You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2011/07/19 17:02:59 UTC
[jira] [Reopened] (JCR-3021)
AbstractRepositoryService.createSessionInfo should handle null credentials
[ https://issues.apache.org/jira/browse/JCR-3021?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
angela reopened JCR-3021:
-------------------------
i am not convinced that this change according to the specification which states:
> 4.2.2 Guest Credentials
> GuestCredentials is used to acquire an anonymous session.
and
> 4.2.4 External Authentication
> By providing a signature of Repository.login that does not require
> Credentials, the content repository allows for authorization and authentication
> to be handled by JAAS (or another external mechanism) if the implementer so
> chooses.
> To use such an external mechanism to create sessions with end-user identity,
> invocations of the Repository.login method that do not specify Credentials
> (i.e., either a null Credentials is passed or a signature without the
> Credentials parameter is used) should obtain the identity of the already-
> authenticated user through that external mechanism.
IMO having null credentials mapped to anonymous login is not correct. we
use to have that in jackrabbit-core for backwards compatibility but i would
rather add this to the SPI.
> AbstractRepositoryService.createSessionInfo should handle null credentials
> --------------------------------------------------------------------------
>
> Key: JCR-3021
> URL: https://issues.apache.org/jira/browse/JCR-3021
> Project: Jackrabbit Content Repository
> Issue Type: Improvement
> Components: jackrabbit-spi-commons
> Affects Versions: 2.3.0
> Reporter: Michael Dürig
> Assignee: Michael Dürig
> Fix For: 2.3.0
>
>
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira