Sling / SLING-4624

Implement Subject-Support for Events, Preprocessors and Jobs

Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: Resource Resolver 1.2.4
    • Fix Version/s: None
    • Component/s: ResourceResolver
    • Labels: None

    Description

      When processing events or jobs, the corresponding session that triggered the event is usually lost. This leads to event handlers and job processors often using administrative sessions to do their work. As per the effort of eliminating all loginAdministrative use, there must be an alternative solution. The preferred approach to solve this problem:

      • Pass a serialization of the event-causing Subject in the event payload, and create a ResourceResolver based on that subject (e.g. using JAAS doAsPrivileged in the ResourceResolverFactory).
        • Pros: "Clean" implementation from a security POV. Avoids re-authentication. Operates with the original privileges. Security relevant code transparent to the consumer of the event.
        • Cons: Needs refactoring. Security relevant code transparent to the consumer of the event (might also lead to problems).

      The above approach is currently only partially implementable, as repository events may be swallowed due to Oak compressing commits upon encountering certain loads, thus eliminating particular events or aggregating an event under a different user than the "sub-event".

            People

              Assignee: Unassigned
              Reporter: Dominique Jäggi (dominique.jaeggi)