Posted to dev@sling.apache.org by "Felix Meschberger (JIRA)" <ji...@apache.org> on 2010/01/19 12:26:54 UTC
[jira] Commented: (SLING-1287) Impersonation cookie must be quoted to support some special characters
[ https://issues.apache.org/jira/browse/SLING-1287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12802200#action_12802200 ]
Felix Meschberger commented on SLING-1287:
------------------------------------------
Implemented cookie quoting in Rev. 900728.
When setting the cookie, the cookie value is always quoted. When reading the cookie, the cookie value is accepted quoted and unquoted.
> Impersonation cookie must be quoted to support some special characters
> ----------------------------------------------------------------------
>
> Key: SLING-1287
> URL: https://issues.apache.org/jira/browse/SLING-1287
> Project: Sling
> Issue Type: Bug
> Components: Commons
> Affects Versions: Commons Auth 1.0.0
> Reporter: Felix Meschberger
> Assignee: Felix Meschberger
> Fix For: Commons Auth 1.0.0
>
>
> The Sling authenticator supports transparent impersonation of another user using a so-called "sudo" parameter. Using this parameter causes the authenticator to set a sudo cookie, which is inspected in future requests to decide on whether to further impersonate requests or not.
> The problem is that the character set of cookie values is limited by RFC 2109 defining that a cookie value must be token or quoted-string according to RFC-2616:
> token = 1*<any CHAR except CTLs or separators>
> separators = "(" | ")" | "<" | ">" | "@"
> | "," | ";" | ":" | "\" | <">
> | "/" | "[" | "]" | "?" | "="
> | "{" | "}" | SP | HT
> quoted-string = ( <"> *(qdtext | quoted-pair ) <"> )
> qdtext = <any TEXT except <">>
> If the sudo user name contains an "@" sign (such as an email address), the value is not a token any longer and must be properly quoted.
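
The quoting rule from the issue and the behaviour described in the comment (always quote on write, accept quoted and unquoted on read), as an added example that is not the code committed in Rev. 900728. The class and method names are hypothetical, the quoted-pair escaping follows RFC 2616 (quoted-pair = "\" CHAR), and rejecting all control characters is a conservative assumption of this sketch.

```java
import java.util.List;

// Added example: hypothetical helper, not the Sling implementation.
public class SudoCookieQuoting {

    // RFC 2616 separators as listed in the issue description (SP and HT included).
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    /** True if the value is an RFC 2616 token and would be legal unquoted. */
    static boolean isToken(String value) {
        if (value.isEmpty()) return false;
        for (char c : value.toCharArray()) {
            if (c < 0x20 || c >= 0x7f || SEPARATORS.indexOf(c) >= 0) return false;
        }
        return true;
    }

    /** Always quote on write; escape '"' and '\' as quoted-pairs. */
    static String quote(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 2).append('"');
        for (char c : value.toCharArray()) {
            if (c < 0x20 || c == 0x7f) {
                // Assumption: refuse CTLs outright; CR/LF would split the header.
                throw new IllegalArgumentException("control character in cookie value");
            }
            if (c == '"' || c == '\\') sb.append('\\');
            sb.append(c);
        }
        return sb.append('"').toString();
    }

    /** Accept both quoted and unquoted values on read. */
    static String unquote(String raw) {
        int end = raw.length() - 1;
        if (raw.length() < 2 || raw.charAt(0) != '"' || raw.charAt(end) != '"') {
            return raw; // unquoted value, returned as-is
        }
        StringBuilder sb = new StringBuilder();
        for (int i = 1; i < end; i++) {
            char c = raw.charAt(i);
            if (c == '\\' && i + 1 < end) c = raw.charAt(++i); // quoted-pair
            sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample user names, not taken from the issue.
        for (String user : List.of("admin", "jane@example.com", "a\"b\\c")) {
            String wire = quote(user);
            System.out.printf("%-18s token=%-5b wire=%s roundtrip=%b%n",
                    user, isToken(user), wire, unquote(wire).equals(user));
        }
    }
}
```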