Jackrabbit Content Repository

AbstractRepositoryService.createSessionInfo should handle null credentials

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 2.3
    • Fix Version/s: 2.3
    • Component/s: jackrabbit-spi-commons
    • Labels:
      None

      Activity

      Michael Dürig created issue -
      Michael Dürig committed 1146116 (1 file)
      Reviews: none

      JCR-3021: AbstractRepositoryService.createSessionInfo should handle null credentials

      Michael Dürig added a comment -

      Fixed at revision 1146116

      Michael Dürig made changes -
      Field Original Value New Value
      Status Open [ 1 ] Resolved [ 5 ]
      Fix Version/s 2.3.0 [ 12315901 ]
      Resolution Fixed [ 1 ]
      angela added a comment - edited

      I am not convinced that this change is according to the specification, which states:

      > 4.2.2 Guest Credentials
      > GuestCredentials is used to acquire an anonymous session.

      and

      > 4.2.4 External Authentication
      > By providing a signature of Repository.login that does not require
      > Credentials, the content repository allows for authorization and authentication
      > to be handled by JAAS (or another external mechanism) if the implementer so
      > chooses.
      > To use such an external mechanism to create sessions with end-user identity,
      > invocations of the Repository.login method that do not specify Credentials
      > (i.e., either a null Credentials is passed or a signature without the
      > Credentials parameter is used) should obtain the identity of the already-
      > authenticated user through that external mechanism.

      IMO having null credentials mapped to anonymous login is not correct. We
      used to have that in jackrabbit-core for backwards compatibility, but I would
      rather not add this to the SPI.

      angela made changes -
      Resolution Fixed [ 1 ]
      Status Resolved [ 5 ] Reopened [ 4 ]
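
The distinction drawn in the comment above between sections 4.2.2 and 4.2.4, as an added Java sketch that is not part of the original thread or of Jackrabbit's code. The nested types are stand-ins for the javax.jcr classes of the same name, and `resolveUserId` and the `external` supplier are hypothetical names for the login decision and the external authentication mechanism.

```java
import java.security.Principal;
import java.util.Optional;
import java.util.function.Supplier;

// Added illustration; stand-in types keep it compilable without the JCR API jar.
public class NullCredentialsExample {
    interface Credentials {}                                      // stand-in for javax.jcr.Credentials
    static final class GuestCredentials implements Credentials {} // stand-in for javax.jcr.GuestCredentials
    static final class LoginException extends Exception {         // stand-in for javax.jcr.LoginException
        LoginException(String msg) { super(msg); }
    }

    /** Hypothetical resolver: decides which identity a login call maps to. */
    static String resolveUserId(Credentials creds, Supplier<Optional<Principal>> external)
            throws LoginException {
        if (creds instanceof GuestCredentials) {
            return "anonymous";   // 4.2.2: an anonymous session is requested explicitly
        }
        if (creds == null) {
            // 4.2.4: no credentials means "use the already-authenticated user".
            // If there is none, fail closed instead of handing out a guest session.
            return external.get().map(Principal::getName).orElseThrow(
                () -> new LoginException("null credentials and no externally authenticated user"));
        }
        throw new LoginException("unsupported credentials type: " + creds.getClass().getName());
    }

    public static void main(String[] args) throws Exception {
        Principal alice = () -> "alice";   // constructed sample principal
        System.out.println(resolveUserId(new GuestCredentials(), Optional::empty));
        System.out.println(resolveUserId(null, () -> Optional.of(alice)));
        try {
            resolveUserId(null, Optional::empty);
        } catch (LoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```
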
      Michael Dürig added a comment -

      Ack. I wasn't aware of this section. I'll revert the change.

      Michael Dürig committed 1148415 (1 file)
      Reviews: none

      JCR-3021: AbstractRepositoryService.createSessionInfo should handle null credentials

      Michael Dürig added a comment -

      Reverted changes in revision 1148415.

      Michael Dürig made changes -
      Status Reopened [ 4 ] Resolved [ 5 ]
      Resolution Invalid [ 6 ]
      Jukka Zitting made changes -
      Status Resolved [ 5 ] Closed [ 6 ]

        People

        • Assignee:
          Michael Dürig
          Reporter:
          Michael Dürig