You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Ilyas Türkben (JIRA)" <ji...@apache.org> on 2014/06/03 15:24:01 UTC
[jira] [Created] (SLING-3633) Sling uses wrong value for Principal
object
Ilyas Türkben created SLING-3633:
------------------------------------
Summary: Sling uses wrong value for Principal object
Key: SLING-3633
URL: https://issues.apache.org/jira/browse/SLING-3633
Project: Sling
Issue Type: Bug
Components: Authentication
Reporter: Ilyas Türkben
Sling uses resolver.getUserID() to set the HttpContext.REMOTE_USER on the request object which used later to the instantiation of the Principal object.
Sling should use the rep:principalName instead of resolver.getUserID().
{code:java}
// org.apache.sling.auth.core.impl.SlingAuthenticator.java
/**
* Sets the request attributes required by the OSGi HttpContext interface
* specification for the <code>handleSecurity</code> method. In addition the
* {@link SlingAuthenticator#REQUEST_ATTRIBUTE_RESOLVER} request attribute
* is set to the ResourceResolver.
*/
private void setAttributes(final ResourceResolver resolver, final String authType,
final HttpServletRequest request) {
// HttpService API required attributes
request.setAttribute(HttpContext.REMOTE_USER, resolver.getUserID());
request.setAttribute(HttpContext.AUTHENTICATION_TYPE, authType);
// resource resolver for down-stream use
request.setAttribute(REQUEST_ATTRIBUTE_RESOLVER, resolver);
log.debug(
"setAttributes: ResourceResolver stored as request attribute: user={}",
resolver.getUserID());
}
{code}
Below *jrAuthorizable is NULL* when the userID(node name) is not equals to rep:principalName property. This is a sample code to reproduce the issue in a servlet.
{code:java}
final Principal principal = request.getUserPrincipal();
final org.apache.jackrabbit.api.security.user.UserManager jrUserManager = request.getResourceResolver().adaptTo(org.apache.jackrabbit.api.security.user.UserManager.class);
final org.apache.jackrabbit.api.security.user.Authorizable jrAuthorizable = jrUserManager.getAuthorizable(principal);
{code}
Basically to reproduce the issue, create a user, change the rep:principalName, login with the userID, use the api to get a Authorizable object with using the request.getUserPrincipal();
--
This message was sent by Atlassian JIRA
(v6.2#6252)