Posted to dev@sling.apache.org by "Felix Meschberger (JIRA)" <ji...@apache.org> on 2010/01/19 12:26:54 UTC

[jira] Commented: (SLING-1287) Impersonation cookie must be quoted to support some special characters

    [ https://issues.apache.org/jira/browse/SLING-1287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12802200#action_12802200 ] 

Felix Meschberger commented on SLING-1287:
------------------------------------------

Implemented cookie quoting in Rev. 900728.

When setting the cookie, the cookie value is always quoted. When reading the cookie, the cookie value is accepted quoted and unquoted.

> Impersonation cookie must be quoted to support some special characters
> ----------------------------------------------------------------------
>
>                 Key: SLING-1287
>                 URL: https://issues.apache.org/jira/browse/SLING-1287
>             Project: Sling
>          Issue Type: Bug
>          Components: Commons
>    Affects Versions: Commons Auth 1.0.0
>            Reporter: Felix Meschberger
>            Assignee: Felix Meschberger
>             Fix For: Commons Auth 1.0.0
>
>
> The Sling authenticator supports transparent impersonation of another user using a so called "sudo" parameter. Using this parameter causes the authenticator to set a sudo cookie, which is inspected in future requests to decide on whether to further impersonate requests or not.
> The problem is that the character set of cookie values is limited by RFC 2109, which defines that a cookie value must be a token or quoted-string according to RFC 2616:
>        token          = 1*<any CHAR except CTLs or separators>
>        separators     = "(" | ")" | "<" | ">" | "@"
>                       | "," | ";" | ":" | "\" | <">
>                       | "/" | "[" | "]" | "?" | "="
>                       | "{" | "}" | SP | HT
>        quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
>        qdtext         = <any TEXT except <">>
> If the sudo user name contains an "@" sign (such as an email address), the value is not a token any longer and must be properly quoted.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
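An added example (not Sling's own code from Rev. 900728) of the behaviour described in the comment and the quoted RFC grammar: the token check, always emitting the value as an RFC 2616 quoted-string (escaping `"` and `\` as quoted-pairs) when setting the cookie, and accepting either a bare token or a quoted-string when reading it. Function names and the sample user name are constructed for this illustration.

```python
# Separators from RFC 2616 section 2.2, as quoted in the issue description.
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def is_token(value: str) -> bool:
    """True if value is an RFC 2616 token: 1*<any CHAR except CTLs or separators>."""
    if not value:
        return False
    for ch in value:
        code = ord(ch)
        # CHAR is US-ASCII 0-127; CTL is 0-31 and 127.
        if code > 127 or code < 32 or code == 127 or ch in SEPARATORS:
            return False
    return True


def quote_cookie_value(value: str) -> str:
    """Always emit a quoted-string; backslash and double quote become quoted-pairs."""
    escaped = value.replace('\\', '\\\\').replace('"', '\\"')
    return '"' + escaped + '"'


def unquote_cookie_value(raw: str) -> str:
    """Accept a bare token or a quoted-string; unescape quoted-pairs inside quotes."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        body = raw[1:-1]
        out = []
        i = 0
        while i < len(body):
            ch = body[i]
            if ch == '\\' and i + 1 < len(body):
                out.append(body[i + 1])  # quoted-pair: keep the escaped char
                i += 2
            else:
                out.append(ch)
                i += 1
        return ''.join(out)
    return raw  # unquoted (legacy) cookie value: taken as-is


if __name__ == "__main__":
    # Constructed sample: an e-mail style sudo user name, which is not a token.
    user = "alice@example.com"
    print("token?", is_token(user))
    cookie = quote_cookie_value(user)
    print("Set-Cookie value:", cookie)
    print("read back:", unquote_cookie_value(cookie))
```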