Posted to dev@sling.apache.org by "angela (JIRA)" <ji...@apache.org> on 2013/03/01 14:57:13 UTC

[jira] [Commented] (SLING-2762) AbstractSlingRepository#login violates JCR spec

    [ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13590525#comment-13590525 ] 

angela commented on SLING-2762:
-------------------------------

apart from violating the spec this is also pretty awkward as the 'anonymous' in sling represents the unauthenticated user.
login as such with other credentials than javax.jcr.GuestCredentials doesn't make sense IMHO.

it's actually an oddity (or bug) in jackrabbit core that it was (actually is) possible to login with SimpleCredentials built for the
anonymous user that has not been fixed in order not to break backwards compatibility.

as of oak that special handling for the anonymous user will not be supported any more and the built-in anonymous user
will not have a password property any more... so login(new SimpleCredentials("anonymous", "")) will no longer work.
instead login(new GuestCredentials()) will succeed if a valid anonymous user exists.

similarly, login(null) will no longer be converted into an anonymous-login by default. to ease migration and provide a
backwards compatible setup there exists a separate loginmodule implementation that will populate the shared-state 
with guestcredentials in case of null-login.

hope that helps
                
> AbstractSlingRepository#login violates JCR spec
> -----------------------------------------------
>
>                 Key: SLING-2762
>                 URL: https://issues.apache.org/jira/browse/SLING-2762
>             Project: Sling
>          Issue Type: Bug
>          Components: JCR
>            Reporter: Antonio Sanso
>
> AbstractSlingRepository#login seems to violate the javax.jcr.Repository spec.
> The API [0] says
> " If credentials is null, it is assumed that authentication is handled by a mechanism external to the repository itself (for example, through the JAAS framework) and that the repository implementation exists within a context (for example, an application server) that allows it to handle authorization of the request for access to the specified workspace."
> while the implementation looks like
> {code}
> ...
> if (credentials == null) {
>     credentials = getAnonCredentials(this.anonUser);
> }
> ...
> {code}
> [0] http://www.day.com/maven/jsr170/javadocs/jcr-2.0/javax/jcr/Repository.html#login%28javax.jcr.Credentials,%20java.lang.String%29

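The null-to-anonymous rewrite quoted in the issue, set beside a login path that follows the javax.jcr.Repository contract, as an added Java example that is not Sling's or Jackrabbit's own code. It assumes a JCR 2.0 Repository instance and reuses the "anonymous" user id from the issue; SimpleCredentials takes a char[] password, so the example passes an empty array where the comment above writes "".

```java
import javax.jcr.Credentials;
import javax.jcr.GuestCredentials;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;

/**
 * Added example (not Sling or Jackrabbit code): contrasts the behaviour
 * reported in SLING-2762 with a login path that leaves the meaning of a
 * null Credentials object to the repository, as the JCR API specifies.
 * Assumes a JCR 2.0 Repository; "anonymous" is the user id from the issue.
 */
public final class LoginExample {

    private final Repository repository;

    public LoginExample(Repository repository) {
        this.repository = repository;
    }

    /**
     * The pattern the issue quotes: null credentials are silently replaced by
     * SimpleCredentials for the anonymous user. A caller who meant
     * "authentication is handled externally (for example by JAAS)" ends up as
     * anonymous instead, and the substitution only works on a repository that
     * still accepts SimpleCredentials for the built-in anonymous user
     * (Jackrabbit core); on Oak the anonymous user has no password property,
     * so this login fails.
     */
    public Session loginLegacy(Credentials credentials, String workspace)
            throws RepositoryException {
        if (credentials == null) {
            // SimpleCredentials wants a char[] password, hence the empty array
            credentials = new SimpleCredentials("anonymous", new char[0]);
        }
        return repository.login(credentials, workspace);
    }

    /**
     * Spec-following variant: null is passed through unchanged, so the
     * repository (or the JAAS context it runs in) decides what a null login
     * means. Guest access, when wanted, is requested explicitly.
     */
    public Session login(Credentials credentials, String workspace)
            throws RepositoryException {
        return repository.login(credentials, workspace);
    }

    /** Explicit guest login: the form that keeps working under Oak. */
    public Session loginAsGuest(String workspace) throws RepositoryException {
        return repository.login(new GuestCredentials(), workspace);
    }

    /**
     * For callers that want "guest if nothing else was supplied": the fallback
     * is visible at the call site and uses GuestCredentials rather than a
     * hand-built SimpleCredentials object for the anonymous user.
     */
    public Session loginOrGuest(Credentials credentials, String workspace)
            throws RepositoryException {
        if (credentials != null) {
            return repository.login(credentials, workspace);
        }
        return loginAsGuest(workspace);
    }
}
```

The difference between loginLegacy and loginOrGuest is the point of the comment above: both give guest access when nothing is supplied, but only the second expresses that intent through javax.jcr.GuestCredentials, which the repository can honour regardless of whether the anonymous user carries a password, and neither should be hidden behind a null check inside a method that claims to implement Repository#login.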