Posted to dev@sling.apache.org by Robert Munteanu <ro...@apache.org> on 2022/08/04 13:37:10 UTC
User impersonation in the web console
Hi,
For SLING-10844 [1] I am trying to add a feature to the resource
resolver console plugin which allows the map/resolve test to optionally
run as a specific user.
The code I'm using is very simple
    Map<String, Object> authenticationInfo = new HashMap<>();
    authenticationInfo.put(ResourceResolverFactory.USER_IMPERSONATION, user);
    resolver = resolverFactory.getResourceResolver(authenticationInfo);
A failure is thrown from Oak, even though I'm logging in as
admin/admin:
    Caused by: javax.security.auth.login.FailedLoginException: Impersonation not allowed.
        at org.apache.jackrabbit.oak.security.user.UserAuthentication.checkSuccess(UserAuthentication.java:186)
        at org.apache.jackrabbit.oak.security.user.UserAuthentication.authenticate(UserAuthentication.java:126)
        at org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl.authenticate(LoginModuleImpl.java:261)
        at org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl.login(LoginModuleImpl.java:130)
        at org.apache.felix.jaas.boot.ProxyLoginModule.login(ProxyLoginModule.java:52)
(I've omitted the full stack trace).
Does anyone know whether I'm missing something from the code or if this
is a limitation of the web console? If it's a limitation, is there a
place where I can try and fix it?
Thanks,
Robert
[1]: https://issues.apache.org/jira/browse/SLING-10844
Re: User impersonation in the web console
Posted by Robert Munteanu <ro...@apache.org>.
Hi Konrad,
On Thu, 2022-08-04 at 16:45 +0200, Konrad Windszus wrote:
> Hi Robert,
> According to
> https://sling.apache.org/documentation/the-sling-engine/resources.html#jcr-based-resources
> the key “user.impersonation” “...Must be combined with one of the
> other authentication info keys.”
> So I guess you need to add at least one other key to the
> AuthenticationInfo map (most probably a session).
> Otherwise Oak would not know from whose perspective you want to
> impersonate.
That works for me, thanks. I was able to look up the resource resolver
associated with the authenticated user by looking it up at
request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
which, AFAIU, is guaranteed to be set if the user is authenticated.
Thanks,
Robert
Re: User impersonation in the web console
Posted by Konrad Windszus <ko...@gmx.de>.
Hi Robert,
According to https://sling.apache.org/documentation/the-sling-engine/resources.html#jcr-based-resources the key “user.impersonation” “...Must be combined with one of the other authentication info keys.”
So I guess you need to add at least one other key to the AuthenticationInfo map (most probably a session).
Otherwise Oak would not know from whose perspective you want to impersonate.
Konrad
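Added example, not part of the original thread and not the Sling console plugin's own code: one way to apply the advice above is to start from the resolver of the user who is already logged in to the web console and clone it with the impersonation key, so that Oak knows who is asking to impersonate. The class name ImpersonatedResolve, the method resolveAs and the use of javax.servlet are assumptions made for illustration.

```java
import java.util.Collections;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.auth.core.AuthenticationSupport;

/** Hypothetical helper for a web console plugin (illustration only). */
public final class ImpersonatedResolve {

    private ImpersonatedResolve() {}

    /**
     * Resolves {@code path} as {@code targetUser}, starting from the resolver
     * of the user who is authenticated on this request.
     */
    public static String resolveAs(HttpServletRequest request, String targetUser, String path)
            throws LoginException {
        // Set by Sling authentication for authenticated requests. The request
        // owns this resolver, so it must not be closed here.
        Object attr = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
        if (!(attr instanceof ResourceResolver)) {
            throw new LoginException("No authenticated resource resolver on this request");
        }
        ResourceResolver current = (ResourceResolver) attr;

        // No impersonation requested: answer from the caller's own point of view.
        if (targetUser == null || targetUser.isEmpty()) {
            return current.resolve(path).getPath();
        }

        // clone() builds a new resolver from this map plus the authentication
        // info 'current' was created with, so the impersonation key is no
        // longer the only key and the impersonator is known.
        Map<String, Object> authInfo =
                Collections.singletonMap(ResourceResolverFactory.USER_IMPERSONATION, targetUser);

        // The clone is ours: close it as soon as the test is done.
        try (ResourceResolver impersonated = current.clone(authInfo)) {
            return impersonated.resolve(path).getPath();
        }
    }
}
```

Oak still decides whether the logged-in user may impersonate the target, so a LoginException from clone() for a non-admin console user is the access check working and should be reported to the caller rather than retried with broader credentials.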