[jira] [Commented] (SLING-2762) AbstractSlingRepository#login violates JCR spec

2014-01-11 Thread Felix Meschberger (JIRA)

[ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13868919#comment-13868919 ]

Felix Meschberger commented on SLING-2762:
--

[~alexander.klimetschek] I fear Sling is not in a position to answer your question :-)

 AbstractSlingRepository#login violates JCR spec
 ---

 Key: SLING-2762
 URL: https://issues.apache.org/jira/browse/SLING-2762
 Project: Sling
  Issue Type: Bug
  Components: JCR
Reporter: Antonio Sanso
Assignee: Antonio Sanso

 AbstractSlingRepository#login seems to violate the javax.jcr.Repository spec.
 The API [0] says
  If credentials is null, it is assumed that authentication is handled by a 
 mechanism external to the repository itself (for example, through the JAAS 
 framework) and that the repository implementation exists within a context 
 (for example, an application server) that allows it to handle authorization 
 of the request for access to the specified workspace.
 while the implementation looks like
 {code}
 ...
 if (credentials == null) {
     credentials = getAnonCredentials(this.anonUser);
 }
 ...
 {code}
 [0] 
 http://www.day.com/maven/jsr170/javadocs/jcr-2.0/javax/jcr/Repository.html#login%28javax.jcr.Credentials,%20java.lang.String%29



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)


[jira] [Commented] (SLING-2762) AbstractSlingRepository#login violates JCR spec

2014-01-10 Thread Alexander Klimetschek (JIRA)

[ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13868615#comment-13868615 ]

Alexander Klimetschek commented on SLING-2762:
--

BTW, regarding the null login in JCR allowing the context to define the user freely: I hope Jackrabbit/Oak has an option to turn that off and that it is off by default. Otherwise things like loginByService() are not adding any security, just a little convenience to configure the mappings in a central place (which probably will evolve into a pluggable setting anyway, since otherwise a deployment of a new feature would always require an update of that central configuration, or you are forced to add a fallback to admin for unconfigured services, which would be a bad outcome...).



[jira] [Commented] (SLING-2762) AbstractSlingRepository#login violates JCR spec

2013-12-12 Thread Antonio Sanso (JIRA)

[ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13846274#comment-13846274 ]

Antonio Sanso commented on SLING-2762:
--

I'd be inclined to apply the patch included by [~fmeschbe] and [~anchela] in 
https://cwiki.apache.org/confluence/display/SLING/Solving+the+Authentication+Handler+Credential+Validation+Problem

namely 

{code}
// needs javax.security.auth.Subject, java.security.AccessController and javax.jcr.GuestCredentials
if (credentials == null) {
    if (Subject.getSubject(AccessController.getContext()) != null) {
        // pre-authenticated: a JAAS Subject is bound to the current context,
        // so hand the null login through to the repository as the JCR spec describes
        return getRepository().login(null, workspace);
    } else {
        // TODO: getAnonCredentials(this.anonUser) should not be used for anonymous access
        return getRepository().login(new GuestCredentials(), workspace);
    }
} else {
    return getRepository().login(credentials, workspace);
}
{code}

WDYT?



[jira] [Commented] (SLING-2762) AbstractSlingRepository#login violates JCR spec

2013-12-12 Thread Felix Meschberger (JIRA)

[ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13846283#comment-13846283 ]

Felix Meschberger commented on SLING-2762:
--

[~asanso] Yes. Will you also take care of the patch provided by Tim for SLING-3179? Thanks.



[jira] [Commented] (SLING-2762) AbstractSlingRepository#login violates JCR spec

2013-12-12 Thread Antonio Sanso (JIRA)

[ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13846290#comment-13846290 ]

Antonio Sanso commented on SLING-2762:
--

bq. Will you also take care of the patch provided by Tim for SLING-3179?

yes I can try :)



[jira] [Commented] (SLING-2762) AbstractSlingRepository#login violates JCR spec

2013-10-16 Thread Felix Meschberger (JIRA)

[ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13796529#comment-13796529 ]

Felix Meschberger commented on SLING-2762:
--

Linking to the generic issue implementing the preauthentication problem proposal (https://cwiki.apache.org/confluence/display/SLING/Solving+the+Authentication+Handler+Credential+Validation+Problem).



[jira] [Commented] (SLING-2762) AbstractSlingRepository#login violates JCR spec

2013-03-01 Thread angela (JIRA)

[ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13590525#comment-13590525 ]

angela commented on SLING-2762:
---

Apart from violating the spec, this is also pretty awkward, as the 'anonymous' in Sling represents the unauthenticated user. Logging in as such with credentials other than javax.jcr.GuestCredentials doesn't make sense IMHO.

It's actually an oddity (or bug) in Jackrabbit core that it was (actually is) possible to login with SimpleCredentials built for the anonymous user, which has not been fixed in order not to break backwards compatibility.

As of Oak, that special handling for the anonymous user will not be supported any more and the built-in anonymous user will not have a password property any more... so login(new SimpleCredentials(anonymous, ) will no longer work. Instead, login(new GuestCredentials()) will succeed if a valid anonymous user exists.

Similarly, login(null) will no longer be converted into an anonymous login by default. To ease migration and provide a backwards compatible setup, there exists a separate LoginModule implementation that will populate the shared state with GuestCredentials in case of a null login.

Hope that helps.



[jira] [Commented] (SLING-2762) AbstractSlingRepository#login violates JCR spec

2013-03-01 Thread Felix Meschberger (JIRA)

[ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13590609#comment-13590609 ]

Felix Meschberger commented on SLING-2762:
--

bq. GuestCredentials

Remember this Sling implementation dates back to JCR 1, where there was no GuestCredentials, and we never adapted this code.

bq. login(null) support

Thanks for the update. For Sling, which wraps its own Repository wrapper around the actual Repository, we can still implement the support.

As I tried to bring the discussion to the list, I propose replacing the respective code with something similar to this:

{code}
if (credentials == null) {
    // hasAccessControlContext / hasSubject are placeholders for the check whether
    // a JAAS Subject is bound to the caller's AccessControlContext
    if (!hasAccessControlContext || !hasSubject) {
        credentials = new GuestCredentials();
    }
}
{code}

This allows for backwards compatibility (where generally there will be no AccessControlContext with a Subject) while at the same time allowing for Subject based authentication.

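The null-credentials policy sketched in Felix's placeholder snippet above and spelled out in Antonio's Subject-based patch earlier in the thread, as an added stand-alone Java example (not Sling's code, and not the patch itself): it puts the behaviour the ticket reports (null silently rewritten to the anonymous user's stored credentials) next to the proposed behaviour (null passed through only when a JAAS Subject is bound to the caller's AccessControlContext, GuestCredentials otherwise) and exercises both with and without a Subject.doAs context. It assumes only the JCR 2.0 API (javax.jcr) on the classpath; the LoginTarget interface, the TRACE delegate and the "anonymous"/"alice" identities are constructed stand-ins for AbstractSlingRepository#getRepository() and real users.

```java
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;

import javax.jcr.Credentials;
import javax.jcr.GuestCredentials;
import javax.jcr.RepositoryException;
import javax.jcr.SimpleCredentials;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

/**
 * Added example, not Sling's code: two ways a repository wrapper can treat a
 * null Credentials argument, side by side. Assumes the JCR 2.0 API on the
 * classpath; LoginTarget and TRACE are constructed stand-ins for the wrapped
 * javax.jcr.Repository.
 */
public class NullLoginPolicyDemo {

    /** Stand-in for the delegate repository's login(Credentials, String). */
    interface LoginTarget {
        String login(Credentials credentials, String workspace) throws RepositoryException;
    }

    /** Pre-authentication check: is a JAAS Subject bound to the caller's AccessControlContext? */
    static boolean hasSubject() {
        // Deprecated on recent JDKs, where Subject.current() is the replacement.
        return Subject.getSubject(AccessController.getContext()) != null;
    }

    /** Behaviour the ticket reports: null is quietly rewritten to stored anonymous credentials. */
    static String loginAsReported(LoginTarget repo, Credentials credentials, String workspace, String anonUser)
            throws RepositoryException {
        if (credentials == null) {
            // stand-in for getAnonCredentials(this.anonUser): SimpleCredentials for the anonymous user
            credentials = new SimpleCredentials(anonUser, new char[0]);
        }
        return repo.login(credentials, workspace);
    }

    /** Behaviour proposed in the thread: honour the spec's null-login semantics only when a Subject is present. */
    static String loginProposed(LoginTarget repo, Credentials credentials, String workspace)
            throws RepositoryException {
        if (credentials == null) {
            if (hasSubject()) {
                // pre-authenticated: pass the null through and let the repository's
                // JAAS configuration resolve the Subject, as the JCR javadoc describes
                return repo.login(null, workspace);
            }
            // no external authentication context: this is a plain guest login
            return repo.login(new GuestCredentials(), workspace);
        }
        return repo.login(credentials, workspace);
    }

    /** Constructed delegate that only reports which credentials it was handed. */
    static final LoginTarget TRACE = (c, ws) -> {
        if (c == null) {
            return "null -> repository resolves the JAAS Subject itself";
        }
        if (c instanceof GuestCredentials) {
            return "GuestCredentials";
        }
        if (c instanceof SimpleCredentials) {
            return "SimpleCredentials(" + ((SimpleCredentials) c).getUserID() + ")";
        }
        return c.getClass().getSimpleName();
    };

    public static void main(String[] args) throws Exception {
        // 1. No Subject in the context: the reported code logs in with real anonymous
        //    credentials, the proposed code with GuestCredentials.
        System.out.println("reported, no Subject:   " + loginAsReported(TRACE, null, null, "anonymous"));
        System.out.println("proposed, no Subject:   " + loginProposed(TRACE, null, null));

        // 2. Explicit credentials are passed through unchanged.
        Credentials alice = new SimpleCredentials("alice", "secret".toCharArray());
        System.out.println("proposed, explicit:     " + loginProposed(TRACE, alice, null));

        // 3. A Subject bound via Subject.doAs: the reported code still downgrades the
        //    caller to anonymous, the proposed code hands null through to the repository.
        Subject preauth = new Subject();
        preauth.getPrincipals().add(new X500Principal("CN=alice"));
        PrivilegedExceptionAction<String> reported = () -> loginAsReported(TRACE, null, null, "anonymous");
        PrivilegedExceptionAction<String> proposed = () -> loginProposed(TRACE, null, null);
        System.out.println("reported, with Subject: " + Subject.doAs(preauth, reported));
        System.out.println("proposed, with Subject: " + Subject.doAs(preauth, proposed));
    }
}
```

Case 3 is the point of the ticket: a caller that has already been authenticated externally and runs inside Subject.doAs is, under the reported code, logged in as the anonymous user regardless, so the pre-authentication is lost. The check on Subject.getSubject(AccessController.getContext()) is what the thread relies on to tell that case apart from an unauthenticated caller; on JDKs that have removed the AccessControlContext plumbing, the equivalent check is Subject.current() != null inside Subject.callAs.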