[ http://issues.apache.org/jira/browse/JCR-351?page=all ]

Jukka Zitting updated JCR-351:
------------------------------

    Attachment: null-credentials.patch

Attached a patch that fixes this issue by defaulting to anonymous access when 
no credentials are given in Session.login() and JAAS is not configured. I also 
added a defaultUserId configuration option to SimpleLoginModule that allows 
null credentials to be mapped to some other user than anonymous.

The patch contains the following changes:

   * RepositoryImpl: Pass null Credentials to a LoginModule for interpretation
     rather than directly throwing an exception when a JAAS Subject is not
     available.
   * SimpleLoginModule: Default to anonymous access when null Credentials are
     given. Added (disabled by default) a defaultUserId property for using some
     other user than anonymous by default.
   * repository.xml: Added a note about the new defaultUserId property and a
     commented out example on how to use it.

The only impact on existing environments is that null Credentials will now be 
passed to configured LoginModules with CredentialsCallback.setCallback(null) 
instead of explicitly throwing a LoginException when a JAAS Subject is not 
available.

I'd like to have this issue as well included in 1.0, as it considerably helps 
to simplify initial setup. Please comment if you see any problems with this 
approach or think that the change is too risky for inclusion in 1.0.

> Default to anonymous access when no Credentials are given
> ---------------------------------------------------------
>
>          Key: JCR-351
>          URL: http://issues.apache.org/jira/browse/JCR-351
>      Project: Jackrabbit
>         Type: Improvement
>   Components: security
>     Versions: 0.9
>     Reporter: Jukka Zitting
>     Assignee: Jukka Zitting
>     Priority: Minor
>  Attachments: null-credentials.patch
>
> Even though JCR-348 made it easier to start a Jackrabbit repository with default 
> configuration, the user still needs to take care of the JAAS configuration. 
> It would be more user-friendly to log a warning and default to superuser 
> access rather than throwing a LoginException when JAAS has not been 
> configured. This behaviour should be limited to only default credential 
> logins (Session.login() with null Credentials) and it should be possible to 
> disable it with a configuration option. We could even have this behaviour 
> disabled by default, but enabled in the configuration file used with the 
> JCR-348 automatic configuration.
> This is a case against the "secure by default" design principle, but I think 
> that in this case the benefits in easier setup outweigh the security 
> drawbacks, especially if coupled with the above restrictions and a clear 
> documentation note about the insecure default.
> [Update: As mentioned by Stefan, this is not a JAAS configuration issue but 
> a problem in handling null Credentials. A more proper alternative for 
> superuser access would be to default to anonymous access when credentials are 
> not given.]

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
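
The null-Credentials mapping described in this message, sketched as a plain JAAS LoginModule (Java 16+). This is an added example, not code from null-credentials.patch or from Jackrabbit: NullCredentialsDemo, UserIdCallback, UserPrincipal and DemoLoginModule are hypothetical names, the user ids are constructed, and the demo accepts a supplied id without any password check. Only the defaultUserId option name and the anonymous fallback come from the message.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Added illustration, not Jackrabbit source; every class name here is hypothetical.
public class NullCredentialsDemo {
    // Stand-in for a credentials callback: userId stays null when no Credentials were given.
    static class UserIdCallback implements Callback { String userId; }
    record UserPrincipal(String name) implements Principal { public String getName() { return name; } }

    static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String defaultUserId; // stays null unless the option is configured
        private Principal principal;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
            subject = s; handler = h;
            defaultUserId = (String) options.get("defaultUserId");
        }
        public boolean login() throws LoginException {
            UserIdCallback cb = new UserIdCallback();
            try { handler.handle(new Callback[] { cb }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            String id = cb.userId;
            // Null credentials map to defaultUserId when set, otherwise to anonymous.
            if (id == null) id = defaultUserId != null ? defaultUserId : "anonymous";
            principal = new UserPrincipal(id);
            return true;
        }
        public boolean commit() { subject.getPrincipals().add(principal); return true; }
        public boolean abort() { principal = null; return true; }
        public boolean logout() { subject.getPrincipals().remove(principal); return true; }
    }

    // Runs one login and returns the identity the resulting Subject carries.
    static String loginAs(String userId, Map<String, ?> options) throws LoginException {
        Subject subject = new Subject();
        DemoLoginModule module = new DemoLoginModule();
        module.initialize(subject, cbs -> ((UserIdCallback) cbs[0]).userId = userId, Map.of(), options);
        if (module.login()) module.commit();
        return subject.getPrincipals().iterator().next().getName();
    }
    public static void main(String[] args) throws LoginException {
        System.out.println(loginAs(null, Map.of()));                                 // no credentials, option unset
        System.out.println(loginAs(null, Map.of("defaultUserId", "superuser")));     // no credentials, option set
        System.out.println(loginAs("alice", Map.of("defaultUserId", "superuser")));  // explicit credentials
    }
}
```

When reviewing a deployment, treat a defaultUserId that names a privileged account as equivalent to granting that account to every caller that logs in without Credentials.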
