jackrabbit-dev mailing list archives

From "Jukka Zitting (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JCR-2358) Prefer JAAS configuration if present
Date Fri, 16 Oct 2009 10:09:33 GMT

    [ https://issues.apache.org/jira/browse/JCR-2358?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12766496#action_12766496

Jukka Zitting commented on JCR-2358:

Disagreed. If someone has explicitly configured some authentication mechanism in repository.xml,
then IMHO the repository should always use that. Enabling JAAS authentication is then as simple
as removing any explicit authentication configuration in repository.xml.

The problem with preferring JAAS over local configuration is that it's notoriously difficult
to get the JAAS configuration exactly right. The JAAS configuration parser has no logging
and will simply ignore a configuration file if it contains even a minor syntax error. This
could easily cause Jackrabbit to fall back to the local configuration and cause all sorts
of security issues. If we don't have that fallback, then a misconfigured or otherwise missing
JAAS configuration is easily detected as the repository can throw an exception and simply
refuse to start up.

> Prefer JAAS configuration if present
> ------------------------------------
>                 Key: JCR-2358
>                 URL: https://issues.apache.org/jira/browse/JCR-2358
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-core
>    Affects Versions: 1.6.0
>            Reporter: Marcel Reutegger
>            Priority: Minor
> Contrary to JavaDoc the AuthContextProvider prefers the local configuration in repository.xml.
> When the class was first introduced in 1.5, the implementation did what was documented, but
> then JCR-1977 was reported. I think we shouldn't have fixed it that way. Preferring JAAS over
> the local configuration makes sense IMO and works well if Configuration.getAppConfigurationEntry()
> is correctly implemented and behaves as specified/expected.
> I suggest we revert to the 1.5 preference sequence and introduce a parameter that instructs
> the AuthContextProvider to ignore the JAAS configuration (as a workaround for the buggy application

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
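
The precedence argued for in the comment above (explicit local configuration wins, otherwise JAAS, and no silent fallback when JAAS is missing), as an added Java example that is not Jackrabbit's AuthContextProvider code. The class `AuthSourceSelector`, the method `select`, the `localConfigured` flag and the application name "Jackrabbit" are assumptions made for illustration.

```java
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/** Added example: fail-closed selection of the authentication source. */
public class AuthSourceSelector {

    enum Source { LOCAL, JAAS }

    /**
     * @param localConfigured true if the repository configuration names an
     *                        explicit login module (hypothetical flag)
     * @param appName         JAAS application name to look up (assumed value)
     */
    static Source select(boolean localConfigured, String appName) {
        if (localConfigured) {
            // Explicit local configuration always wins; JAAS is not consulted.
            return Source.LOCAL;
        }
        AppConfigurationEntry[] entries;
        try {
            entries = Configuration.getConfiguration().getAppConfigurationEntry(appName);
        } catch (SecurityException e) {
            // No JAAS configuration could be loaded at all.
            throw new IllegalStateException("JAAS configuration unavailable", e);
        }
        if (entries == null || entries.length == 0) {
            // No entry for this application: refuse to start rather than fall back.
            throw new IllegalStateException("No JAAS entry for '" + appName + "'");
        }
        return Source.JAAS;
    }

    public static void main(String[] args) {
        // Case 1: local configuration present, JAAS is never looked at.
        System.out.println(select(true, "Jackrabbit"));
        // Case 2: no local configuration, so JAAS must resolve or startup stops.
        try {
            System.out.println(select(false, "Jackrabbit"));
        } catch (IllegalStateException e) {
            System.err.println("Refusing to start: " + e.getMessage());
        }
    }
}
```

Run without a `java.security.auth.login.config` setting, the second call exercises the refuse-to-start path; with a valid login configuration containing the named entry, it selects JAAS.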
