Posted to oak-issues@jackrabbit.apache.org by "Manfred Baedke (Jira)" <ji...@apache.org> on 2019/12/04 18:13:00 UTC

[jira] [Comment Edited] (OAK-8763) LoginContextProviderImpl uses any subject found in the AccessControlContext.

    [ https://issues.apache.org/jira/browse/OAK-8763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988058#comment-16988058 ] 

Manfred Baedke edited comment on OAK-8763 at 12/4/19 6:12 PM:
--------------------------------------------------------------

[~angela],

bq. this issue as you reported it is only about the failing logout. so please let me know if that part is fixed in the environment you have been testing

That was another issue, but yes, these tests no longer fail.

This issue is not about logout. 
Let me quote from the description:

bq. because JAAS will then silently fail to add principals and credentials.

That's still my concern.

bq.  if an application passes a read-only subject, the session will get the permissions defined for the specified principals.

You mean the principals found in the readonly subject? 


was (Author: baedke):
[~angela],

bq. this issue as you reported it is only about the failing logout. so please let me know if that part is fixed in the environment your have been testing

That was another issue , but yes, these tests no longer fail. 

This issue not about logout. 
Let me quote from the description:

bq. because JAAS will then silently fail to add principals and credentials.

That's still my concern.

bq.  if an application passes a read-only subject, the session will get the permissions defined for the specified principals.

You mean the principals found in the readonly subject? 

> LoginContextProviderImpl uses any subject found in the AccessControlContext.
> ----------------------------------------------------------------------------
>
>                 Key: OAK-8763
>                 URL: https://issues.apache.org/jira/browse/OAK-8763
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: security-spi
>            Reporter: Manfred Baedke
>            Assignee: Angela Schreiber
>            Priority: Minor
>         Attachments: OAK-8763-tests.patch, OAK-8763.patch
>
>
> LoginContextProviderImpl#getLoginContext(...) extracts the most recent subject from the AccessControlContext and then uses it for either a PreAuthContext or a JaasLoginContext. This is wrong, because there is no reason to assume that such a subject has anything to do with Oak. It particularly hurts when it's readonly, because JAAS will then silently fail to add principals and credentials.
> We would need a way to identify pre-authenticated subjects, and subjects that are not pre-authenticated should not be used to create a JaasLoginContext.
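
The failure mode the description refers to, shown with plain JDK JAAS classes as an added example (this is not Oak's code and not the patch attached to the issue). A Subject taken from the AccessControlContext may belong to some other framework and may already be read-only; once `Subject.setReadOnly()` has been called, `getPrincipals().add(...)` throws IllegalStateException, so a LoginModule that swallows that exception (or checks `isReadOnly()` and skips the add) ends up with a login that succeeded without adding the principals it meant to. The class name, `NamedPrincipal`, `tryAddPrincipal` and the `chooseSubject` guard are constructed for the example; the guard illustrates one defensive reaction (do not reuse a read-only subject for a JAAS login), not the resolution chosen in OAK-8763.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;

public class ReadOnlySubjectDemo {

    // Minimal Principal implementation, constructed for this example.
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "NamedPrincipal[" + name + "]"; }
    }

    // What a LoginModule#commit() typically does: add the authenticated principal to the subject.
    // On a read-only Subject the principal set is immutable and add() throws IllegalStateException;
    // a module that catches this and returns normally is where the "silent" failure comes from.
    static boolean tryAddPrincipal(Subject subject, Principal p) {
        try {
            return subject.getPrincipals().add(p);
        } catch (IllegalStateException e) {
            System.out.println("commit could not add " + p + ": " + e.getMessage());
            return false;
        }
    }

    // Hypothetical guard: only reuse a subject from the AccessControlContext if it can still be populated.
    static Subject chooseSubject(Subject fromContext) {
        if (fromContext == null || fromContext.isReadOnly()) {
            return new Subject(); // fresh, writable subject for the JAAS login
        }
        return fromContext;
    }

    public static void main(String[] args) throws Exception {
        // A subject created by some unrelated code path, made read-only before Oak ever sees it.
        Subject foreign = new Subject();
        foreign.getPrincipals().add(new NamedPrincipal("some-other-framework-user"));
        foreign.setReadOnly();

        // Run "as" that subject so it becomes the most recent subject in the AccessControlContext.
        Subject.doAs(foreign, (PrivilegedExceptionAction<Void>) () -> {
            AccessControlContext acc = AccessController.getContext();
            Subject found = Subject.getSubject(acc);
            System.out.println("subject in context: " + found.getPrincipals()
                    + ", readOnly=" + found.isReadOnly());

            // Naive behaviour: reuse whatever subject the context holds.
            boolean added = tryAddPrincipal(found, new NamedPrincipal("oak-user"));
            System.out.println("naive reuse added oak-user? " + added);

            // Guarded behaviour: fall back to a writable subject when the found one is read-only.
            Subject s = chooseSubject(found);
            added = tryAddPrincipal(s, new NamedPrincipal("oak-user"));
            System.out.println("guarded path added oak-user? " + added + " -> " + s.getPrincipals());
            return null;
        });
    }
}
```

Run with `java ReadOnlySubjectDemo.java` (Java 11 or later; `Subject.doAs`, `Subject.getSubject(AccessControlContext)` and `AccessController.getContext()` are deprecated on recent JDKs but still present). The naive path reports that the principal could not be added, while the guarded path adds it to a fresh subject, which is the distinction between "a subject happens to be in the context" and "a subject was pre-authenticated for this login" that the description asks to make explicit.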



--
This message was sent by Atlassian Jira
(v8.3.4#803005)