Jackrabbit Oak: OAK-8763

LoginContextProviderImpl uses any subject found in the AccessControlContext.


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Invalid
    • Component: security-spi

    Description

      LoginContextProviderImpl#getLoginContext(...) extracts the most recent subject from the AccessControlContext and then uses it for either a PreAuthContext or a JaasLoginContext. This is wrong, because there is no reason to assume that such a subject has anything to do with Oak. It particularly hurts when the subject is read-only, because JAAS will then silently fail to add principals and credentials.
      We would need a way to identify pre-authenticated subjects; subjects that are not pre-authenticated should not be used to create a JaasLoginContext.
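      The following is an added illustration of the mechanism the description refers to; it is not Oak code and does not reproduce LoginContextProviderImpl. It binds a read-only Subject from a hypothetical unrelated component with Subject.doAs, then shows what login code sees when it simply reuses whatever Subject.getSubject(AccessController.getContext()) returns: an unrelated subject, and one that rejects any attempt to add principals. The class and principal names are constructed for the example.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

/**
 * Added illustration (not Oak code): what happens when login code reuses
 * whatever Subject is currently bound to the AccessControlContext.
 */
public class InheritedSubjectDemo {

    // Constructed principal type; stands in for any component's principal.
    static final class ComponentPrincipal implements Principal {
        private final String name;
        ComponentPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "ComponentPrincipal[" + name + "]"; }
    }

    // Mimics the questionable step: take the subject found in the current
    // context instead of a subject known to belong to this login attempt.
    static String loginUsingContextSubject(String userId) {
        Subject found = Subject.getSubject(AccessController.getContext());
        if (found == null) {
            return "no subject bound in context; a fresh Subject would be created";
        }
        try {
            // A JAAS LoginModule's commit() phase does essentially this.
            found.getPrincipals().add(new ComponentPrincipal(userId));
            return "principal for " + userId + " added to inherited subject: " + found.getPrincipals();
        } catch (IllegalStateException e) {
            // Subject.setReadOnly() makes the principal and credential sets reject modification.
            return "inherited subject is read-only; principal for " + userId + " was NOT added";
        }
    }

    public static void main(String[] args) {
        // Constructed: an unrelated component binds its own subject and marks it read-only.
        Subject unrelated = new Subject();
        unrelated.getPrincipals().add(new ComponentPrincipal("some-other-component"));
        unrelated.setReadOnly();

        // Inside doAs, the unrelated subject is what getSubject(...) returns.
        String inside = Subject.doAs(unrelated,
                (PrivilegedAction<String>) () -> loginUsingContextSubject("repository-user"));
        System.out.println(inside);

        // Outside doAs, nothing is bound and the login would have to create its own subject.
        System.out.println(loginUsingContextSubject("repository-user"));
    }
}
```

      Running the class prints the read-only refusal for the first call and the "no subject bound" branch for the second. The defensive takeaway matches the description: a subject taken from the call context must be recognisably pre-authenticated before it is reused, otherwise the login should build its own Subject.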

      Attachments

        1. OAK-8763.patch (1 kB, Manfred Baedke)
        2. OAK-8763-tests.patch (3 kB, Manfred Baedke)

      People

        angela: Angela Schreiber
        baedke: Manfred Baedke
