You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-issues@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2013/07/17 11:22:49 UTC
[jira] [Commented] (OAK-793) Authentication: Document changes wrt.
Jackrabbit
[ https://issues.apache.org/jira/browse/OAK-793?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13710893#comment-13710893 ]
angela commented on OAK-793:
----------------------------
1) Null Login
-------------------------------------------------------------------------------
As of Oak 1.0 Repository#login() and Repository#login(null, wspName) is no longer
treated as guest login. This behavior of Jackrabbit-core is violating
the specification which defines that null-login should be used for those cases
where the authentication process is handled outside of the repository (-> see
pre-authentication below).
In order to get a full backwards compatible behavior OAK provides a specific
GuestLoginModule [0] that can be added to the JAAS (or corresponding OSGI) configuration.
Example JAAS Configuration:
{code}
jackrabbit.oak {
org.apache.jackrabbit.oak.spi.security.authentication.GuestLoginModule optional;
org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl required;
};
{code}
2) Pre-Authentication in the LoginContextProvider
-------------------------------------------------------------------------------
Like in Jackrabbit-core the repository internal authentication verification can
be skipped by calling Repository#login() or Repository#login(null, wspName).
In this case the repository implementation expects the verification to be
performed prior to the login call.
This behavior is provided by the default implementation of the LoginContextProvider [1]
which expects a Subject to be available with the current java.security.AccessControlContext.
However, in contrast to Jackrabbit-core the current implementation does not
try to extend the pre-authenticated subject but skips the internal verification
step altogether.
Since the LoginContextProvider is a configurable with the authentication setup
OAK users also have the following options by providing a custom LoginContextProvider:
- Disable pre-authentication by not trying to retrieve a pre-authenticated Subject.
- Add support for extending the pre-authenticated Subject by always passing the Subject to the JaasLoginContext
- Dropping JAAS altogether by providing a custom implementation of the
org.apache.jackrabbit.oak.spi.security.authentication.LoginContext [2] interface.
3) Impersonation
-------------------------------------------------------------------------------
The OAK implementation of Session#impersonate no longer uses SimpleCredentials to
transport the original Subject but rather performs the login with dedicated
ImpersonationCredentials [3].
With this change the impersonation feature no longer relies on SimpleCredentials
being passed to Session#impersonate call. Instead the specified credentials are
passed to a new instance of ImpersonationCredentials delegating the evaluation and
validation of the specified Credentials to the configured login module(s).
This modification will not affect applications that used JCR API to impersonate
a given session. However the following example which 'manually' builds impersonation
credentials the way jackrabbit core was handling it will no longer work to
impersonate an existing session:
{code}
SessionImpl sImpl = (SessionImpl) mySession;
SimpleCredentials jrImpCreds = new SimpleCredentials("someUserId, new char[0]);
creds.setAttribute(SecurityConstants.IMPERSONATOR_ATTRIBUTE, sImpl.getSubject());
Session impersonated = sImpl.getRepository().login(jrImpCreds, sImpl.getWorkspace().getName());
{code}
4) References
-------------------------------------------------------------------------------
[0] http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/GuestLoginModule.java
[1] http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContextProvider.java
[2] http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/LoginContext.java
[3] http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/ImpersonationCredentials.java
> Authentication: Document changes wrt. Jackrabbit
> ------------------------------------------------
>
> Key: OAK-793
> URL: https://issues.apache.org/jira/browse/OAK-793
> Project: Jackrabbit Oak
> Issue Type: Sub-task
> Components: jcr
> Reporter: angela
> Assignee: angela
>
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira