Date: Wed, 2 May 2018 10:08:00 +0000 (UTC)
From: "Carsten Ziegeler (JIRA)"
To: dev@sling.apache.org
Subject: [jira] [Updated] (SLING-3524) ResourceResolver.clone(null) should not share the same JCR session

     [ https://issues.apache.org/jira/browse/SLING-3524?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler updated SLING-3524:
------------------------------------
    Component/s: API

> ResourceResolver.clone(null) should not share the same JCR session
> ------------------------------------------------------------------
>
>                 Key: SLING-3524
>                 URL: https://issues.apache.org/jira/browse/SLING-3524
>             Project: Sling
>          Issue Type: Improvement
>          Components: API, JCR, ResourceResolver
>    Affects Versions: Resource Resolver 1.0.6
>            Reporter: Alexander Klimetschek
>            Priority: Major
>             Fix For: API 2.18.2, JCR Resource 3.0.10, Resource Resolver 1.6.2
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> {{ResourceResolver.clone()}} will reuse the same JCR session in case it was created by passing an existing session using {{JcrResourceConstants.AUTHENTICATION_INFO_SESSION}}. If you need a clone of the resource resolver to pass into a new, separate thread, and use {{ResourceResolver.clone(null)}}, you will actually share the session, but this is not obvious. The problem is that a JCR session cannot be shared across threads.
> The javadocs of clone() say "the same credential data is used as was used to create this instance".
> There are a few problems with this:
> - seeing the session object itself as "credential data" is unintuitive
> - in my code, I have no idea what the original credential data was, so I don't know what kind of credential data it was to make the right decision
> - since sharing a JCR session is to be avoided at all times, the resource resolver should prevent one from this
> A solution would be if a plain {{ResourceResolver.clone(null)}} would return a session that impersonated itself, abstracting this from the resource resolver user. Additionally, it might be worth looking that clone always returns a new session, unless specifically stated.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
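A defensive check for the situation the issue describes, as an added example that is not part of the original message or of the Sling code base: before handing a cloned resolver to another thread, confirm that it is not backed by the same JCR session object as the original. The class and method names are hypothetical; the code assumes a JCR-backed resolver for which adaptTo(Session.class) returns the underlying session.

```java
import javax.jcr.Session;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;

/** Hypothetical helper (not Sling code): clone a resolver for use in another thread. */
public final class ResolverHandoff {

    private ResolverHandoff() {
    }

    /**
     * Clones the resolver with clone(null) and rejects the clone if it turns
     * out to be backed by the very same JCR session as the original.
     */
    public static ResourceResolver cloneForOtherThread(ResourceResolver original)
            throws LoginException {
        ResourceResolver clone = original.clone(null);

        // Assumption: adaptTo(Session.class) exposes the underlying JCR session,
        // or returns null when the resolver is not JCR-backed.
        Session originalSession = original.adaptTo(Session.class);
        Session cloneSession = clone.adaptTo(Session.class);

        // Identity comparison on purpose: the case from SLING-3524 is the same
        // Session object being reused, not two sessions for the same user.
        if (originalSession != null && originalSession == cloneSession) {
            // Assumption: closing a resolver that was created from a
            // caller-supplied session does not log that session out.
            clone.close();
            throw new IllegalStateException(
                "clone(null) returned a resolver sharing the original JCR session; "
                + "it must not be used from another thread");
        }
        return clone;
    }
}
```

The caller remains responsible for closing the returned resolver in the thread that uses it.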