You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jackrabbit.apache.org by "Konrad Windszus (Jira)" <ji...@apache.org> on 2021/04/06 12:32:00 UTC

[jira] [Updated] (JCRVLT-515) AdminPermissionChecker should evaluate all principals bound to the Session

     [ https://issues.apache.org/jira/browse/JCRVLT-515?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Konrad Windszus updated JCRVLT-515:
-----------------------------------
    Description: Currently the AdminPermissionChecker only evaluates the session-bound user id in https://github.com/kwin/jackrabbit-filevault/blob/49e3c2179c18e0552e49b0671843d85d045ebf48/vault-core/src/main/java/org/apache/jackrabbit/vault/packaging/impl/AdminPermissionChecker.java#L54. This does not work well with principal based login (like with Sling Service Authentication) as in general only the first principal is returned (in case it is backed by a real JCR user). Instead one should leverage {{org.apache.jackrabbit.api.security.principal.PrincipalManager}} to retrieve all principals bound to the session and check that at least one is the administrator.  (was: Currently the AdminPermissionChecker only evaluates the session-bound user id in https://github.com/kwin/jackrabbit-filevault/blob/49e3c2179c18e0552e49b0671843d85d045ebf48/vault-core/src/main/java/org/apache/jackrabbit/vault/packaging/impl/AdminPermissionChecker.java#L54. This does not work well with principal based login (like with Sling Service Authentication) as in general only the principal is returned (in case it is backed by a real JCR user). Instead one should leverage {{org.apache.jackrabbit.api.security.principal.PrincipalManager}} to retrieve all principals bound to the session and check that at least one is configured to have the access.)

> AdminPermissionChecker should evaluate all principals bound to the Session
> --------------------------------------------------------------------------
>
>                 Key: JCRVLT-515
>                 URL: https://issues.apache.org/jira/browse/JCRVLT-515
>             Project: Jackrabbit FileVault
>          Issue Type: Improvement
>          Components: vlt
>            Reporter: Konrad Windszus
>            Priority: Major
>             Fix For: 3.4.12
>
>
> Currently the AdminPermissionChecker only evaluates the session-bound user id in https://github.com/kwin/jackrabbit-filevault/blob/49e3c2179c18e0552e49b0671843d85d045ebf48/vault-core/src/main/java/org/apache/jackrabbit/vault/packaging/impl/AdminPermissionChecker.java#L54. This does not work well with principal based login (like with Sling Service Authentication) as in general only the first principal is returned (in case it is backed by a real JCR user). Instead one should leverage {{org.apache.jackrabbit.api.security.principal.PrincipalManager}} to retrieve all principals bound to the session and check that at least one is the administrator.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)