[
https://issues.apache.org/jira/browse/OAK-8763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16985023#comment-16985023
]
Angela Schreiber commented on OAK-8763:
---------------------------------------
[~baedke], IMO the repository must not mandate how a pre-authenticated subject
is generated. in this scenario it the responsibility to make sure the the
subject is properly populated and measures have been taken to verify the
validity of the authentication attempt is outside of the scope of the
repository.
> LoginContextProviderImpl uses any subject found in the AccessControlContext.
> ----------------------------------------------------------------------------
>
> Key: OAK-8763
> URL: https://issues.apache.org/jira/browse/OAK-8763
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: security-spi
> Reporter: Manfred Baedke
> Assignee: Angela Schreiber
> Priority: Major
> Attachments: OAK-8763-tests.patch, OAK-8763.patch
>
>
> LoginContextProviderImpl#getLoginContext(...) extracts the most recent
> subject from the AccessControlContext and then uses it for either a
> PreAuthContext or a JaasLoginContext. This is wrong, because there is no
> reason to assume that such a subject has anything to do with Oak. It
> particularly hurts when it's readonly, because JAAS will then silently fail
> to add principals and credentials.
> We would need a way to identify pre-authenticated subjects and subjects that
> are not pre-authenticated should not be used to create a JaasLoginContext.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
