Uploaded image for project: 'Jackrabbit Oak'
  1. Jackrabbit Oak
  2. OAK-1350

Inconsistent Principal Validation between API and Import behavior

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 0.16
    • core, jcr
    • None

    Description

      the JCR access control management mandates that adding a new ACE includes validating if the specified principal is known to the repository.

      however, the ac-imported in jackrabbit and oak is more relaxed wrt that validation and allows to create ACE even for unknown principals. this basically leaves us with an inconsistent behavior between xml-import and calls to ac-management API directly.

      in order to fix that i would suggest the following approach:

      • make the import behavior configurable with the flags defined by o.a.j.oak.spi.xml.ImportBehavior
      • apply the same login when validating a new ACE created by calling the regular JCR API
      • change the default behavior in the importer to match the behavior required by the specification (would be ABORT, currently is BESTEFFORT).

      i will adjust the test-cases accordingly and update the documentation.
      as far as our adobe products are concerned i will makes sure the configuration is still set to BESTEFFORT.

      Attachments

        Issue Links

          is required by

          Improvement - An improvement or enhancement to an existing feature or task. JCRVLT-25 Implement AccessControllHandling MERGE and MERGE_PRESERVE

          • Major - Major loss of function.
          • Closed

          Activity

            People

              angela Angela Schreiber
              angela Angela Schreiber
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: