[ https://issues.apache.org/jira/browse/OAK-1404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13894244#comment-13894244 ]

Tobias Bocanegra commented on OAK-1404:
---------------------------------------

workaround for system subject:

{code}
--- 
a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/SystemSubject.java
+++ 
b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/SystemSubject.java
@@ -16,9 +16,13 @@
  */
 package org.apache.jackrabbit.oak.spi.security.authentication;

+import java.security.Principal;
 import java.util.Collections;
+import java.util.Set;
+
 import javax.security.auth.Subject;

+import org.apache.jackrabbit.oak.api.AuthInfo;
 import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;

 /**
@@ -34,6 +38,8 @@ public final class SystemSubject {
     private SystemSubject() {}

     private static Subject createSystemSubject() {
-        return new Subject(true, 
Collections.singleton(SystemPrincipal.INSTANCE), 
Collections.<Object>emptySet(), Collections.<Object>emptySet());
+        Set<? extends Principal> principals = 
Collections.singleton(SystemPrincipal.INSTANCE);
+        AuthInfo info = new AuthInfoImpl("system", null, principals);
+        return new Subject(true, principals, Collections.singleton(info), 
Collections.<Object>emptySet());
     }
 }
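Review bot: `new AuthInfoImpl("system", null, principals)` hardcodes the user id as a string literal and passes null for the attributes map; confirm AuthInfoImpl tolerates a null attributes map (or pass `Collections.<String, Object>emptyMap()`), and consider a named constant for the system user id so callers comparing `AuthInfo.getUserID()` do not depend on a literal. Since the Subject is built read-only (`new Subject(true, ...)`) with the same `principals` set used for both the subject and the AuthInfo, the two cannot diverge here, which is exactly the invariant the comment below says should be enforced globally rather than per subject.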
{code}

But I think this should be solved globally. Somehow it's wrong to put the 
AuthInfo class as a public credential in the Subject and provide principals 
other than those of the subject. If the goal of the public credentials is to 
transport the authenticated userid and the attributes, we might only include 
those in the info.

> Pre-Authenticated login does not propagate principals in subject to AuthInfo 
> class.
> -----------------------------------------------------------------------------------
>
>                 Key: OAK-1404
>                 URL: https://issues.apache.org/jira/browse/OAK-1404
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.15
>            Reporter: Tobias Bocanegra
>
> Example:
> {code}
> systemSession = Subject.doAs(SystemSubject.INSTANCE, new 
> PrivilegedExceptionAction<ContentSession>() {
>     @Override
>     public ContentSession run() throws LoginException, 
> NoSuchWorkspaceException {
>         return repository.login(null, null);
>     }
> });
> {code}
> Produces a session with no permissions.
> I think there are 2 issues:
> 1. Pre-Authenticated logins do not set an AuthInfo to the public credentials 
> of the Subject.
> 2. The AbstractAccessControlManager uses the AuthInfo.getPrincipals() to 
> retrieve them. IMO, the principals should always match those of the subject 
> and be retrieved from there.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)