Details
Bug
Status: Closed
Major
Resolution: Fixed
Engine 2.3.2
Description
Sling uses resolver.getUserID() to set HttpContext.REMOTE_USER on the request object, and that value is later used to instantiate the Principal object.
Sling should use the rep:principalName instead of resolver.getUserID().
// org.apache.sling.auth.core.impl.SlingAuthenticator
/**
 * Sets the request attributes required by the OSGi HttpContext interface
 * specification for the <code>handleSecurity</code> method. In addition the
 * {@link SlingAuthenticator#REQUEST_ATTRIBUTE_RESOLVER} request attribute
 * is set to the ResourceResolver.
 */
private void setAttributes(final ResourceResolver resolver, final String authType,
        final HttpServletRequest request) {
    // HttpService API required attributes
    request.setAttribute(HttpContext.REMOTE_USER, resolver.getUserID());
    request.setAttribute(HttpContext.AUTHENTICATION_TYPE, authType);

    // resource resolver for down-stream use
    request.setAttribute(REQUEST_ATTRIBUTE_RESOLVER, resolver);

    log.debug("setAttributes: ResourceResolver stored as request attribute: user={}",
        resolver.getUserID());
}
In the code below, jrAuthorizable is null whenever the userID (the user node name) is not equal to the user's rep:principalName property, because UserManager.getAuthorizable(Principal) looks the user up by principal name while the Principal built from REMOTE_USER carries the user ID. This is sample code that reproduces the issue in a servlet.
final Principal principal = request.getUserPrincipal();
final org.apache.jackrabbit.api.security.user.UserManager jrUserManager =
    request.getResourceResolver().adaptTo(org.apache.jackrabbit.api.security.user.UserManager.class);
// returns null when rep:principalName differs from the user ID
final org.apache.jackrabbit.api.security.user.Authorizable jrAuthorizable =
    jrUserManager.getAuthorizable(principal);
To reproduce the issue: create a user, change its rep:principalName so that it differs from the user ID, log in with the userID, and then use the API to obtain an Authorizable object from request.getUserPrincipal().
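As an added example (not code from Sling or from the reporter), the following servlet-side helper resolves the Authorizable by the user ID that REMOTE_USER actually carries, falling back to the Principal lookup, and reports when the request's Principal name disagrees with the stored rep:principalName; the class name AuthorizableLookup is hypothetical.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.ResourceResolver;

public final class AuthorizableLookup {

    private AuthorizableLookup() {}

    /**
     * Resolves the Authorizable of the current request without assuming that
     * REMOTE_USER (and hence the Principal name) equals rep:principalName.
     * Returns null for unauthenticated requests or non-JCR resolvers.
     */
    public static Authorizable lookup(final SlingHttpServletRequest request)
            throws RepositoryException {
        final ResourceResolver resolver = request.getResourceResolver();
        final UserManager userManager = resolver.adaptTo(UserManager.class);
        if (userManager == null) {
            return null; // resolver is not backed by a JCR session
        }
        // 1) Look up by user ID: in the affected version REMOTE_USER is the
        //    node name, which is what getAuthorizable(String) matches on.
        final String userId = resolver.getUserID();
        final Authorizable byId = userId == null ? null : userManager.getAuthorizable(userId);
        if (byId != null) {
            return byId;
        }
        // 2) Fall back to the Principal lookup, which matches rep:principalName.
        final Principal principal = request.getUserPrincipal();
        return principal == null ? null : userManager.getAuthorizable(principal);
    }

    /** True when the Principal exposed on the request does not carry the user's real principal name. */
    public static boolean principalNameMismatch(final SlingHttpServletRequest request)
            throws RepositoryException {
        final Authorizable authorizable = lookup(request);
        final Principal requestPrincipal = request.getUserPrincipal();
        if (authorizable == null || requestPrincipal == null) {
            return false;
        }
        // authorizable.getPrincipal() reflects rep:principalName, not the node name
        return !authorizable.getPrincipal().getName().equals(requestPrincipal.getName());
    }
}
```

Any code that feeds request.getUserPrincipal() into a principal-based ACL or group check should be reviewed with principalNameMismatch in mind, since a mismatch means the check is evaluating a name that no authorizable has.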