jackrabbit-dev mailing list archives

From "angela (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (JCR-3293) AbstractLoginModule: get rid of trust_credentials_attribute
Date Thu, 07 Nov 2013 13:37:18 GMT

    [ https://issues.apache.org/jira/browse/JCR-3293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13815960#comment-13815960

angela commented on JCR-3293:

Exactly... just a minor detail: I would use repository.login(workspaceName) instead.

Note that the nature of the subject pretty much depends on the setup of the repository, in particular on the access control / permission management. The standard setup requires that the subject of a given session gets the complete set of principals set, which are then used to evaluate the effective permissions. In this situation the principal management (or the internal principal provider) acts as a link between the user on one side and the permission eval on the other.

> AbstractLoginModule: get rid of trust_credentials_attribute
> -----------------------------------------------------------
>                 Key: JCR-3293
>                 URL: https://issues.apache.org/jira/browse/JCR-3293
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-core
>    Affects Versions: 2.4
>            Reporter: angela
> Based on JCR-2355 we added a very simplistic way to indicate to the login module that the given credentials have been preauthenticated. As already stated in the original issue this poses a major security issue as it leaves the repository access untrusted.
> I would like to raise those security concerns again and would therefore like to get rid of that hack in the long run.
> The suggested procedure:
> - deprecate the attribute (immediately)
> - log a warning if it is used (immediately)
> - document how to fix code that is currently relying on that attribute
> - remove support altogether for the next major release

This message was sent by Atlassian JIRA
