Posted to oak-issues@jackrabbit.apache.org by "Alexander Klimetschek (JIRA)" <ji...@apache.org> on 2016/01/20 06:14:39 UTC

[jira] [Commented] (OAK-3899) TokenLoginModule ignores shared key javax.security.auth.login.name

    [ https://issues.apache.org/jira/browse/OAK-3899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15108026#comment-15108026 ] 

Alexander Klimetschek commented on OAK-3899:
--------------------------------------------

To explain our use case a bit:

We have a custom external identity provider (for an external user & authentication system). One authentication mechanism is using oauth, in which an authorization code is sent with the request after a login page, and we pass this code through from an Apache Sling AuthenticationHandler to the repository login. This is done using SimpleCredentials (because a. the ExternalLoginModule only supports this at this time and b. the retrieve-token-back feature of the TokenLoginModule only works with SimpleCredentials as well), which gets a null userId, empty password and a special attribute containing the code.

After this initial login using the code, we want to continue the browser "session" with the oak login token. Because of that, the SimpleCredentials also gets the {{.token}} attribute set in the authentication handler so after the session login the token is present there and can be set as a cookie on the same response for subsequent requests. This would make the whole process seamless, avoiding extra (privileged) sessions.

Workaround:

I can use a utility (granite TokenUtil) to create the token after the session was created and use the session user id for the token. This creates 2 extra sessions as it uses impersonation from a privileged session, which is overhead I would like to avoid.

> TokenLoginModule ignores shared key javax.security.auth.login.name
> ------------------------------------------------------------------
>
>                 Key: OAK-3899
>                 URL: https://issues.apache.org/jira/browse/OAK-3899
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.3.14
>            Reporter: Alexander Klimetschek
>         Attachments: OAK-3899.patch
>
>
> The {{TokenLoginModule}} and specifically TokenProviderImpl [only look at SimpleCredentials.getUserID()|https://github.com/apache/jackrabbit-oak/blob/1144914c053ec9c2723450261fabfee1bd9d0e58/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java#L165] when creating a token.
> However, in certain situations, such as with the ExternalLoginModule and non-username/password credentials, the SimpleCredentials are used but don't have a user id as the real user id is determined not by the caller of {{Repository.login()}}, but by the external identity provider inside the ExternalLoginModule (and the credentials might not include any kind of user id, say an opaque token from an external service). In this case, {{SimpleCredentials.getUserID()}} returns null and the token implementation fails to create a token and does not return it in the {{.token}} attribute of the credentials.
> Instead, the TokenLoginModule should look at the shared {{javax.security.auth.login.name}} attribute, which can de-facto override a {{SimpleCredentials.getUserID()}}, as it happens in the ExternalLoginModule.
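As an added illustration (not code from the issue, from Oak, or from the reporter), the following Java sketch shows the resolution order the issue proposes: a token-issuing step first consults the JAAS shared-state key `javax.security.auth.login.name`, written by an earlier module in the same login stack, and only then falls back to `SimpleCredentials.getUserID()`; with neither available no token is issued, which is the failure mode the issue describes. It assumes the JCR API (`javax.jcr.SimpleCredentials`) on the classpath; the `oauth.code` attribute name, the `externalLogin`, `resolveUserId` and `issueToken` helpers, the code-to-user table and the token format are constructed for the demo and are not Oak's.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.Credentials;
import javax.jcr.SimpleCredentials;

/** Constructed demo, not Oak code: resolving the user id for token creation. */
public final class SharedLoginNameDemo {

    /** JAAS shared-state key named in OAK-3899. */
    static final String SHARED_KEY_LOGIN_NAME = "javax.security.auth.login.name";
    /** Credentials attribute in which the token is handed back (from the issue). */
    static final String TOKEN_ATTRIBUTE = ".token";
    /** Hypothetical attribute carrying the oauth authorization code. */
    static final String AUTH_CODE_ATTRIBUTE = "oauth.code";

    /** Constructed stand-in for the external identity provider: code -> user id. */
    private static final Map<String, String> VALID_CODES = Map.of("code-abc123", "alice");

    /**
     * Mimics the ExternalLoginModule step: validates the opaque code and, on
     * success, publishes the resolved user id to the shared state.
     */
    static boolean externalLogin(SimpleCredentials creds, Map<String, Object> sharedState) {
        Object code = creds.getAttribute(AUTH_CODE_ATTRIBUTE);
        String userId = code == null ? null : VALID_CODES.get(code.toString());
        if (userId == null) {
            return false;
        }
        sharedState.put(SHARED_KEY_LOGIN_NAME, userId);
        return true;
    }

    /**
     * Resolution order proposed in the issue: the shared login name, set by a
     * module earlier in the same JAAS stack, wins over the user id the caller
     * put into the credentials. Identity is taken from the shared state only;
     * credentials attributes are caller-controlled and never override it.
     */
    static String resolveUserId(Map<String, Object> sharedState, Credentials creds) {
        Object shared = sharedState.get(SHARED_KEY_LOGIN_NAME);
        if (shared instanceof String && !((String) shared).isEmpty()) {
            return (String) shared;
        }
        if (creds instanceof SimpleCredentials) {
            return ((SimpleCredentials) creds).getUserID();
        }
        return null;
    }

    /**
     * Mimics the TokenLoginModule step: issues a token only when the caller
     * asked for one via the ".token" attribute and a user id could be resolved.
     * Returns the token, or null when none was issued.
     */
    static String issueToken(Map<String, Object> sharedState, SimpleCredentials creds) {
        if (creds.getAttribute(TOKEN_ATTRIBUTE) == null) {
            return null;                          // caller did not request a token
        }
        String userId = resolveUserId(sharedState, creds);
        if (userId == null) {
            return null;                          // the failure mode described in OAK-3899
        }
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);        // constructed token format, not Oak's
        String token = userId + ":" + Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        creds.setAttribute(TOKEN_ATTRIBUTE, token); // hand the token back to the caller
        return token;
    }

    public static void main(String[] args) {
        // Credentials as described in the comment: null user id, empty password,
        // the code in an attribute, and ".token" requesting a token back.
        SimpleCredentials creds = new SimpleCredentials(null, new char[0]);
        creds.setAttribute(AUTH_CODE_ATTRIBUTE, "code-abc123");
        creds.setAttribute(TOKEN_ATTRIBUTE, "");

        Map<String, Object> sharedState = new HashMap<>();
        // Before the external step runs, only getUserID() is available: null, so no token.
        System.out.println("resolved before external login: " + resolveUserId(sharedState, creds));

        if (externalLogin(creds, sharedState)) {
            String token = issueToken(sharedState, creds);
            System.out.println("token issued for " + sharedState.get(SHARED_KEY_LOGIN_NAME) + ": " + token);
            System.out.println("handed back in .token: " + creds.getAttribute(TOKEN_ATTRIBUTE));
        }
    }
}
```

The point to check in a real login stack is the ordering and the trust boundary: the shared login name is only meaningful because a module that actually authenticated the caller wrote it, so the token step must read it from the JAAS shared state, never from an attribute the caller could have placed on the credentials alongside `.token`.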



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)