jackrabbit-dev mailing list archives

From "Alexander Klimetschek (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JCR-2355) Support easy pre-authenticated login
Date Thu, 15 Oct 2009 11:12:32 GMT

[ https://issues.apache.org/jira/browse/JCR-2355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12766015#action_12766015 ]

Alexander Klimetschek commented on JCR-2355:
--------------------------------------------

Ahem, this can be a security breach! This attribute "trust_credentials_attribute" on SimpleCredentials
basically works as a (very simple) master password. Hence this patch implicitly trusts the
calling code, but if the repository is available e.g. via RMI, anyone could connect to it and
log in as any user, because that attribute can be set over RMI (afaik).

A big -1. It should rather be easy to write a special login module that can be set by configuration
and handles SSO things and co.



> Support easy pre-authenticated login
> ------------------------------------
>
>                 Key: JCR-2355
>                 URL: https://issues.apache.org/jira/browse/JCR-2355
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-core
>    Affects Versions: 2.0-alpha11
>            Reporter: Felix Meschberger
>             Fix For: 2.0-alpha12
>
>         Attachments: JCR-2355.patch
>
>
> Some applications authenticate users themselves and just need to access the repository
> on behalf of these pre-authenticated users.
> Examples of such pre-authentications include SSO solutions or web applications using
> a web-based authentication protocol not easily implementable in a JAAS LoginModule, for example
> OpenID or similar.
> In such situations a password may not be provided in SimpleCredentials and thus regular
> login with user name and password is not possible.
> Therefore I propose the enhancement of the AbstractLoginModule to allow for setting a
> specific attribute in the SimpleCredentials attribute map. If this attribute is set, authentication
> and login succeed and a session for the user named in the SimpleCredentials is created.
> As a starter we might just check for the presence of the attribute.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
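An added illustration of the concern raised in the comment above (this is constructed example code, not Jackrabbit code or the attached patch): the proposed presence-only check on the SimpleCredentials attribute, beside a variant that honours the attribute only when it carries a token issued by server-side code after the user was really authenticated. The class name, the HMAC token scheme and the server secret are assumptions; javax.jcr.SimpleCredentials needs the JCR API jar on the classpath.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.jcr.SimpleCredentials;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Constructed model of the two policies argued over in JCR-2355; not Jackrabbit code.
public class PreAuthCheck {
    // Attribute name as quoted in the comment.
    static final String TRUST_ATTR = "trust_credentials_attribute";

    // Proposed check: mere presence of the attribute bypasses password verification.
    // Any caller able to construct SimpleCredentials (e.g. an RMI client) can set it.
    static boolean weakIsPreAuthenticated(SimpleCredentials creds) {
        return creds.getAttribute(TRUST_ATTR) != null;
    }

    // Hardened variant in the spirit of the -1: honour the attribute only if it carries a
    // token bound to the user id with a secret that never leaves the server (assumed scheme).
    static boolean hardenedIsPreAuthenticated(SimpleCredentials creds, byte[] serverSecret) throws Exception {
        Object attr = creds.getAttribute(TRUST_ATTR);
        if (!(attr instanceof byte[])) {
            return false;            // absent or wrong type: fall back to password login
        }
        byte[] expected = issueToken(creds.getUserID(), serverSecret);
        return MessageDigest.isEqual(expected, (byte[]) attr); // constant-time comparison
    }

    // Token the server-side SSO integration would issue after it authenticated the user itself.
    static byte[] issueToken(String userId, byte[] serverSecret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(serverSecret, "HmacSHA256"));
        return mac.doFinal(userId.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] serverSecret = "constructed-server-secret".getBytes(StandardCharsets.UTF_8);
        // Credentials a remote caller could build: no password, attribute set to any value.
        SimpleCredentials forged = new SimpleCredentials("admin", new char[0]);
        forged.setAttribute(TRUST_ATTR, "anything");
        System.out.println("weak accepts forged:     " + weakIsPreAuthenticated(forged));
        System.out.println("hardened accepts forged: " + hardenedIsPreAuthenticated(forged, serverSecret));
        // Credentials carrying a token issued server-side after real SSO authentication.
        SimpleCredentials sso = new SimpleCredentials("admin", new char[0]);
        sso.setAttribute(TRUST_ATTR, issueToken("admin", serverSecret));
        System.out.println("hardened accepts SSO:    " + hardenedIsPreAuthenticated(sso, serverSecret));
    }
}
```

The hardened check only moves the trust boundary to whoever holds the server secret; the configured SSO login module must still be the only code that calls issueToken.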

