[
https://issues.apache.org/jira/browse/OAK-3392?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14738888#comment-14738888
]
Francesco Mari commented on OAK-3392:
-------------------------------------
This issue blocks OAK-3201. The new proposed approach for the
{{SecurityProviderImpl}}, i.e. don't register the component unless every
required dependency is loaded, implies that security configurations may exist
without an implementation of {{SecurityProvider}} already registered in the
framework.
> Security shouldn't be bound to a SecurityProvider
> -------------------------------------------------
>
> Key: OAK-3392
> URL: https://issues.apache.org/jira/browse/OAK-3392
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: core
> Affects Versions: 1.3.5
> Reporter: Francesco Mari
> Assignee: Francesco Mari
>
> {{ConfigurationBase}}, the base class for security configurations, allows a
> {{SecurityProvider}} to be injected in a security configuration at will. This
> mechanism is used to implement a basic form dependency injection in
> {{SecurityProviderImpl}}, where every configuration receives a the instance
> of {{SecurityProviderImpl}} that is currently using it.
> This mechanism is problematic in a dynamic scenario like OSGi, where a
> security configuration can be loaded independently from the
> {{SecurityProvider}} that is using it. Moreover, if multiple implementations
> of {{SecurityProvider}} are available, it is impossible to determine which
> instance of {{SecurityProvider}} will be injected in the security
> configuration.
> I suggest to remove the reference to a {{SecurityProvider}} in the security
> configurations. If a {{SecurityProvider}} is needed, it should be instead
> passed as parameter in the appropriate methods.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
