Posted to oak-issues@jackrabbit.apache.org by "Tobias Bocanegra (JIRA)" <ji...@apache.org> on 2014/02/07 07:54:19 UTC

[jira] [Commented] (OAK-1404) Pre-Authenticated login does not propagate principals in subject to AuthInfo class.

    [ https://issues.apache.org/jira/browse/OAK-1404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13894244#comment-13894244 ] 

Tobias Bocanegra commented on OAK-1404:
---------------------------------------

workaround for system subject:

{code}
--- a/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/SystemSubject.java
+++ b/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/SystemSubject.java
@@ -16,9 +16,13 @@
  */
 package org.apache.jackrabbit.oak.spi.security.authentication;

+import java.security.Principal;
 import java.util.Collections;
+import java.util.Set;
+
 import javax.security.auth.Subject;

+import org.apache.jackrabbit.oak.api.AuthInfo;
 import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;

 /**
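Review bot: the import block adds `org.apache.jackrabbit.oak.api.AuthInfo` but not `AuthInfoImpl`, which the second hunk instantiates; that only compiles if `AuthInfoImpl` lives in the same package as `SystemSubject` (`org.apache.jackrabbit.oak.spi.security.authentication`). Worth confirming, and if it is elsewhere the import needs to be added here next to `AuthInfo`.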
@@ -34,6 +38,8 @@ public final class SystemSubject {
     private SystemSubject() {}

     private static Subject createSystemSubject() {
-        return new Subject(true, Collections.singleton(SystemPrincipal.INSTANCE), Collections.<Object>emptySet(), Collections.<Object>emptySet());
+        Set<? extends Principal> principals = Collections.singleton(SystemPrincipal.INSTANCE);
+        AuthInfo info = new AuthInfoImpl("system", null, principals);
+        return new Subject(true, principals, Collections.singleton(info), Collections.<Object>emptySet());
     }
 }
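Review bot: `new AuthInfoImpl("system", null, principals)` passes `null` for the attributes map; unless `AuthInfoImpl` normalises a null map, callers of `getAttributeNames()` / `getAttribute()` on the system session will hit a NullPointerException. Prefer `Collections.<String, Object>emptyMap()`. The user id is also a bare literal `"system"` while the principal comes from `SystemPrincipal.INSTANCE`; deriving it as `SystemPrincipal.INSTANCE.getName()` keeps the two from drifting apart.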
{code}

But I think this should be solved globally. Somehow it's wrong to put the AuthInfo class as public credential in the Subject and provide principals other than those of the subject. If the goal of the public credentials is to transport the authenticated userid and the attributes, we might only include those in the info.

> Pre-Authenticated login does not propagate principals in subject to AuthInfo class.
> -----------------------------------------------------------------------------------
>
>                 Key: OAK-1404
>                 URL: https://issues.apache.org/jira/browse/OAK-1404
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.15
>            Reporter: Tobias Bocanegra
>
> Example:
> {code}
> systemSession = Subject.doAs(SystemSubject.INSTANCE, new PrivilegedExceptionAction<ContentSession>() {
>     @Override
>     public ContentSession run() throws LoginException, NoSuchWorkspaceException {
>         return repository.login(null, null);
>     }
> });
> {code}
> Produces a session with no permissions.
> I think there are 2 issues:
> 1. Pre-Authenticated logins do not set an AuthInfo to the public credentials of the Subject.
> 2. the AbstractAccessControlManager uses the AuthInfo.getPrincipals() to retrieve them. IMO, the principals should always match those of the subject and be retrieved from there.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
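The failure mode the issue describes (a pre-authenticated Subject that carries principals but no AuthInfo in its public credentials, so an access control manager that reads principals from AuthInfo sees none) and the mismatch the comment objects to (an AuthInfo whose principals differ from the Subject's) can both be reproduced with plain JAAS types. The following is an added example, not code from Oak or from the reporter; the local `AuthInfo` interface is a stand-in for `org.apache.jackrabbit.oak.api.AuthInfo` with only the two methods used here, `NamedPrincipal` stands in for `SystemPrincipal`, and the three resolver functions are illustrative, not Oak's `AbstractAccessControlManager`.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.security.auth.Subject;

public final class PreAuthPrincipalsDemo {

    // Stand-in for org.apache.jackrabbit.oak.api.AuthInfo (assumption: only the
    // two methods exercised below; the real interface also exposes attributes).
    interface AuthInfo {
        String getUserID();
        Set<Principal> getPrincipals();
    }

    // Minimal Principal with value equality, so sets of principals compare sensibly.
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && ((NamedPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    // Plays the role of SystemPrincipal.INSTANCE.
    static final Principal SYSTEM = new NamedPrincipal("system");

    // Builds an AuthInfo credential carrying an arbitrary principal set.
    static AuthInfo authInfo(final String userId, final Set<Principal> principals) {
        return new AuthInfo() {
            @Override public String getUserID() { return userId; }
            @Override public Set<Principal> getPrincipals() { return principals; }
        };
    }

    /** The OAK-1404 situation: read-only subject, principals set, no AuthInfo credential. */
    static Subject preAuthenticatedSubject() {
        return new Subject(true, Collections.singleton(SYSTEM),
                Collections.emptySet(), Collections.emptySet());
    }

    /** Resolver modelled on reading principals from the AuthInfo credential:
     *  with no AuthInfo present it yields an empty set, i.e. a session with no permissions. */
    static Set<Principal> principalsFromAuthInfo(Subject subject) {
        Set<AuthInfo> infos = subject.getPublicCredentials(AuthInfo.class);
        if (infos.isEmpty()) {
            return Collections.emptySet();
        }
        return infos.iterator().next().getPrincipals();
    }

    /** Resolver following the issue's proposal: the Subject's own principals are authoritative. */
    static Set<Principal> principalsFromSubject(Subject subject) {
        return subject.getPrincipals();
    }

    /** Consistency check for the comment's concern: any AuthInfo credential must carry
     *  exactly the Subject's principals; a credential with extra or missing principals
     *  would let the two permission views disagree. */
    static boolean authInfoMatchesSubject(Subject subject) {
        for (AuthInfo info : subject.getPublicCredentials(AuthInfo.class)) {
            if (!info.getPrincipals().equals(subject.getPrincipals())) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // 1. Pre-authenticated subject without AuthInfo: the two resolvers disagree.
        Subject preAuth = preAuthenticatedSubject();
        System.out.println("no AuthInfo, from AuthInfo: " + principalsFromAuthInfo(preAuth)); // []
        System.out.println("no AuthInfo, from Subject:  " + principalsFromSubject(preAuth));  // [system]

        // 2. Workaround shape: AuthInfo built from the same principal set as the subject.
        Set<Principal> principals = Collections.singleton(SYSTEM);
        Subject consistent = new Subject(true, principals,
                Collections.singleton(authInfo("system", principals)), Collections.emptySet());
        System.out.println("consistent: " + authInfoMatchesSubject(consistent)); // true

        // 3. The case the comment warns about: AuthInfo smuggling a principal the subject lacks.
        Set<Principal> inflated = Set.of(SYSTEM, new NamedPrincipal("administrators"));
        Subject drifted = new Subject(true, principals,
                Collections.singleton(authInfo("system", inflated)), Collections.emptySet());
        System.out.println("drifted:    " + authInfoMatchesSubject(drifted)); // false
        System.out.println("drifted, from AuthInfo: " + principalsFromAuthInfo(drifted));
    }
}
```

Case 1 is the reported bug in miniature: the same Subject yields no principals through one lookup path and the system principal through the other, which is why the login in the issue produces a session with no permissions. Case 3 is the reason the comment prefers resolving principals from the Subject: once a public credential is allowed to carry its own principal set, it can widen (or narrow) the effective identity independently of the authenticated Subject, and a permission evaluator has no single source of truth.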