Posted to dev@jackrabbit.apache.org by "Jukka Zitting (JIRA)" <ji...@apache.org> on 2006/03/13 14:45:39 UTC

[jira] Created: (JCR-351) Default to superuser access when JAAS is not configured

Default to superuser access when JAAS is not configured
-------------------------------------------------------

         Key: JCR-351
         URL: http://issues.apache.org/jira/browse/JCR-351
     Project: Jackrabbit
        Type: Improvement
  Components: security  
    Versions: 0.9    
    Reporter: Jukka Zitting
    Priority: Minor


Even though JCR-348 made it easier to start a Jackrabbit repository with default configuration, the user still needs to take care of the JAAS configuration. It would be more user-friendly to log a warning and default to superuser access rather than throwing a LoginException when JAAS has not been configured. This behaviour should be limited to only default credential logins (Session.login() with null Credentials) and it should be possible to disable it with a configuration option. We could even have this behaviour disabled by default, but enabled in the configuration file used with the JCR-348 automatic configuration.

This is a case against the "secure by default" design principle, but I think that in this case the benefits in easier setup outweigh the security drawbacks, especially if coupled with the above restrictions and a clear documentation note about the insecure default.


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


[jira] Updated: (JCR-351) Default to anonymous access when no Credentials are given

Posted by "Jukka Zitting (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/JCR-351?page=all ]

Jukka Zitting updated JCR-351:
------------------------------

    Attachment: null-credentials.patch

Attached a patch that fixes this issue by defaulting to anonymous access when no credentials are given in Session.login() and JAAS is not configured. I also added a defaultUserId configuration option to SimpleLoginModule that allows null credentials to be mapped to some other user than anonymous.

The patch contains the following changes:

   * RepositoryImpl: Pass null Credentials to a LoginModule for interpretation rather than directly throwing an exception when a JAAS Subject is not available.
   * SimpleLoginModule: Default to anonymous access when null Credentials are given. Added (disabled by default) a defaultUserId property for using some other user than anonymous by default.
   * repository.xml: Added a note about the new defaultUserId property and a commented out example on how to use it.

The only impact on existing environments is that null Credentials will now be passed to configured LoginModules with CredentialsCallback.setCallback(null) instead of explicitly throwing a LoginException when a JAAS Subject is not available.

I'd like to have this issue included in 1.0 as well, as it considerably helps to simplify initial setup. Please comment if you see any problems with this approach or think that the change is too risky for inclusion in 1.0.

> Default to anonymous access when no Credentials are given
> ---------------------------------------------------------
>
>          Key: JCR-351
>          URL: http://issues.apache.org/jira/browse/JCR-351
>      Project: Jackrabbit
>         Type: Improvement
>   Components: security
>     Versions: 0.9
>     Reporter: Jukka Zitting
>     Assignee: Jukka Zitting
>     Priority: Minor
>  Attachments: null-credentials.patch
>
> Even though JCR-348 made it easier to start a Jackrabbit repository with default configuration, the user still needs to take care of the JAAS configuration. It would be more user-friendly to log a warning and default to superuser access rather than throwing a LoginException when JAAS has not been configured. This behaviour should be limited to only default credential logins (Session.login() with null Credentials) and it should be possible to disable it with a configuration option. We could even have this behaviour disabled by default, but enabled in the configuration file used with the JCR-348 automatic configuration.
> This is a case against the "secure by default" design principle, but I think that in this case the benefits in easier setup outweigh the security drawbacks, especially if coupled with the above restrictions and a clear documentation note about the insecure default.
> [Update: As mentioned by Stefan, this is not a JAAS configuration issue but a problem in handling null Credentials. A more proper alternative to superuser access would be to default to anonymous access when credentials are not given.]

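The approach described in the patch notes above (RepositoryImpl passing null Credentials through to the LoginModule, and SimpleLoginModule mapping them to anonymous or to a configured defaultUserId) written out as a minimal plain-JAAS login module. This is an added illustration, not the attached null-credentials.patch and not Jackrabbit's SimpleLoginModule; the CredentialsCallback class below is a hypothetical stand-in for Jackrabbit's callback, and the "defaultUserId" option name follows the patch description.

```java
import java.security.Principal;
import java.util.Map;
import javax.jcr.Credentials;
import javax.jcr.SimpleCredentials;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical stand-in for the callback that carries the JCR Credentials
// into the module; it is not Jackrabbit's own CredentialsCallback class.
class CredentialsCallback implements Callback {
    private Credentials credentials;
    public Credentials getCredentials() { return credentials; }
    public void setCredentials(Credentials c) { credentials = c; }
}

// Login module that maps null Credentials to a configurable default user
// instead of failing; the repository hands null through unchanged.
public class NullCredentialsLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String defaultUserId = "anonymous"; // overridden by the module option
    private Principal principal;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        Object configured = options.get("defaultUserId"); // option name from the patch notes
        if (configured != null) {
            defaultUserId = configured.toString();
        }
    }

    public boolean login() throws LoginException {
        CredentialsCallback cb = new CredentialsCallback();
        try {
            handler.handle(new Callback[] { cb });
        } catch (Exception e) {
            throw new LoginException("Unable to obtain credentials: " + e);
        }
        Credentials creds = cb.getCredentials();
        String userId;
        if (creds == null) {
            // The JCR-351 case: Session.login() called without Credentials.
            userId = defaultUserId;
            System.err.println("WARN: no Credentials given, logging in as '" + userId + "'");
        } else if (creds instanceof SimpleCredentials) {
            userId = ((SimpleCredentials) creds).getUserID();
        } else {
            throw new LoginException("Unsupported Credentials: " + creds.getClass().getName());
        }
        final String name = userId;
        principal = new Principal() { public String getName() { return name; } };
        return true;
    }

    public boolean commit() { subject.getPrincipals().add(principal); return true; }
    public boolean abort() { principal = null; return true; }
    public boolean logout() { subject.getPrincipals().remove(principal); return true; }
}
```

The warning line mirrors the "log a warning" part of the proposal, so a null-credentials login to the default user leaves a trace in the log rather than passing silently.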

[jira] Resolved: (JCR-351) Default to anonymous access when no Credentials are given

Posted by "Jukka Zitting (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/JCR-351?page=all ]
     
Jukka Zitting resolved JCR-351:
-------------------------------

    Fix Version: 1.0
     Resolution: Fixed

Patch committed in revision 386415. Merged in the 1.0 branch in revision 386416.

> Default to anonymous access when no Credentials are given
> ---------------------------------------------------------
>
>          Key: JCR-351
>          URL: http://issues.apache.org/jira/browse/JCR-351
>      Project: Jackrabbit
>         Type: Improvement
>   Components: security
>     Versions: 0.9
>     Reporter: Jukka Zitting
>     Assignee: Jukka Zitting
>     Priority: Minor
>      Fix For: 1.0
>  Attachments: null-credentials.patch
>
> Even though JCR-348 made it easier to start a Jackrabbit repository with default configuration, the user still needs to take care of the JAAS configuration. It would be more user-friendly to log a warning and default to superuser access rather than throwing a LoginException when JAAS has not been configured. This behaviour should be limited to only default credential logins (Session.login() with null Credentials) and it should be possible to disable it with a configuration option. We could even have this behaviour disabled by default, but enabled in the configuration file used with the JCR-348 automatic configuration.
> This is a case against the "secure by default" design principle, but I think that in this case the benefits in easier setup outweigh the security drawbacks, especially if coupled with the above restrictions and a clear documentation note about the insecure default.
> [Update: As mentioned by Stefan, this is not a JAAS configuration issue but a problem in handling null Credentials. A more proper alternative to superuser access would be to default to anonymous access when credentials are not given.]


[jira] Commented: (JCR-351) Default to superuser access when JAAS is not configured

Posted by "Stefan Guggisberg (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/JCR-351?page=comments#action_12370183 ] 

Stefan Guggisberg commented on JCR-351:
---------------------------------------

The JAAS configuration is not required. The automatic configuration should default to:

        <LoginModule class="org.apache.jackrabbit.core.security.SimpleLoginModule"/>

SimpleLoginModule used with SimpleAccessManager provides full read/write access
for arbitrary credentials, out of the box.


> Default to superuser access when JAAS is not configured
> -------------------------------------------------------
>
>          Key: JCR-351
>          URL: http://issues.apache.org/jira/browse/JCR-351
>      Project: Jackrabbit
>         Type: Improvement
>   Components: security
>     Versions: 0.9
>     Reporter: Jukka Zitting
>     Priority: Minor
>
> Even though JCR-348 made it easier to start a Jackrabbit repository with default configuration, the user still needs to take care of the JAAS configuration. It would be more user-friendly to log a warning and default to superuser access rather than throwing a LoginException when JAAS has not been configured. This behaviour should be limited to only default credential logins (Session.login() with null Credentials) and it should be possible to disable it with a configuration option. We could even have this behaviour disabled by default, but enabled in the configuration file used with the JCR-348 automatic configuration.
> This is a case against the "secure by default" design principle, but I think that in this case the benefits in easier setup outweigh the security drawbacks, especially if coupled with the above restrictions and a clear documentation note about the insecure default.


[jira] Updated: (JCR-351) Default to anonymous access when no Credentials are given

Posted by "Jukka Zitting (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/JCR-351?page=all ]

Jukka Zitting updated JCR-351:
------------------------------

        Summary: Default to anonymous access when no Credentials are given (was: Default to superuser access when JAAS is not configured)
    Description: 
Even though JCR-348 made it easier to start a Jackrabbit repository with default configuration, the user still needs to take care of the JAAS configuration. It would be more user-friendly to log a warning and default to superuser access rather than throwing a LoginException when JAAS has not been configured. This behaviour should be limited to only default credential logins (Session.login() with null Credentials) and it should be possible to disable it with a configuration option. We could even have this behaviour disabled by default, but enabled in the configuration file used with the JCR-348 automatic configuration.

This is a case against the "secure by default" design principle, but I think that in this case the benefits in easier setup outweigh the security drawbacks, especially if coupled with the above restrictions and a clear documentation note about the insecure default.

[Update: As mentioned by Stefan, this is not a JAAS configuration issue but a problem in handling null Credentials. A more proper alternative to superuser access would be to default to anonymous access when credentials are not given.]

  was:
Even though JCR-348 made it easier to start a Jackrabbit repository with default configuration, the user still needs to take care of the JAAS configuration. It would be more user-friendly to log a warning and default to superuser access rather than throwing a LoginException when JAAS has not been configured. This behaviour should be limited to only default credential logins (Session.login() with null Credentials) and it should be possible to disable it with a configuration option. We could even have this behaviour disabled by default, but enabled in the configuration file used with the JCR-348 automatic configuration.

This is a case against the "secure by default" design principle, but I think that in this case the benefits in easier setup outweigh the security drawbacks, especially if coupled with the above restrictions and a clear documentation note about the insecure default.


      Assign To: Jukka Zitting

> Default to anonymous access when no Credentials are given
> ---------------------------------------------------------
>
>          Key: JCR-351
>          URL: http://issues.apache.org/jira/browse/JCR-351
>      Project: Jackrabbit
>         Type: Improvement
>   Components: security
>     Versions: 0.9
>     Reporter: Jukka Zitting
>     Assignee: Jukka Zitting
>     Priority: Minor
>
> Even though JCR-348 made it easier to start a Jackrabbit repository with default configuration, the user still needs to take care of the JAAS configuration. It would be more user-friendly to log a warning and default to superuser access rather than throwing a LoginException when JAAS has not been configured. This behaviour should be limited to only default credential logins (Session.login() with null Credentials) and it should be possible to disable it with a configuration option. We could even have this behaviour disabled by default, but enabled in the configuration file used with the JCR-348 automatic configuration.
> This is a case against the "secure by default" design principle, but I think that in this case the benefits in easier setup outweigh the security drawbacks, especially if coupled with the above restrictions and a clear documentation note about the insecure default.
> [Update: As mentioned by Stefan, this is not a JAAS configuration issue but a problem in handling null Credentials. A more proper alternative to superuser access would be to default to anonymous access when credentials are not given.]


[jira] Commented: (JCR-351) Default to superuser access when JAAS is not configured

Posted by "Jukka Zitting (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/JCR-351?page=comments#action_12370186 ] 

Jukka Zitting commented on JCR-351:
-----------------------------------

The problem with SimpleLoginModule (and in fact any AccessManager that would want to provide some default access level) is that it only works if the user has provided a Credentials instance to the Session.login() method. If you use the empty Session.login() signature, which would be the reasonable default for cases where you have not specified any explicit user accounts, RepositoryImpl.login() will throw a LoginException saying "No Subject associated with AccessControlContext".

This example class:

    import javax.jcr.*;
    import org.apache.jackrabbit.core.TransientRepository;
    public class Example {
        public static void main(String[] args) {
            try {
                Repository repository = new TransientRepository(); // default configuration, no JAAS set up
                Session session = repository.login();             // no Credentials given: fails at line 7
                session.logout();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

will output:

    javax.jcr.LoginException: No Subject associated with AccessControlContext
            at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1064)
            at org.apache.jackrabbit.core.TransientRepository.login(TransientRepository.java:319)
            at org.apache.jackrabbit.core.TransientRepository.login(TransientRepository.java:371)
            at Example.main(Example.java:7)

When run without JAAS configuration.


> Default to superuser access when JAAS is not configured
> -------------------------------------------------------
>
>          Key: JCR-351
>          URL: http://issues.apache.org/jira/browse/JCR-351
>      Project: Jackrabbit
>         Type: Improvement
>   Components: security
>     Versions: 0.9
>     Reporter: Jukka Zitting
>     Priority: Minor
>
> Even though JCR-348 made it easier to start a Jackrabbit repository with default configuration, the user still needs to take care of the JAAS configuration. It would be more user-friendly to log a warning and default to superuser access rather than throwing a LoginException when JAAS has not been configured. This behaviour should be limited to only default credential logins (Session.login() with null Credentials) and it should be possible to disable it with a configuration option. We could even have this behaviour disabled by default, but enabled in the configuration file used with the JCR-348 automatic configuration.
> This is a case against the "secure by default" design principle, but I think that in this case the benefits in easier setup outweigh the security drawbacks, especially if coupled with the above restrictions and a clear documentation note about the insecure default.


[jira] Commented: (JCR-351) Default to superuser access when JAAS is not configured

Posted by "Stefan Guggisberg (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/JCR-351?page=comments#action_12370188 ] 

Stefan Guggisberg commented on JCR-351:
---------------------------------------

OK, I agree.

> We could even have this behaviour disabled by default, but enabled in the configuration file 
> used with the JCR-348 automatic configuration. 

+1

stefan

> Default to superuser access when JAAS is not configured
> -------------------------------------------------------
>
>          Key: JCR-351
>          URL: http://issues.apache.org/jira/browse/JCR-351
>      Project: Jackrabbit
>         Type: Improvement
>   Components: security
>     Versions: 0.9
>     Reporter: Jukka Zitting
>     Priority: Minor
>
> Even though JCR-348 made it easier to start a Jackrabbit repository with default configuration, the user still needs to take care of the JAAS configuration. It would be more user-friendly to log a warning and default to superuser access rather than throwing a LoginException when JAAS has not been configured. This behaviour should be limited to only default credential logins (Session.login() with null Credentials) and it should be possible to disable it with a configuration option. We could even have this behaviour disabled by default, but enabled in the configuration file used with the JCR-348 automatic configuration.
> This is a case against the "secure by default" design principle, but I think that in this case the benefits in easier setup outweigh the security drawbacks, especially if coupled with the above restrictions and a clear documentation note about the insecure default.
