[jira] Commented: (JCR-2358) Prefer JAAS configuration if present

2009-10-22 Thread angela (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-2358?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12768683#action_12768683
 ] 

angela commented on JCR-2358:

I fixed the javadoc with rev. 828684

> Prefer JAAS configuration if present
>
> Key: JCR-2358
> URL: https://issues.apache.org/jira/browse/JCR-2358
> Project: Jackrabbit Content Repository
> Issue Type: Improvement
> Components: jackrabbit-core
> Affects Versions: 1.6.0
> Reporter: Marcel Reutegger
> Priority: Minor
>
> Contrary to JavaDoc the AuthContextProvider prefers the local configuration 
> in repository.xml. When the class was first introduced in 1.5, the 
> implementation did what was documented, but then JCR-1977 was reported. I 
> think we shouldn't have fixed it that way. Preferring JAAS over the local 
> configuration makes sense IMO and works well if 
> Configuration.getAppConfigurationEntry() is correctly implemented and behaves 
> as specified/expected.
> I suggest we revert to the 1.5 preference sequence and introduce a parameter 
> that instructs the AuthContextProvider to ignore the JAAS configuration (as a 
> workaround for the buggy application servers).

-- 
This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.



[jira] Commented: (JCR-2358) Prefer JAAS configuration if present

2009-10-22 Thread angela (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-2358?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12768682#action_12768682
 ] 

angela commented on JCR-2358:

I fixed the javadoc in rev. 828684




[jira] Commented: (JCR-2358) Prefer JAAS configuration if present

2009-10-16 Thread Felix Meschberger (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-2358?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12766544#action_12766544
 ] 

Felix Meschberger commented on JCR-2358:


I concur with Jukka that we should not revert the behaviour. It should be an 
explicit decision to use external JAAS as opposed to internal configuration. 
Maybe we could even add an option to the login module configuration, which says 
"use JAAS".

If this "use JAAS" option is not set and configuration missing, this would be a 
configuration error.
If this "use JAAS" option is set, JAAS is used and any existing configuration 
in repository.xml would be ignored. And if in this case the JAAS configuration 
cannot be loaded, this would again be a configuration error.




[jira] Commented: (JCR-2358) Prefer JAAS configuration if present

2009-10-16 Thread Marcel Reutegger (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-2358?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12766510#action_12766510
 ] 

Marcel Reutegger commented on JCR-2358:

I see your point about the issues with JAAS configuration files. I also faced 
them several times. Though, I have to say, that's also our fault, because of 
code such as:

    // check if jaas-loginModule or fallback is configured
    Configuration logins = null;
    try {
        logins = Configuration.getConfiguration();
    } catch (Exception e) {
        // means no JAAS configuration file OR no permission to read it
    }

You'd get syntax errors as an exception, but we ignore them :-/

But still, it is difficult to distinguish between syntax errors and e.g. no 
configuration at all. In both cases you get a SecurityException, only differing 
in their message.





[jira] Commented: (JCR-2358) Prefer JAAS configuration if present

2009-10-16 Thread Jukka Zitting (JIRA)

[ 
https://issues.apache.org/jira/browse/JCR-2358?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12766496#action_12766496
 ] 

Jukka Zitting commented on JCR-2358:


Disagreed. If someone has explicitly configured some authentication mechanism 
in repository.xml, then IMHO the repository should always use that. Enabling 
JAAS authentication is then as simple as removing any explicit authentication 
configuration in repository.xml.

The problem with preferring JAAS over local configuration is that it's 
notoriously difficult to get the JAAS configuration exactly right. The JAAS 
configuration parser has no logging and will simply ignore a configuration file 
if it contains even a minor syntax error. This could easily cause Jackrabbit to 
fall back to the local configuration and cause all sorts of security issues. If 
we don't have that fallback, then a misconfigured or otherwise missing JAAS 
configuration is easily detected as the repository can throw an exception and 
simply refuse to start up.

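The explicit "use JAAS" decision proposed by Felix Meschberger, combined with Jukka Zitting's refuse-to-start argument and the swallowed exception Marcel Reutegger points out, sketched as an added Java example; it is not Jackrabbit code and not part of any comment in this thread. The `resolve` method, its parameters, the application name "Jackrabbit" and the login module class name are assumptions made for illustration.

```java
import java.util.HashMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class AuthSourceDemo {
    enum Source { LOCAL, JAAS }
    // Hypothetical resolver: useJaas stands in for the proposed "use JAAS" option,
    // hasLocalConfig for a login module being configured in repository.xml.
    static Source resolve(boolean useJaas, boolean hasLocalConfig, String appName) {
        if (!useJaas) {
            if (!hasLocalConfig) {
                throw new IllegalStateException("no local login module and \"use JAAS\" not set");
            }
            return Source.LOCAL;
        }
        AppConfigurationEntry[] entries;
        try {
            entries = Configuration.getConfiguration().getAppConfigurationEntry(appName);
        } catch (SecurityException e) {
            // Missing, unreadable or syntactically broken file: keep the cause, do not fall back.
            throw new IllegalStateException("JAAS configuration could not be loaded", e);
        }
        if (entries == null || entries.length == 0) {
            throw new IllegalStateException("no JAAS entry for application " + appName);
        }
        return Source.JAAS; // local configuration, if any, is ignored
    }

    public static void main(String[] args) {
        // Constructed in-memory JAAS configuration so the demo needs no login.conf file.
        // The application and login module names are made up for this example.
        Configuration.setConfiguration(new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"Jackrabbit".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.example.DemoLoginModule", LoginModuleControlFlag.REQUIRED,
                        new HashMap<String, Object>()) };
            }
        });
        System.out.println(resolve(true, true, "Jackrabbit"));
        System.out.println(resolve(false, true, "Jackrabbit"));
        try {
            resolve(true, true, "NoSuchApp");
        } catch (IllegalStateException e) {
            System.out.println("startup refused: " + e.getMessage());
        }
    }
}
```

Because the `SecurityException` is chained as the cause, its message, which is the only thing that separates a syntax error from a missing file, reaches the startup log.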