[jira] [Commented] (SLING-2762) AbstractSlingRepository#login violates JCR spec
[ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13868919#comment-13868919 ]

Felix Meschberger commented on SLING-2762:
------------------------------------------

[~alexander.klimetschek] I fear Sling is not in a position to answer your question :-)

AbstractSlingRepository#login violates JCR spec
-----------------------------------------------

Key: SLING-2762
URL: https://issues.apache.org/jira/browse/SLING-2762
Project: Sling
Issue Type: Bug
Components: JCR
Reporter: Antonio Sanso
Assignee: Antonio Sanso

AbstractSlingRepository#login seems to violate the javax.jcr.Repository spec. The API [0] says

If credentials is null, it is assumed that authentication is handled by a mechanism external to the repository itself (for example, through the JAAS framework) and that the repository implementation exists within a context (for example, an application server) that allows it to handle authorization of the request for access to the specified workspace.

while the implementation looks like

{code}
...
if (credentials == null) {
    credentials = getAnonCredentials(this.anonUser);
}
...
{code}

[0] http://www.day.com/maven/jsr170/javadocs/jcr-2.0/javax/jcr/Repository.html#login%28javax.jcr.Credentials,%20java.lang.String%29

--
This message was sent by Atlassian JIRA (v6.1.5#6160)
[jira] [Commented] (SLING-2762) AbstractSlingRepository#login violates JCR spec
[ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13868615#comment-13868615 ]

Alexander Klimetschek commented on SLING-2762:
----------------------------------------------

BTW, regarding the null login in JCR allowing the context to define the user freely: I hope Jackrabbit/Oak has an option to turn that off and it is off by default. Otherwise things like loginByService() are not adding any security, just a little convenience to configure the mappings in a central place (which probably will evolve into a pluggable setting anyway, since otherwise a deployment of a new feature would always require update of that central configuration anyway or you are forced to add a fallback to admin for unconfigured services, which would be a bad outcome...).
[jira] [Commented] (SLING-2762) AbstractSlingRepository#login violates JCR spec
[ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13846274#comment-13846274 ]

Antonio Sanso commented on SLING-2762:
--------------------------------------

I'd be inclined to apply the patch included by [~fmeschbe] and [~anchela] in https://cwiki.apache.org/confluence/display/SLING/Solving+the+Authentication+Handler+Credential+Validation+Problem namely

{code}
if (credentials == null) {
    // A Subject in the access control context means the caller was authenticated externally.
    if (Subject.getSubject(AccessController.getContext()) != null) {
        return getRepository().login(null, workspace);
    } else {
        // TODO: getAnonCredentials(this.anonUser) should not be used for anonymous access
        return getRepository().login(new GuestCredentials(), workspace);
    }
} else {
    // Explicit credentials are passed through unchanged.
    return getRepository().login(credentials, workspace);
}
{code}

WDYT?
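The three calling contexts that the patch quoted above distinguishes, as an added example that is not part of the original thread or of Sling's code. `LoginBranchDemo`, `branchFor` and the principal name are hypothetical, no repository is contacted, and it assumes a JDK on which `Subject.doAs` and `Subject.getSubject` are still supported (these security-manager-era APIs are deprecated for removal in recent JDKs).

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import javax.security.auth.Subject;

// Added illustration; LoginBranchDemo, branchFor and the principal name are hypothetical.
public class LoginBranchDemo {

    enum Branch { EXPLICIT_CREDENTIALS, PRE_AUTHENTICATED_SUBJECT, GUEST_FALLBACK }

    // Mirrors the branch structure of the proposed patch without calling a repository.
    static Branch branchFor(Object credentials) {
        if (credentials != null) {
            return Branch.EXPLICIT_CREDENTIALS;       // login(credentials, workspace)
        }
        if (Subject.getSubject(AccessController.getContext()) != null) {
            return Branch.PRE_AUTHENTICATED_SUBJECT;  // login(null, workspace)
        }
        return Branch.GUEST_FALLBACK;                 // login(new GuestCredentials(), workspace)
    }

    public static void main(String[] args) {
        // Constructed sample identity: a Subject holding one named principal.
        Principal alice = () -> "alice";
        Subject subject = new Subject(true, Collections.singleton(alice),
                Collections.emptySet(), Collections.emptySet());

        // 1. Caller supplies credentials: they are passed through unchanged.
        System.out.println(branchFor("some-credentials"));

        // 2. Null credentials, no Subject bound to the calling context: guest login.
        System.out.println(branchFor(null));

        // 3. Null credentials inside Subject.doAs: the null is handed to the repository,
        //    which must derive the identity from the Subject itself.
        Branch inside = Subject.doAs(subject,
                (PrivilegedAction<Branch>) () -> branchFor(null));
        System.out.println(inside);
    }
}
```

In the third case the repository receives no credentials at all, so the identity comes entirely from whoever established the Subject; that is the concern Alexander Klimetschek raises in this thread about null logins.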
[jira] [Commented] (SLING-2762) AbstractSlingRepository#login violates JCR spec
[ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13846283#comment-13846283 ]

Felix Meschberger commented on SLING-2762:
------------------------------------------

[~asanso] Yes. Will you also take care of the patch provided by Tim for SLING-3179? Thanks.
[jira] [Commented] (SLING-2762) AbstractSlingRepository#login violates JCR spec
[ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13846290#comment-13846290 ]

Antonio Sanso commented on SLING-2762:
--------------------------------------

bq. Will you also take care of the patch provided by Tim for SLING-3179?

Yes, I can try :)
[jira] [Commented] (SLING-2762) AbstractSlingRepository#login violates JCR spec
[ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13796529#comment-13796529 ]

Felix Meschberger commented on SLING-2762:
------------------------------------------

Linking to the generic issue implementing the preauthentication problem proposal (https://cwiki.apache.org/confluence/display/SLING/Solving+the+Authentication+Handler+Credential+Validation+Problem)
[jira] [Commented] (SLING-2762) AbstractSlingRepository#login violates JCR spec
[ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13590525#comment-13590525 ]

angela commented on SLING-2762:
-------------------------------

Apart from violating the spec, this is also pretty awkward, as the 'anonymous' in Sling represents the unauthenticated user. Login as such with other credentials than javax.jcr.GuestCredentials doesn't make sense IMHO. It's actually an oddity (or bug) in Jackrabbit core that it was (actually is) possible to login with SimpleCredentials built for the anonymous user that has not been fixed in order not to break backwards compatibility.

As of Oak, that special handling for the anonymous user will not be supported any more and the built-in anonymous user will not have a password property any more... so login(new SimpleCredentials(anonymous, ) will no longer work. Instead login(new GuestCredentials) will succeed if a valid anonymous user exists. Similarly, login(null) will no longer be converted into an anonymous-login by default. To ease migration and provide a backwards compatible setup there exists a separate loginmodule implementation that will populate the shared-state with guestcredentials in case of null-login.

Hope that helps
[jira] [Commented] (SLING-2762) AbstractSlingRepository#login violates JCR spec
[ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13590609#comment-13590609 ]

Felix Meschberger commented on SLING-2762:
------------------------------------------

GuestCredentials

Remember this Sling implementation dates back to JCR 1 where there was no GuestCredentials and we never adapted this code.

login(null) support

Thanks for the update. For Sling, which wraps its own Repository wrapper around the actual Repository, we can still implement the support. As I tried to bring the discussion to the list, I propose to replace the respective code with something similar to this:

{code}
if (credentials == null) {
    if (!hasAccessControlContext || !hasSubject) {
        credentials = new GuestCredentials();
    }
}
{code}

This allows for backwards compatibility (where generally there will be no AccessControlContext with a Subject) while at the same time allowing for Subject based authentication.