[JCR-3293] AbstractLoginModule: get rid of trust_credentials_attribute - ASF JIRA

Attach files

Attach Screenshot

Add vote

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 2.4
Fix Version/s: None
Component/s: jackrabbit-core
Labels:
None

Description

based on ~~JCR-2355~~ we added a very simplistic way to indicate to the login module that the given credentials have
been preauthenticated. as already stated in the original issue this poses a major security issue as it leaves the
repository access untrusted.

i would like to raise those security concern again and would therefore like to get rid of that hack in the long run.
the suggested procedure:

deprecate the attribute (immediately)
log a warning if it is used (immediately)
document how to fix code that is currently relying on that attribute
remove support altogether for the next major release

Attachments

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Unassigned

Reporter:: Angela Schreiber

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 17/Apr/12 08:05

Updated:: 01/Sep/14 02:39

Agile

View on Board

AbstractLoginModule: get rid of trust_credentials_attribute

Details

Description

Attachments

Attachments

Activity

People

Dates

Agile

Slack

Issue deployment