Affects Version/s: 2.4
Fix Version/s: None
based on JCR 2355 we added a very simplistic way to indicate to the login module that the given credentials have
been preauthenticated. as already stated in the original issue this poses a major security issue as it leaves the
repository access untrusted.
i would like to raise those security concern again and would therefore like to get rid of that hack in the long run.
the suggested procedure:
- deprecate the attribute (immediately)
- log a warning if it is used (immediately)
- document how to fix code that is currently relying on that attribute
- remove support altogether for the next major release