You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Robert Munteanu (JIRA)" <ji...@apache.org> on 2015/05/04 14:07:06 UTC
[jira] [Issue Comment Deleted] (SLING-3633) Sling uses wrong value
for Principal object
[ https://issues.apache.org/jira/browse/SLING-3633?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Munteanu updated SLING-3633:
-----------------------------------
Comment: was deleted
(was: I am out of office, back on June 22.
regards
antonio
)
> Sling uses wrong value for Principal object
> -------------------------------------------
>
> Key: SLING-3633
> URL: https://issues.apache.org/jira/browse/SLING-3633
> Project: Sling
> Issue Type: Bug
> Components: Engine
> Affects Versions: Engine 2.3.2
> Reporter: Ilyas Türkben
> Assignee: Antonio Sanso
> Fix For: JCR Resource 2.3.8, Engine 2.3.4
>
>
> Sling uses resolver.getUserID() to set the HttpContext.REMOTE_USER on the request object which used later to the instantiation of the Principal object.
> Sling should use the rep:principalName instead of resolver.getUserID().
> {code:java}
> // org.apache.sling.auth.core.impl.SlingAuthenticator
> /**
> * Sets the request attributes required by the OSGi HttpContext interface
> * specification for the <code>handleSecurity</code> method. In addition the
> * {@link SlingAuthenticator#REQUEST_ATTRIBUTE_RESOLVER} request attribute
> * is set to the ResourceResolver.
> */
> private void setAttributes(final ResourceResolver resolver, final String authType,
> final HttpServletRequest request) {
> // HttpService API required attributes
> request.setAttribute(HttpContext.REMOTE_USER, resolver.getUserID());
> request.setAttribute(HttpContext.AUTHENTICATION_TYPE, authType);
> // resource resolver for down-stream use
> request.setAttribute(REQUEST_ATTRIBUTE_RESOLVER, resolver);
> log.debug(
> "setAttributes: ResourceResolver stored as request attribute: user={}",
> resolver.getUserID());
> }
> {code}
> Below *jrAuthorizable is NULL* when the userID(node name) is not equals to rep:principalName property. This is a sample code to reproduce the issue in a servlet.
> {code:java}
> final Principal principal = request.getUserPrincipal();
> final org.apache.jackrabbit.api.security.user.UserManager jrUserManager = request.getResourceResolver().adaptTo(org.apache.jackrabbit.api.security.user.UserManager.class);
> final org.apache.jackrabbit.api.security.user.Authorizable jrAuthorizable = jrUserManager.getAuthorizable(principal);
> {code}
> Basically to reproduce the issue, create a user, change the rep:principalName, login with the userID, use the api to get a Authorizable object with using the request.getUserPrincipal();
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)