Bertrand Delacretaz wrote
> Hi,
>
> For the SLING-5135 I had to remove the code marked with "THIS IS NOW
> REMOVED" below, in CommonResourceResolverFactoryImpl, is that ok with
> whoever wrote that code (Carsten as per the history)?
>
> if ( passedAuthenticationInfo != null ) {
> authenticationInfo.putAll(passedAuthenticationInfo);
> // make sure there is no leaking of service bundle and info props
> authenticationInfo.remove(ResourceProvider.AUTH_SERVICE_BUNDLE); //
> THIS IS NOW REMOVED
> authenticationInfo.remove(SUBSERVICE);
> }
>
> It's needed to pass the calling bundle down to JcrProviderStateFactory
> which calls loginAdministrative and needs to check the whitelisting of
> that bundle first.
>
I think it's fine to remove the lines for the admin resolver, but not
for a plain resolver.
In addition, we should filter these values in ResourceResolverControl
for getting the attributes, otherwise the using bundle can be fetch from
the attributes. Currently that code just filters the password.
Regards
Carsten
--
Carsten Ziegeler
Adobe Research Switzerland
cziege...@apache.org
