  1. Jackrabbit Oak
  2. OAK-7952

JCR System users no longer consider group ACEs of groups they are a member of


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 1.8.3
    • Fix Version/s: None
    • Component/s: core
    • Labels: None

    Description

      In Oak 1.8.3 the JCR system users (JCR-3802) no longer consider the access control entries bound to a group principal (belonging to a group they are a member of). Only direct ACEs seem to be considered.
      I used the attached simple servlet to test read access of an existing service-user "workflow-service". Unfortunately it throws a javax.jcr.PathNotFoundException although the service user should inherit read access to the accessed path via its group membership. It works flawlessly in case the system user has direct read access to that path.

      Some more information about SlingRepository.createServiceSession(...). Internally the service user implementation does a lookup of the actual service user name and then does impersonation from a new admin session (https://github.com/apache/sling-org-apache-sling-jcr-base/blob/de884b669836aacb2666da1e7bae1a6735de3bdb/src/main/java/org/apache/sling/jcr/base/AbstractSlingRepository2.java#L197)
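
      A diagnostic for the situation described above, added here as an example (it is not the attached servlet and not code from Oak or Sling). It compares what the ACEs grant to the system user's own principal, what they grant once its group principals are included, and what the service session actually sees. The class name, method name and parameters are hypothetical; it assumes both sessions are Oak `JackrabbitSession`s and that `admin` may read users and access control content.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import java.util.TreeSet;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
import org.apache.jackrabbit.api.security.user.Authorizable;

/** Hypothetical diagnostic helper (added example, not part of Oak or Sling). */
public final class GroupAceCheck {

    /**
     * @param admin   session that can read users and access control content
     * @param service session of the system user under test,
     *                e.g. obtained via SlingRepository.loginService(...)
     */
    public static String report(Session admin, Session service, String userId, String path)
            throws RepositoryException {
        JackrabbitSession js = (JackrabbitSession) admin;
        Authorizable user = js.getUserManager().getAuthorizable(userId);
        if (user == null) {
            return "no such user: " + userId;
        }
        // Principal set containing only the system user itself.
        Set<Principal> direct = new HashSet<>();
        direct.add(user.getPrincipal());
        // Same set plus every group principal (direct or inherited membership).
        Set<Principal> withGroups = new HashSet<>(direct);
        PrincipalIterator groups = js.getPrincipalManager().getGroupMembership(user.getPrincipal());
        while (groups.hasNext()) {
            withGroups.add(groups.nextPrincipal());
        }
        Set<String> names = new TreeSet<>();
        for (Principal p : withGroups) {
            names.add(p.getName());
        }
        JackrabbitAccessControlManager acm =
                (JackrabbitAccessControlManager) admin.getAccessControlManager();
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        return "principals=" + names
                + " readViaOwnPrincipal=" + acm.hasPrivileges(path, direct, read)
                + " readViaOwnAndGroupPrincipals=" + acm.hasPrivileges(path, withGroups, read)
                + " serviceSessionSeesNode=" + service.nodeExists(path);
    }
}
```

      If `readViaOwnAndGroupPrincipals` is false, the group ACE does not grant read at that path and the access control setup is the place to look; if it is true while `serviceSessionSeesNode` is false, the next thing to check is which principals the service session was actually created with.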


          People

            Assignee: Unassigned
            Reporter: Konrad Windszus (kwin)