.jcr.*;
    import org.apache.jackrabbit.core.TransientRepository;
    public class Example {
        public static void main(String[] args) {
            try {
                Repository repository = new TransientRepository();
                Session session = repository.login();
                session.logout();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

will output:

    javax.jcr.LoginException: No Subject associated with AccessControlContext
        at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1064)
        at org.apache.jackrabbit.core.TransientRepository.login(TransientRepository.java:319)
        at org.apache.jackrabbit.core.TransientRepository.login(TransientRepository.java:371)
        at Example.main(Example.java:7)

when run without JAAS configuration.

> Default to superuser access when JAAS is not configured
> -------------------------------------------------------
>
>          Key: JCR-351
>          URL: http://issues.apache.org/jira/browse/JCR-351
>      Project: Jackrabbit
>         Type: Improvement
>   Components: security
>     Versions: 0.9
>     Reporter: Jukka Zitting
>     Priority: Minor
>
> Even though JCR-348 made it easier to start a Jackrabbit repository with default
> configuration, the user still needs to take care of the JAAS configuration.
> It would be more user-friendly to log a warning and default to superuser
> access rather than throwing a LoginException when JAAS has not been
> configured. This behaviour should be limited to only default credential
> logins (Session.login() with null Credentials) and it should be possible to
> disable it with a configuration option. We could even have this behaviour
> disabled by default, but enabled in the configuration file used with the
> JCR-348 automatic configuration.
> This is a case against the "secure by default" design principle, but I think
> that in this case the benefits in easier setup outweigh the security
> drawbacks, especially if coupled with the above restrictions and a clear
> documentation note about the insecure default.
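
The restrictions proposed in the issue description (fallback only for null Credentials, only when JAAS is not configured, and controlled by a configuration option that is off unless enabled) can be modelled as a small decision function. This is an added example, not Jackrabbit code and not part of the original message; the class DefaultLoginPolicy, the flag allowSuperuserFallback and the jaasConfigured parameter are hypothetical names, and the JDK's javax.security.auth.login.LoginException stands in for javax.jcr.LoginException so the sketch compiles without the JCR API.

```java
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;

// Hypothetical model of the proposed login policy; not Jackrabbit code.
public class DefaultLoginPolicy {
    private static final Logger LOG = Logger.getLogger("DefaultLoginPolicy");

    enum Access { AUTHENTICATED, SUPERUSER }

    // Assumed configuration option; off unless the configuration turns it on.
    private final boolean allowSuperuserFallback;

    DefaultLoginPolicy(boolean allowSuperuserFallback) {
        this.allowSuperuserFallback = allowSuperuserFallback;
    }

    // credentials: what the caller passed to login(), null for the empty signature.
    // subject: the Subject found in the access control context, null if none.
    // jaasConfigured: whether a JAAS login configuration is available.
    Access login(Object credentials, Subject subject, boolean jaasConfigured)
            throws LoginException {
        if (credentials != null) {
            // Explicit credentials never take the fallback path.
            if (!jaasConfigured) throw new LoginException("JAAS is not configured");
            return Access.AUTHENTICATED; // stand-in for the real LoginModule call
        }
        if (subject != null) return Access.AUTHENTICATED;
        if (!jaasConfigured && allowSuperuserFallback) {
            LOG.warning("JAAS not configured; granting superuser access to default login");
            return Access.SUPERUSER;
        }
        throw new LoginException("No Subject associated with AccessControlContext");
    }

    public static void main(String[] args) throws Exception {
        // Fallback enabled: the default login succeeds and a warning is logged.
        System.out.println(new DefaultLoginPolicy(true).login(null, null, false));
        // Fallback disabled: the same call fails as in the stack trace above.
        try { new DefaultLoginPolicy(false).login(null, null, false); }
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
        // Explicit credentials are never upgraded, even with the fallback on.
        try { new DefaultLoginPolicy(true).login("user:pw", null, false); }
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```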