Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 2.4
- None
- None
Description
Based on JCR-2355 we added a very simplistic way to indicate to the login module that the given credentials have been preauthenticated. As already stated in the original issue, this poses a major security issue as it leaves the repository access untrusted.
I would like to raise those security concerns again and would therefore like to get rid of that hack in the long run.
The suggested procedure:
- deprecate the attribute (immediately)
- log a warning if it is used (immediately)
- document how to fix code that is currently relying on that attribute
- remove support altogether for the next major release