[OAK-7952] JCR System users do no longer consider group ACEs of groups they are member of - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Invalid
Affects Version/s: 1.8.3
Fix Version/s: None
Component/s: core
Labels:
None

Description

In Oak 1.8.3 the JCR system users (~~JCR-3802~~) do no longer consider the access control entries bound to a group principal (belonging to a group they are member of). Only direct ACEs seem to be considered.
I used the attached simple servlet to test read access of an existing service-user "workflow-service". Unfortunately it throws a javax.jcr.PathNotFoundException although the service user should inherit read access to the accessed path via its group membership. It works flawlessly in case the system user has direct read access to that path.

Some more information about SlingRepository.createServiceSession(...). Internally the service user implementation does a lookup of the actual service user name and then does impersonation from a new admin session (https://github.com/apache/sling-org-apache-sling-jcr-base/blob/de884b669836aacb2666da1e7bae1a6735de3bdb/src/main/java/org/apache/sling/jcr/base/AbstractSlingRepository2.java#L197)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

OAK-7952_test-servlet.java
10/Dec/18 12:48
1 kB
Konrad Windszus

Issue Links

relates to

JCR-3802 User Management: API for System Users

Closed

SLING-6963 Service user declaration based on principal names

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Konrad Windszus

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 10/Dec/18 12:47

Updated:: 11/Dec/18 18:22

Resolved:: 11/Dec/18 08:36