Posted to oak-issues@jackrabbit.apache.org by "Alexander Klimetschek (JIRA)" <ji...@apache.org> on 2016/01/20 01:44:39 UTC

[jira] [Updated] (OAK-3899) TokenLoginModule ignores shared key javax.security.auth.login.name

     [ https://issues.apache.org/jira/browse/OAK-3899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexander Klimetschek updated OAK-3899:
---------------------------------------
    Description: 
The TokenLoginModule and specifically [TokenProviderImpl only look at SimpleCredentials.getUserID()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java#L165] when creating a token.

However, in certain situations, such as the ExternalLoginModule, the SimpleCredentials are used but don't have a user id as the real user id is determined not by the caller of repository.login(), but by the external identity provider (and the credentials might not include any kind of user id, say an opaque token from an external service). In this case, getUserID() returns null and the token implementation fails to create a token and return it in the ".token" attribute of the credentials.

Instead, the TokenLoginModule should look at the shared "javax.security.auth.login.name" parameter, which can de-facto override a SimpleCredentials.getUserID(), as it happens in the ExternalLoginModule.

  was:
The TokenLoginModule and specifically [TokenProviderImpl only look at SimpleCredentials.getUserID()|https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java#L165] when creating a token.

However, in certain situations, such as the ExternalLoginModule, the SimpleCredentials are used but don't have a user id as the real user id is determined not by the caller of repository.login(), but by the external identity provider (and the credentials might not include any kind of user id, say an opaque token from an external service). In this case, getUserID() returns null and the token implementation fails to create a token and return it in the ".token" attribute of the credentials.


> TokenLoginModule ignores shared key javax.security.auth.login.name
> ------------------------------------------------------------------
>
>                 Key: OAK-3899
>                 URL: https://issues.apache.org/jira/browse/OAK-3899
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.3.14
>            Reporter: Alexander Klimetschek



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
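The resolution order the report asks for, written out as an added, self-contained Java illustration (not Oak's TokenProviderImpl or TokenLoginModule code): a hypothetical stand-in for javax.jcr.SimpleCredentials, the JAAS shared-state map a login module receives in initialize(), and two resolvers side by side, the current one that only consults getUserID() and a proposed one that lets the shared "javax.security.auth.login.name" value take precedence. The token format, the in-memory token store and the names Credentials, resolveUserIdCurrent, resolveUserIdProposed and issueToken are assumptions made for the example; the ".token" attribute name and the shared-state key are the ones named in the issue.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class TokenUserIdResolution {

    // Conventional JAAS shared-state key named in the issue.
    static final String SHARED_LOGIN_NAME = "javax.security.auth.login.name";
    // Attribute under which the issue says the token is handed back to the caller.
    static final String TOKEN_ATTRIBUTE = ".token";

    /** Hypothetical stand-in for javax.jcr.SimpleCredentials (userID may be null). */
    static final class Credentials {
        private final String userId;
        private final Map<String, Object> attributes = new HashMap<>();
        Credentials(String userId) { this.userId = userId; }
        String getUserID() { return userId; }
        void setAttribute(String name, Object value) { attributes.put(name, value); }
        Object getAttribute(String name) { return attributes.get(name); }
    }

    /** Behaviour the issue describes: only the credentials' own user id is consulted. */
    static String resolveUserIdCurrent(Credentials creds, Map<String, ?> sharedState) {
        return creds.getUserID();
    }

    /**
     * Behaviour the issue proposes: the shared login name, when another login module
     * (e.g. an external IdP module) has set it, de-facto overrides getUserID().
     */
    static String resolveUserIdProposed(Credentials creds, Map<String, ?> sharedState) {
        Object shared = sharedState.get(SHARED_LOGIN_NAME);
        if (shared instanceof String && !((String) shared).isEmpty()) {
            return (String) shared;
        }
        return creds.getUserID();
    }

    /** Illustrative token store: opaque random token -> user id. Not Oak's token format. */
    static final Map<String, String> TOKENS = new HashMap<>();
    static final SecureRandom RNG = new SecureRandom();

    /** Returns the issued token, or null when no user id could be determined (the failure mode). */
    static String issueToken(Credentials creds, String userId) {
        if (userId == null || userId.isEmpty()) {
            return null;                       // nothing to bind the token to
        }
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        TOKENS.put(token, userId);
        creds.setAttribute(TOKEN_ATTRIBUTE, token);
        return token;
    }

    public static void main(String[] args) {
        // Constructed scenario from the issue: credentials carry an opaque external
        // token and no user id; the external module has published the real id via shared state.
        Credentials external = new Credentials(null);
        external.setAttribute("external.token", "opaque-idp-assertion");   // constructed value
        Map<String, Object> sharedState = new HashMap<>();
        sharedState.put(SHARED_LOGIN_NAME, "alice");                     // constructed value

        String current = issueToken(external, resolveUserIdCurrent(external, sharedState));
        System.out.println("current behaviour  -> token: " + current
                + ", .token attribute: " + external.getAttribute(TOKEN_ATTRIBUTE));

        String proposed = issueToken(external, resolveUserIdProposed(external, sharedState));
        System.out.println("proposed behaviour -> token issued for user: " + TOKENS.get(proposed)
                + ", .token attribute set: " + (external.getAttribute(TOKEN_ATTRIBUTE) != null));

        // Plain repository.login() with a user id and no shared state still works either way.
        Credentials plain = new Credentials("bob");
        String plainToken = issueToken(plain, resolveUserIdProposed(plain, new HashMap<>()));
        System.out.println("plain login        -> token issued for user: " + TOKENS.get(plainToken));
    }
}
```

In the first run the current resolver yields null, so no token is created and the ".token" attribute stays unset, which is the failure the issue reports; the proposed resolver picks up "alice" from the shared state and a token is bound to that id. Whether the shared value should override a non-null getUserID() or only fill in a missing one is a design choice; the example follows the issue's wording and gives the shared state precedence.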