[jira] [Comment Edited] (SLING-3854) Add configuration option to restrict service user mapper to system users
[ https://issues.apache.org/jira/browse/SLING-3854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14328780#comment-14328780 ]

Marius Petria edited comment on SLING-3854 at 2/20/15 10:30 AM:

Hi [~asanso], is there any reason for which the validation is done at mapping time not at registration time? That could potentially introduce some performance problems, especially if the validator is hitting the repository.

EDIT: Also, regarding switching to a service user in JcrSystemUserValidator this will not be very easy probably as it looks like it will cause an infinite loop.

Add configuration option to restrict service user mapper to system users

Key: SLING-3854
URL: https://issues.apache.org/jira/browse/SLING-3854
Project: Sling
Issue Type: Improvement
Components: Service User Mapper
Reporter: angela
Assignee: Antonio Sanso
Fix For: Service User Mapper 1.1.0, JCR Resource 2.5.0
Attachments: SLING-3854-patch2.txt, SLING-3854.patch

JCR-3802 introduces the concept of system users that are distinct from regular user accounts and never have a password set. The API extensions include the following ability to discover if a given User is actually a system user: {{User.isSystemUser}}.

It would be good if the service user mapping had a configuration option that would restrict the mapping to dedicated service users, i.e. to users which are defined to be system users in case Sling is running on a JCR repository that implements the Jackrabbit API.

-- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Comment Edited] (SLING-3854) Add configuration option to restrict service user mapper to system users
[ https://issues.apache.org/jira/browse/SLING-3854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14327341#comment-14327341 ]

Antonio Sanso edited comment on SLING-3854 at 2/19/15 12:26 PM:

Committed jcr resource part in r1660869 for the record. In order to leave the jcr api low enough the {{isSystemUser}} has been implemented using reflection.
[jira] [Comment Edited] (SLING-3854) Add configuration option to restrict service user mapper to system users
[ https://issues.apache.org/jira/browse/SLING-3854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14312394#comment-14312394 ]

Antonio Sanso edited comment on SLING-3854 at 2/9/15 4:18 PM:

[~anchela] thanks a lot for your patch. I have seen it introduce a {{loginAdministrative(null);}} call. Is this intended?

cc [~fmeschbe]
[jira] [Comment Edited] (SLING-3854) Add configuration option to restrict service user mapper to system users
[ https://issues.apache.org/jira/browse/SLING-3854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14098577#comment-14098577 ]

angela edited comment on SLING-3854 at 8/15/14 2:37 PM:

wouldn't that have a negative impact on performance if you execute the validation for each call? i would just validate it upon registration and make that pluggable... e.g. with a ServiceUserValidator interface and with a reference in the mapper that can deal with multiple implementations...

then people may also be able to use this concept with their custom login modules, their custom principal provider, their custom way of providing service users that may or may not be stored in the repository...

especially with third party integrations i am not convinced that creating service users that then read third party credentials from the repository content is really a perfect setup... why shouldn't we be able in the future to make sure such a third party integration registers the service-user and provides its private authentication mechanism, providing the service user with all information that is needed to deal with the third party integration... without having to store credentials in a place that is potentially not properly secured, with an extra service user that needs to be able to read these credentials and so forth...

i didn't yet think about it in all details but my gut feeling tells me that this should be easily extensible in the future... like we do nowadays with bundles that provide both a Sling AuthenticationHandler and a pluggable LoginModule that establish trust by using bundle private information.
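
The pluggable validator proposed in the 8/15/14 comment and the reflective {{isSystemUser}} check mentioned in the 2/19/15 comment can be pictured together as follows. This is an added example, not code from the SLING-3854 patches or from Sling: ValidatorSketch, SampleUser, Mapper, the one-argument isValid signature, the verdict cache and the sample user ids are all assumptions made for illustration.

```java
import java.lang.reflect.Method;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class ValidatorSketch {
    /** Hypothetical plug-in point, named after the interface proposed in the thread. */
    interface ServiceUserValidator {
        boolean isValid(String serviceUserId);
    }

    /** Constructed stand-in for a user object whose API exposes isSystemUser(). */
    public static class SampleUser {
        private final boolean system;
        public SampleUser(boolean system) { this.system = system; }
        public boolean isSystemUser() { return system; }
    }

    /** Reflective check: no compile-time dependency on the newer API, and it fails closed. */
    static boolean isSystemUser(Object user) {
        if (user == null) return false;            // unknown account: reject
        try {
            Method m = user.getClass().getMethod("isSystemUser");
            return Boolean.TRUE.equals(m.invoke(user));
        } catch (ReflectiveOperationException e) {
            return false;                          // method missing or not callable: reject
        }
    }

    /** Mapper side: every validator must accept; the verdict is cached per user id. */
    static class Mapper {
        private final List<ServiceUserValidator> validators;
        private final Map<String, Boolean> verdicts = new ConcurrentHashMap<>();
        Mapper(List<ServiceUserValidator> validators) { this.validators = validators; }
        boolean accepts(String userId) {
            // An empty validator list accepts every id, i.e. the restriction is switched off.
            return verdicts.computeIfAbsent(userId,
                id -> validators.stream().allMatch(v -> v.isValid(id)));
        }
    }

    public static void main(String[] args) {
        Map<String, Object> repo = Map.of(         // constructed sample accounts
            "svc-replication", new SampleUser(true),
            "admin", new SampleUser(false),
            "legacy", new Object());               // object without isSystemUser()
        Mapper mapper = new Mapper(List.of(id -> isSystemUser(repo.get(id))));
        for (String id : List.of("svc-replication", "admin", "legacy", "unknown")) {
            System.out.println(id + " -> " + mapper.accepts(id));
        }
    }
}
```

A cached verdict goes stale if the account is later removed or recreated as a regular user, so a real mapper would have to invalidate the cache on user changes or when a validator is registered or unregistered.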