[ https://issues.apache.org/jira/browse/OAK-8763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16978606#comment-16978606 ]
Manfred Baedke edited comment on OAK-8763 at 11/20/19 5:20 PM:
---------------------------------------------------------------
[~angela],
bq. i don't necessarily agree with your statement that the context provider
messes up the subject upon login
Call it whatever you like. It either doesn't use the correct subject or it
doesn't use the subject correctly.
bq. [0]
http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html
Thx, that looks about right.
bq. see also OAK-8710 for some additional comments regarding reproducibility
Well, maybe we can start discussing the issue even if it's not easily
reproduced.
If needed, it's reproducible as communicated off Jira.
I'd really like to learn what you think about it.
was (Author: baedke):
[~angela],
bq. i don't necessarily agree with your statement that the context provider
messes up the subject upon login
Call it whatever you like. It either doesn't use the correct subject or it
doesn't use the subject correctly.
bq. [0]
http://jackrabbit.apache.org/oak/docs/security/authentication/preauthentication.html
Thx, that looks about right.
bq. see also OAK-8710 for some additional comments regarding reproducibility
Well, maybe we can start discussing the issue even if it's not easily
reproduced.
If needed, it's reproducible as communicated off Jira.
I'd really like to learn what you think about it.
> LoginContextProviderImpl uses any subject found in the AccessControlContext.
> ----------------------------------------------------------------------------
>
> Key: OAK-8763
> URL: https://issues.apache.org/jira/browse/OAK-8763
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: security-spi
> Reporter: Manfred Baedke
> Assignee: Angela Schreiber
> Priority: Major
> Attachments: OAK-8763.patch
>
>
> LoginContextProviderImpl#getLoginContext(...) extracts the most recent
> subject from the AccessControlContext and then uses it for either a
> PreAuthContext or a JaasLoginContext. This is wrong, because there is no
> reason to assume that such a subject has anything to do with Oak. It
> particularly hurts when it's readonly, because JAAS will then silently fail
> to add principals and credentials.
> We would need a way to identify pre-authenticated subjects and subjects that
> are not pre-authenticated should not be used to create a JaasLoginContext.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
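The quoted issue description turns on two JAAS facts: a Subject found in the AccessControlContext may have been established by a component unrelated to Oak, and once a Subject has been made read-only any attempt to add principals to it is rejected. The following stand-alone Java program, added here as an illustration and not code from Oak or from the patch attached to the issue, shows both behaviours and one defensive selection rule: a subject is reused for login only if it carries an explicit pre-authentication marker, otherwise a fresh writable Subject is created. The `PreAuthMarker` principal, `NamedPrincipal` and the helper method names are assumptions for this example; they are not Oak identifiers.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class SubjectSelectionDemo {

    // Hypothetical marker principal: stands in for whatever a repository would
    // use to tag a subject as pre-authenticated. Not an Oak class.
    public static final class PreAuthMarker implements Principal {
        @Override public String getName() { return "pre-authenticated-marker"; }
        @Override public String toString() { return getName(); }
    }

    // Minimal named principal for the constructed subjects below.
    public static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    /** Returns true if the principal was added; false if the subject is read-only
     *  (the principal set throws IllegalStateException in that case). */
    static boolean tryAddPrincipal(Subject subject, Principal p) {
        try {
            return subject.getPrincipals().add(p);
        } catch (IllegalStateException readOnly) {
            return false;
        }
    }

    /** True only for subjects that carry the explicit marker. */
    static boolean isPreAuthenticated(Subject subject) {
        return subject != null && !subject.getPrincipals(PreAuthMarker.class).isEmpty();
    }

    /** Selection rule: reuse a marked subject as-is; never hand an unmarked
     *  subject (possibly read-only, possibly foreign) to a JAAS login. */
    static Subject subjectForJaasLogin(Subject fromContext) {
        if (isPreAuthenticated(fromContext)) {
            return fromContext;
        }
        return new Subject(); // fresh, writable, owned by this login
    }

    public static void main(String[] args) {
        // Constructed: a read-only subject installed by an unrelated component.
        Subject foreign = new Subject();
        foreign.getPrincipals().add(new NamedPrincipal("container-user"));
        foreign.setReadOnly();

        // Run with that subject bound to the AccessControlContext, then look it up
        // the way a provider that inspects the context would.
        Subject.doAs(foreign, (PrivilegedAction<Void>) () -> {
            Subject found = Subject.getSubject(AccessController.getContext());
            System.out.println("subject in context: " + found.getPrincipals());
            System.out.println("readOnly=" + found.isReadOnly()
                + ", principal added=" + tryAddPrincipal(found, new NamedPrincipal("repo-user")));
            Subject chosen = subjectForJaasLogin(found);
            System.out.println("context subject reused for login=" + (chosen == found)
                + ", chosen subject writable=" + !chosen.isReadOnly());
            return null;
        });

        // Constructed: a subject explicitly marked as pre-authenticated is reused.
        Subject marked = new Subject();
        marked.getPrincipals().add(new PreAuthMarker());
        marked.getPrincipals().add(new NamedPrincipal("sso-user"));
        System.out.println("marked subject reused for login=" + (subjectForJaasLogin(marked) == marked));
    }
}
```

Compile and run with `javac SubjectSelectionDemo.java && java SubjectSelectionDemo`; on JDK 17 and later `AccessController.getContext()` and `Subject.getSubject(...)` emit deprecation warnings but still work. The read-only subject shows `principal added=false` and is not reused, while the marked subject is.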