Posted to dev@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2011/03/24 15:35:05 UTC

[jira] [Created] (JCR-2931) Compatibility issue if admin impersonates admin session

Compatibility issue if admin impersonates admin session
-------------------------------------------------------

                 Key: JCR-2931
                 URL: https://issues.apache.org/jira/browse/JCR-2931
             Project: Jackrabbit Content Repository
          Issue Type: Bug
          Components: jackrabbit-core, security
            Reporter: angela
            Priority: Trivial
             Fix For: 2.3.0


in revision 1076596 i made some improvements in ImpersonationImpl removing the shortcut for "AdminPrincipal" which from my point of view is problematic.

however, this introduced the following compatibility issue (detected by tom):
while - according to my tests - a user is allowed to impersonate itself (jcr isn't totally clear about this but states that Session.impersonate is used to "[...] impersonate another [...]") this was possible for the admin-user due to the shortcut mentioned above.

in order not to break existing code relying on that special case, i would suggest to change the code accordingly.




--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Resolved] (JCR-2931) Compatibility issue if admin impersonates admin session

Posted by "angela (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JCR-2931?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela resolved JCR-2931.
-------------------------

    Resolution: Fixed
      Assignee: angela


[jira] [Commented] (JCR-2931) Compatibility issue if admin impersonates admin session

Posted by "Tobias Bocanegra (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JCR-2931?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13010801#comment-13010801 ] 

Tobias Bocanegra commented on JCR-2931:
---------------------------------------

do you mean: ensure that an admin can impersonate to an admin session, as a shortcut to spawn a new session?

so basically:

SimpleCredentials myCreds = new SimpleCredentials(session.getUserID(), new char[0]);
Session newSession = session.impersonate(myCreds);

should work.
