Uploaded image for project: 'Jackrabbit Content Repository'
  1. Jackrabbit Content Repository
  2. JCR-3718

Inconsistent Principal Validation between API and Import behavior

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.7.3
    • Fix Version/s: 2.7.4
    • Component/s: security
    • Labels:
      None

      Description

      the JCR access control management mandates that adding a new ACE includes validating if the specified principal is known to the repository.

      however, the ac-importer in jackrabbit is more relaxed with validation and allows to create ACE even for unknown principals. this basically leaves us with an inconsistent behavior between xml-import and calls to ac-management API directly.

      also note, that principal validation is only done when applying and ACL via API but not when removing a principal.

      in order to fix that i would suggest the following approach:

      • add a new configuration parameter to the ACLProvider: "allow-unknown-principals"
      • make the import behavior independent of the principal manager
      • respect this configuration when checking the ACL templates

      this will change the default behavior of the XML import of access controlled content. as this is a problem for backward compatibility, we additionally add a "importBehavior" property to the ACL importer that has a default "besteffort" import mode where the principals check is bypassed (as in the current implementation)

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                tripod Tobias Bocanegra
                Reporter:
                tripod Tobias Bocanegra
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: