[jira] [Comment Edited] (OAK-8763) LoginContextProviderImpl uses any subject found in the AccessControlContext.

Manfred Baedke (Jira) Wed, 20 Nov 2019 07:18:00 -0800


    [ 
https://issues.apache.org/jira/browse/OAK-8763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16978504#comment-16978504
 ]


Manfred Baedke edited comment on OAK-8763 at 11/20/19 3:16 PM:
---------------------------------------------------------------

[~angela],

bq. i am not convinced that replacing a read-only subject by a new, writable 
one is really correct

The patch is obviously not meant to be a final solution.
The reasoning is that logout will return false in cases where it should return 
true. See 
https://issues.apache.org/jira/browse/OAK-8763?focusedCommentId=16973480&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16973480.
I will add a test, but I'd really like to know your opinion on how to fix the 
problem.

If replacing a readonly subject is not correct, what would be correct instead?



was (Author: baedke):
[~angela],

bq. i am not convinced that replacing a read-only subject by a new, writable 
one is really correct

The patch is obviously not meant to be a final solution.
The reasoning is that logout will return false in cases where it should return 
true. See 
https://issues.apache.org/jira/browse/OAK-8763?focusedCommentId=16973480&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16973480.
I will add a test, but I'd really like to know your opinion on how to fix the 
problem.


> LoginContextProviderImpl uses any subject found in the AccessControlContext.
> ----------------------------------------------------------------------------
>
>                 Key: OAK-8763
>                 URL: https://issues.apache.org/jira/browse/OAK-8763
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: security-spi
>            Reporter: Manfred Baedke
>            Assignee: Angela Schreiber
>            Priority: Major
>         Attachments: OAK-8763.patch
>
>
> LoginContextProviderImpl#getLoginContext(...) extracts the most recent 
> subject from the AccessControlContext and then uses it for either a 
> PreAuthContext or a JaasLoginContext. This is wrong, because there is no 
> reason to assume that such a subject has anything to do with Oak. It 
> particularly hurts when it's readonly, because JAAS will then silently fail 
> to add principals and credentials.
> We would need a way to identify pre-authenticated subjects and subjects that 
> are not pre-authenticated should not be used to create a JaasLoginContext.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Comment Edited] (OAK-8763) LoginContextProviderImpl uses any subject found in the AccessControlContext.

Reply via email to