Posted to dev@jackrabbit.apache.org by "Konrad Windszus (Jira)" <ji...@apache.org> on 2021/04/20 15:06:00 UTC

[jira] [Comment Edited] (JCRVLT-515) AdminPermissionChecker should evaluate all principals bound to the Session

    [ https://issues.apache.org/jira/browse/JCRVLT-515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17325884#comment-17325884 ] 

Konrad Windszus edited comment on JCRVLT-515 at 4/20/21, 3:05 PM:
------------------------------------------------------------------

Obviously not from the JCR API. But my question was about this class specifically: https://github.com/apache/jackrabbit-oak/blob/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java. But I see that this is not even exported in https://github.com/apache/jackrabbit-oak/blob/77f243b8b810f7c611d1b1cd9b06abfc5e546446/oak-jcr/pom.xml#L160.
Is the Oak API not intended for consumers? Is all access there supposed to be done via either the JCR or the Jackrabbit API?

Sometimes the repository has been constructed by some other party (e.g. in the context of Sling) and the only API being available is JCR and Jackrabbit API.


was (Author: kwin):
Obviously not from the JCR API. But my question was about this class specifically: https://github.com/apache/jackrabbit-oak/blob/trunk/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/session/SessionImpl.java. But I see that this is not even exported in https://github.com/apache/jackrabbit-oak/blob/77f243b8b810f7c611d1b1cd9b06abfc5e546446/oak-jcr/pom.xml#L160.
Is the Oak API not intended for consumers? Is all access there supposed to be done via either the JCR or the Jackrabbit API?

> AdminPermissionChecker should evaluate all principals bound to the Session
> --------------------------------------------------------------------------
>
>                 Key: JCRVLT-515
>                 URL: https://issues.apache.org/jira/browse/JCRVLT-515
>             Project: Jackrabbit FileVault
>          Issue Type: Improvement
>          Components: vlt
>            Reporter: Konrad Windszus
>            Priority: Major
>             Fix For: 3.4.12
>
>
> Currently the AdminPermissionChecker only evaluates the session-bound user id in https://github.com/kwin/jackrabbit-filevault/blob/49e3c2179c18e0552e49b0671843d85d045ebf48/vault-core/src/main/java/org/apache/jackrabbit/vault/packaging/impl/AdminPermissionChecker.java#L54. This does not work well with principal based login (like with Sling Service Authentication) as in general only the first principal is returned (in case it is backed by a real JCR user). Instead one should leverage {{org.apache.jackrabbit.api.security.principal.PrincipalManager}} to retrieve all principals bound to the session and check that at least one is the administrator.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
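As an added illustration of the approach the issue proposes (not FileVault's actual AdminPermissionChecker and not code from this thread), the helper below resolves the session user's own principal plus all of its group principals through the Jackrabbit PrincipalManager and treats the session as administrative if the user is the repository admin or any of those principals is in an admin set. The class name, the `principalsOf` helper and the `administrators` principal name are assumptions; the check still starts from `Session.getUserID()`, so a principal-based login without a backing JCR user is rejected rather than resolved.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;

/** Hypothetical helper, not FileVault's AdminPermissionChecker. */
public final class SessionPrincipalAdminCheck {
    /** Constructed example value: principal names treated as administrative. */
    static final Set<String> ADMIN_PRINCIPAL_NAMES = Collections.singleton("administrators");

    /** True if the session's user is the admin user, or if its own principal or any group
     *  it belongs to (resolved via the Jackrabbit PrincipalManager) is administrative. */
    public static boolean hasAdministrativePermissions(Session session) throws RepositoryException {
        if (!(session instanceof JackrabbitSession)) {
            return false; // plain JCR API exposes no principals; stay conservative
        }
        JackrabbitSession js = (JackrabbitSession) session;
        String userId = js.getUserID();
        Authorizable authorizable = userId == null ? null : js.getUserManager().getAuthorizable(userId);
        if (authorizable == null) {
            return false; // e.g. a principal-based login with no backing JCR user
        }
        if (authorizable instanceof User && ((User) authorizable).isAdmin()) {
            return true;
        }
        for (Principal p : principalsOf(js.getPrincipalManager(), authorizable.getPrincipal())) {
            if (ADMIN_PRINCIPAL_NAMES.contains(p.getName())) {
                return true;
            }
        }
        return false;
    }

    /** The principal itself plus every group principal it is a direct or indirect member of. */
    static Set<Principal> principalsOf(PrincipalManager pm, Principal principal) {
        Set<Principal> result = new HashSet<>();
        result.add(principal);
        PrincipalIterator groups = pm.getGroupMembership(principal);
        while (groups.hasNext()) {
            result.add(groups.nextPrincipal());
        }
        return result;
    }
}
```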