Posted to dev@sling.apache.org by "Ilyas Türkben (JIRA)" <ji...@apache.org> on 2014/06/03 15:24:01 UTC

[jira] [Created] (SLING-3633) Sling uses wrong value for Principal object

Ilyas Türkben created SLING-3633:
------------------------------------

             Summary: Sling uses wrong value for Principal object
                 Key: SLING-3633
                 URL: https://issues.apache.org/jira/browse/SLING-3633
             Project: Sling
          Issue Type: Bug
          Components: Authentication
            Reporter: Ilyas Türkben


Sling uses resolver.getUserID() to set HttpContext.REMOTE_USER on the request object, which is later used to instantiate the Principal object.

Sling should use the rep:principalName instead of resolver.getUserID().

{code:java}
 // org.apache.sling.auth.core.impl.SlingAuthenticator.java
    /**
     * Sets the request attributes required by the OSGi HttpContext interface
     * specification for the <code>handleSecurity</code> method. In addition the
     * {@link SlingAuthenticator#REQUEST_ATTRIBUTE_RESOLVER} request attribute
     * is set to the ResourceResolver.
     */
    private void setAttributes(final ResourceResolver resolver, final String authType,
            final HttpServletRequest request) {

        // HttpService API required attributes
        request.setAttribute(HttpContext.REMOTE_USER, resolver.getUserID());
        request.setAttribute(HttpContext.AUTHENTICATION_TYPE, authType);

        // resource resolver for down-stream use
        request.setAttribute(REQUEST_ATTRIBUTE_RESOLVER, resolver);

        log.debug(
            "setAttributes: ResourceResolver stored as request attribute: user={}",
            resolver.getUserID());
    }
{code}

Below, *jrAuthorizable is NULL* when the userID (node name) is not equal to the rep:principalName property. This is sample code to reproduce the issue in a servlet.
{code:java}
      // request is the SlingHttpServletRequest; the Principal name is the value stored as HttpContext.REMOTE_USER
      final Principal principal = request.getUserPrincipal();
      final org.apache.jackrabbit.api.security.user.UserManager jrUserManager = request.getResourceResolver().adaptTo(org.apache.jackrabbit.api.security.user.UserManager.class);
      // returns null when the Principal name (userID) does not match the user's rep:principalName
      final org.apache.jackrabbit.api.security.user.Authorizable jrAuthorizable = jrUserManager.getAuthorizable(principal);
{code}


Basically, to reproduce the issue: create a user, change its rep:principalName, log in with the userID, and use the API to get an Authorizable object using request.getUserPrincipal().



--
This message was sent by Atlassian JIRA
(v6.2#6252)
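As an added illustration of the proposed change (not code from the Sling project or from the reporter), the following hypothetical helper resolves the user's rep:principalName through the Jackrabbit UserManager so that it can be stored as HttpContext.REMOTE_USER in place of resolver.getUserID(); the class and method names are assumptions.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.ResourceResolver;

/**
 * Added example, not Sling's own code: derives the value to expose as
 * HttpContext.REMOTE_USER from the user's rep:principalName instead of
 * ResourceResolver.getUserID(), so that a later
 * UserManager.getAuthorizable(request.getUserPrincipal()) finds the user
 * even when the user ID (node name) and rep:principalName differ.
 * Class and method names are hypothetical.
 */
public final class PrincipalNameResolver {

    private PrincipalNameResolver() {}

    /**
     * Returns the principal name of the user the resolver is bound to, falling
     * back to the user ID when the user cannot be looked up (for example when
     * the resolver cannot be adapted to a UserManager).
     */
    public static String resolvePrincipalName(final ResourceResolver resolver) {
        final String userId = resolver.getUserID();
        if (userId == null) {
            return null;
        }
        final UserManager userManager = resolver.adaptTo(UserManager.class);
        if (userManager == null) {
            return userId;
        }
        try {
            // Look the user up by ID (node name), which is what getUserID() returns;
            // lookup by ID is unaffected by a changed rep:principalName.
            final Authorizable authorizable = userManager.getAuthorizable(userId);
            if (authorizable == null) {
                return userId;
            }
            // Authorizable.getPrincipal().getName() yields the rep:principalName value.
            final Principal principal = authorizable.getPrincipal();
            return principal != null ? principal.getName() : userId;
        } catch (RepositoryException e) {
            // Keep the current behaviour rather than break authentication on a lookup error.
            return userId;
        }
    }
}
```

With this helper, the setAttributes call shown in the issue would store PrincipalNameResolver.resolvePrincipalName(resolver) as HttpContext.REMOTE_USER, and the servlet reproducer's getAuthorizable(principal) would then resolve the user.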