You are viewing a plain text version of this content. The canonical link for it is here.

Posted to oak-issues@jackrabbit.apache.org by "Alexander Klimetschek (JIRA)" <ji...@apache.org> on 2016/12/15 01:51:58 UTC

[jira] [Commented] (OAK-5304) DefaultSyncContext.sync(ExternalIdentity) does not verify same identity provider

    [ https://issues.apache.org/jira/browse/OAK-5304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15750078#comment-15750078 ] 

Alexander Klimetschek commented on OAK-5304:
--------------------------------------------

For reference, see also discussion in OAK-4845 between [~djaeggi] and me, where we came to the conclusion that it is important to have the strict IDP boundary protection all the way (but not half way).

> DefaultSyncContext.sync(ExternalIdentity) does not verify same identity provider
> --------------------------------------------------------------------------------
>
>                 Key: OAK-5304
>                 URL: https://issues.apache.org/jira/browse/OAK-5304
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-external
>    Affects Versions: 1.5.15, 1.4.11
>            Reporter: Alexander Klimetschek
>
> Since OAK-4224, the external IDP should be verified to be the same, but {{DefaultSyncContext.sync(ExternalIdentity)}} doesn't do that, as it [only looks|https://github.com/apache/jackrabbit-oak/blob/618e680c9c03fe7f2cd18f7db627f3b969311aac/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L226] at {{ExternalIdentityRef.getProviderName()}}, but never at the {{rep:externalId}} of the (existing) authorizable as it is [done in|https://github.com/apache/jackrabbit-oak/blob/618e680c9c03fe7f2cd18f7db627f3b969311aac/oak-auth-external/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.java#L285-L286] {{DefaultSyncContext.sync(String)}}.
> The ExternalIdentity's provider will usually match the one from the context, and it's important to check against the existing local user's rep:externalId in case it was synced with a different IDP beforehand (as per OAK-4224).
> Assume there is
> * a user with the authorizable id "frank"
> * a {{rep:externalId}} with provider "alpha" or no such property (because locally created)
> * a sync {{context}} using provider "beta"
> Calling by id:
> {code:java}
> context.sync("frank") => result has Status.FOREIGN
> {code}
> Calling by external id:
> {code:java}
> ExternalIdentity externalId = ...
> // externalId.getId() => "frank"
> // externalId.getExternalId().getProviderName() => "beta"
> context.sync(externalId) => result has Status.UPDATE
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)