You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Marius Petria (JIRA)" <ji...@apache.org> on 2015/11/02 15:02:27 UTC
[jira] [Comment Edited] (SLING-5006) Allow to enable the usage of
regular JCR users for service resolvers
[ https://issues.apache.org/jira/browse/SLING-5006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14985225#comment-14985225 ]
Marius Petria edited comment on SLING-5006 at 11/2/15 2:02 PM:
---------------------------------------------------------------
As the validators are invoked everytime a mapping is requested, I think at least in theory they can be dynamic so there is no guarantee that a mapping won't switch from valid to invalid or viceversa even if the validator stays the same. So maybe services should not be informed about this, they will just start to fail for subsequent mapping requests. EDIT: On the other hand the "dynamic" service validator is an extreme case, so I think restarting everything on a validator change is OK.
was (Author: mpetria):
As the validators are invoked everytime a mapping is requested, I think at least in theory they can be dynamic so there is no guarantee that a mapping won't switch from valid to invalid or viceversa even if the validator stays the same. So basically I do not think that services should be informed about this, they will just start to fail for subsequent mapping requests.
> Allow to enable the usage of regular JCR users for service resolvers
> --------------------------------------------------------------------
>
> Key: SLING-5006
> URL: https://issues.apache.org/jira/browse/SLING-5006
> Project: Sling
> Issue Type: Improvement
> Components: Service User Mapper
> Affects Versions: Service User Mapper 1.2.0, JCR Resource 2.5.6
> Reporter: Konrad Windszus
> Assignee: Konrad Windszus
> Fix For: Service User Mapper 1.2.2, JCR Resource 2.6.0
>
> Attachments: SLING-5006-serviceusermapper-v01.diff, SLING-5006-uservalidator-v01.diff
>
>
> With SLING-3854 a {{ServiceUserValidator}} interface was introduced. Basically all OSGi services implementing that interface may decide whether certain users can be used as backing user for a call to {{ResourceResolverFactory.getServiceResolver(...)}}. The only implementation of that in Sling is {{JcrSystemUserValidator}} which only allows to use JCR system users.
> The list of all those services is bound in the {{ServiceUserMapperImpl}} dynamically.
> If you for example want to use that service to relax the policy being introduced with SLING-3854 (to e.g. allow all users as service users) you may register your own service just returning {{true}} for all users in the only method {{isValid}}. Unfortunately you don't know when your {{ServiceUserValidator}} service is bound (due to the dynamic restart behaviour of services). Therefore other services cannot rely on the fact that your own {{ServiceUserValidator}} is being available at a certain point in time and therefore their call to {{ResourceResolverFactory.getServiceResolver(...)}} may fail, if they rely on a non-System JCR user. Therefore this mechanism is not suitable to disable the enforcing of JCR system users.
> Instead I would propose the following:
> # allow to configure the {{JcrSystemUserValidator}} via an OSGi property named {{allowOnlySystemUsers}} which by default should be {{true}}.
> # within the method {{JcrSystemUserValidator.isValidUser}} you either allow all users or leave the current logic in place (in case {{allowOnlySystemUsers}} is {{true}}).
> Only that way it would be possible to reliably allow all users as service users which is especially helpful during development of a certain feature (although this is probably not a config you would set on a production instance).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)