You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Robert Munteanu (JIRA)" <ji...@apache.org> on 2015/05/04 14:07:06 UTC

[jira] [Issue Comment Deleted] (SLING-3633) Sling uses wrong value for Principal object

     [ https://issues.apache.org/jira/browse/SLING-3633?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Munteanu updated SLING-3633:
-----------------------------------
    Comment: was deleted

(was: I am out of office, back on June 22.

regards

antonio


)

> Sling uses wrong value for Principal object
> -------------------------------------------
>
>                 Key: SLING-3633
>                 URL: https://issues.apache.org/jira/browse/SLING-3633
>             Project: Sling
>          Issue Type: Bug
>          Components: Engine
>    Affects Versions: Engine 2.3.2
>            Reporter: Ilyas Türkben
>            Assignee: Antonio Sanso
>             Fix For: JCR Resource 2.3.8, Engine 2.3.4
>
>
> Sling uses resolver.getUserID() to set the HttpContext.REMOTE_USER on the request object which used later to the instantiation of the Principal object.
> Sling should use the rep:principalName instead of resolver.getUserID().
> {code:java}
>  // org.apache.sling.auth.core.impl.SlingAuthenticator
>     /**
>      * Sets the request attributes required by the OSGi HttpContext interface
>      * specification for the <code>handleSecurity</code> method. In addition the
>      * {@link SlingAuthenticator#REQUEST_ATTRIBUTE_RESOLVER} request attribute
>      * is set to the ResourceResolver.
>      */
>     private void setAttributes(final ResourceResolver resolver, final String authType,
>             final HttpServletRequest request) {
>         // HttpService API required attributes
>         request.setAttribute(HttpContext.REMOTE_USER, resolver.getUserID());
>         request.setAttribute(HttpContext.AUTHENTICATION_TYPE, authType);
>         // resource resolver for down-stream use
>         request.setAttribute(REQUEST_ATTRIBUTE_RESOLVER, resolver);
>         log.debug(
>             "setAttributes: ResourceResolver stored as request attribute: user={}",
>             resolver.getUserID());
>     }
> {code}
> Below *jrAuthorizable is NULL* when the userID(node name) is not equals to rep:principalName property. This is a sample code to reproduce the issue in a servlet.
> {code:java}
>       final Principal principal = request.getUserPrincipal();
>       final org.apache.jackrabbit.api.security.user.UserManager jrUserManager = request.getResourceResolver().adaptTo(org.apache.jackrabbit.api.security.user.UserManager.class);
>       final org.apache.jackrabbit.api.security.user.Authorizable jrAuthorizable = jrUserManager.getAuthorizable(principal);
> {code}
> Basically to reproduce the issue, create a user, change the rep:principalName,  login with the userID, use the api to get a Authorizable object with using the  request.getUserPrincipal();



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)