Posted to dev@sling.apache.org by Georg Henzler <gh...@apache.org> on 2019/11/25 07:25:03 UTC
Service authentication with principals-only (and without system user)
Hi all,
For quite a while it has been possible to configure principals instead of a
user for service authentication [1]. IMHO this suggests that an actual
authorizable should not be required anymore, but testing it showed that
this is explicitly checked and forbidden [2]. Now looking at how the
code hooks into Oak [3], at least on the Sling side there seems to be little
reason for this requirement. On the Oak side there are obvious places where
"some user id" is needed [4] but maybe this could be auto-generated?
Could somebody clarify why a backing service user is needed and if
(maybe :)) it would be possible to work towards getting rid of this
requirement?
-Georg
[1]
https://issues.apache.org/jira/browse/SLING-6963
https://sling.apache.org/documentation/the-sling-engine/service-authentication.html#service-user-mappings
[2]
https://github.com/apache/sling-org-apache-sling-jcr-resource/blob/541c918ef0869c9ff88b86ab96235ef07740c643/src/main/java/org/apache/sling/jcr/resource/internal/JcrSystemUserValidator.java#L219
[3]
https://github.com/apache/sling-org-apache-sling-jcr-base/blob/e8fe5e004b5af1802bb2a76dbbb583a437f848ee/src/main/java/org/apache/sling/jcr/base/AbstractSlingRepository2.java#L242
[4]
https://docs.adobe.com/docs/en/spec/javax.jcr/javadocs/jcr-2.0/javax/jcr/Session.html#getUserID()