jackrabbit-dev mailing list archives

From "angela (JIRA)" <j...@apache.org>
Subject [jira] [Issue Comment Edited] (JCR-3021) AbstractRepositoryService.createSessionInfo should handle null credentials
Date Tue, 19 Jul 2011 15:46:57 GMT

    [ https://issues.apache.org/jira/browse/JCR-3021?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13067771#comment-13067771 ]

angela edited comment on JCR-3021 at 7/19/11 3:45 PM:
------------------------------------------------------

I am not convinced that this change is according to the specification, which states:

> 4.2.2 Guest Credentials 
> GuestCredentials is used to acquire an anonymous session. 

and

> 4.2.4 External Authentication 
> By providing a signature of Repository.login that does not require 
> Credentials, the content repository allows for authorization and authentication 
> to be handled by JAAS (or another external mechanism) if the implementer so 
> chooses. 
> To use such an external mechanism to create sessions with end-user identity, 
> invocations of the Repository.login method that do not specify Credentials 
> (i.e., either a null Credentials is passed or a signature without the 
> Credentials parameter is used) should obtain the identity of the
> already-authenticated user through that external mechanism.

IMO having null credentials mapped to anonymous login is not correct. We
used to have that in jackrabbit-core for backwards compatibility, but I would
rather not add this to the SPI.

      was (Author: anchela):
I am not convinced that this change is according to the specification, which states:

> 4.2.2 Guest Credentials 
> GuestCredentials is used to acquire an anonymous session. 

and

> 4.2.4 External Authentication 
> By providing a signature of Repository.login that does not require 
> Credentials, the content repository allows for authorization and authentication 
> to be handled by JAAS (or another external mechanism) if the implementer so 
> chooses. 
> To use such an external mechanism to create sessions with end-user identity, 
> invocations of the Repository.login method that do not specify Credentials 
> (i.e., either a null Credentials is passed or a signature without the 
> Credentials parameter is used) should obtain the identity of the
> already-authenticated user through that external mechanism.

IMO having null credentials mapped to anonymous login is not correct. We
used to have that in jackrabbit-core for backwards compatibility, but I would
rather add this to the SPI.
  
> AbstractRepositoryService.createSessionInfo should handle null credentials
> --------------------------------------------------------------------------
>
>                 Key: JCR-3021
>                 URL: https://issues.apache.org/jira/browse/JCR-3021
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-spi-commons
>    Affects Versions: 2.3.0
>            Reporter: Michael Dürig
>            Assignee: Michael Dürig
>             Fix For: 2.3.0
>
>


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
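
The distinction the comment draws between GuestCredentials (4.2.2) and null credentials (4.2.4), as an added Java example that is not part of the original message and is not Jackrabbit code. `LoginIdentityResolver`, `resolveUserId`, the `"anonymous"` id and handing the external `Subject` in as a parameter are assumptions; it needs the JCR API (javax.jcr, 2.0 or later) on the classpath.

```java
import java.security.Principal;
import java.util.Set;
import javax.jcr.Credentials;
import javax.jcr.GuestCredentials;
import javax.jcr.LoginException;
import javax.jcr.SimpleCredentials;
import javax.security.auth.Subject;

/** Hypothetical helper (not Jackrabbit code): picks the user id for a login call. */
public final class LoginIdentityResolver {

    // Assumed id of the anonymous user; a real repository makes this configurable.
    static final String ANONYMOUS_ID = "anonymous";

    /**
     * externalSubject: Subject set up by JAAS or another external mechanism before
     * the call, or null (assumption: the caller looks it up and hands it in).
     */
    static String resolveUserId(Credentials credentials, Subject externalSubject)
            throws LoginException {
        if (credentials instanceof GuestCredentials) {
            return ANONYMOUS_ID; // 4.2.2: the explicit request for an anonymous session
        }
        if (credentials instanceof SimpleCredentials) {
            // Password verification is out of scope; only the claimed id is returned.
            return ((SimpleCredentials) credentials).getUserID();
        }
        if (credentials != null) {
            throw new LoginException("unsupported credentials type");
        }
        // 4.2.4: null credentials mean "use the already-authenticated identity".
        Set<Principal> principals =
                externalSubject == null ? Set.of() : externalSubject.getPrincipals();
        if (principals.size() != 1) {
            // Simplification: exactly one principal is expected. With none, fail
            // closed rather than silently handing out an anonymous session.
            throw new LoginException("null credentials and no single external principal");
        }
        return principals.iterator().next().getName();
    }

    public static void main(String[] args) throws LoginException {
        Principal alice = () -> "alice"; // constructed sample identity
        Subject subject = new Subject(true, Set.of(alice), Set.of(), Set.of());
        System.out.println(resolveUserId(new GuestCredentials(), null)); // explicit guest
        System.out.println(resolveUserId(null, subject)); // external identity
        resolveUserId(null, null); // neither credentials nor external identity
    }
}
```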

       
