Posted to dev@sling.apache.org by "Felix Meschberger (JIRA)" <ji...@apache.org> on 2010/01/18 10:02:54 UTC

[jira] Created: (SLING-1287) Impersonation cookie must be quoted to support some special characters

Impersonation cookie must be quoted to support some special characters
----------------------------------------------------------------------

                 Key: SLING-1287
                 URL: https://issues.apache.org/jira/browse/SLING-1287
             Project: Sling
          Issue Type: Bug
          Components: Commons
    Affects Versions: Commons Auth 1.0.0
            Reporter: Felix Meschberger
            Assignee: Felix Meschberger
             Fix For: Commons Auth 1.0.0


The Sling authenticator supports transparent impersonation of another user using a so-called "sudo" parameter. Using this parameter causes the authenticator to set a sudo cookie, which is inspected in future requests to decide on whether to further impersonate requests or not.

The problem is that the character set of cookie values is limited by RFC 2109, which defines that a cookie value must be a token or quoted-string according to RFC 2616:

       token          = 1*<any CHAR except CTLs or separators>
       separators     = "(" | ")" | "<" | ">" | "@"
                      | "," | ";" | ":" | "\" | <">
                      | "/" | "[" | "]" | "?" | "="
                      | "{" | "}" | SP | HT

       quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
       qdtext         = <any TEXT except <">>

If the sudo user name contains an "@" sign (such as an email address), the value is not a token any longer and must be properly quoted.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Resolved: (SLING-1287) Impersonation cookie must be quoted to support some special characters

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger resolved SLING-1287.
--------------------------------------

    Resolution: Fixed

This issue can be resolved.

Documentation about impersonation is tracked in SLING-1298

> Impersonation cookie must be quoted to support some special characters
> ----------------------------------------------------------------------
>
>                 Key: SLING-1287
>                 URL: https://issues.apache.org/jira/browse/SLING-1287
>             Project: Sling
>          Issue Type: Bug
>          Components: Commons
>    Affects Versions: Commons Auth 1.0.0
>            Reporter: Felix Meschberger
>            Assignee: Felix Meschberger
>             Fix For: Commons Auth 1.0.0
>
>
> The Sling authenticator supports transparent impersonation of another user using a so-called "sudo" parameter. Using this parameter causes the authenticator to set a sudo cookie, which is inspected in future requests to decide on whether to further impersonate requests or not.
> The problem is that the character set of cookie values is limited by RFC 2109, which defines that a cookie value must be a token or quoted-string according to RFC 2616:
>        token          = 1*<any CHAR except CTLs or separators>
>        separators     = "(" | ")" | "<" | ">" | "@"
>                       | "," | ";" | ":" | "\" | <">
>                       | "/" | "[" | "]" | "?" | "="
>                       | "{" | "}" | SP | HT
>        quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
>        qdtext         = <any TEXT except <">>
> If the sudo user name contains an "@" sign (such as an email address), the value is not a token any longer and must be properly quoted.



[jira] Closed: (SLING-1287) Impersonation cookie must be quoted to support some special characters

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger closed SLING-1287.
------------------------------------


Close after release

> Impersonation cookie must be quoted to support some special characters
> ----------------------------------------------------------------------
>
>                 Key: SLING-1287
>                 URL: https://issues.apache.org/jira/browse/SLING-1287
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: Auth Core 1.0.0
>            Reporter: Felix Meschberger
>            Assignee: Felix Meschberger
>             Fix For: Auth Core 1.0.0
>
>
> The Sling authenticator supports transparent impersonation of another user using a so-called "sudo" parameter. Using this parameter causes the authenticator to set a sudo cookie, which is inspected in future requests to decide on whether to further impersonate requests or not.
> The problem is that the character set of cookie values is limited by RFC 2109, which defines that a cookie value must be a token or quoted-string according to RFC 2616:
>        token          = 1*<any CHAR except CTLs or separators>
>        separators     = "(" | ")" | "<" | ">" | "@"
>                       | "," | ";" | ":" | "\" | <">
>                       | "/" | "[" | "]" | "?" | "="
>                       | "{" | "}" | SP | HT
>        quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
>        qdtext         = <any TEXT except <">>
> If the sudo user name contains an "@" sign (such as an email address), the value is not a token any longer and must be properly quoted.



[jira] Updated: (SLING-1287) Impersonation cookie must be quoted to support some special characters

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-1287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger updated SLING-1287:
-------------------------------------

    Component/s: Authentication
                     (was: Commons)

> Impersonation cookie must be quoted to support some special characters
> ----------------------------------------------------------------------
>
>                 Key: SLING-1287
>                 URL: https://issues.apache.org/jira/browse/SLING-1287
>             Project: Sling
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: Auth Core 1.0.0
>            Reporter: Felix Meschberger
>            Assignee: Felix Meschberger
>             Fix For: Auth Core 1.0.0
>
>
> The Sling authenticator supports transparent impersonation of another user using a so-called "sudo" parameter. Using this parameter causes the authenticator to set a sudo cookie, which is inspected in future requests to decide on whether to further impersonate requests or not.
> The problem is that the character set of cookie values is limited by RFC 2109, which defines that a cookie value must be a token or quoted-string according to RFC 2616:
>        token          = 1*<any CHAR except CTLs or separators>
>        separators     = "(" | ")" | "<" | ">" | "@"
>                       | "," | ";" | ":" | "\" | <">
>                       | "/" | "[" | "]" | "?" | "="
>                       | "{" | "}" | SP | HT
>        quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
>        qdtext         = <any TEXT except <">>
> If the sudo user name contains an "@" sign (such as an email address), the value is not a token any longer and must be properly quoted.



[jira] Commented: (SLING-1287) Impersonation cookie must be quoted to support some special characters

Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-1287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12802200#action_12802200 ] 

Felix Meschberger commented on SLING-1287:
------------------------------------------

Implemented cookie quoting in Rev. 900728.

When setting the cookie, the cookie value is always quoted. When reading the cookie, the cookie value is accepted quoted and unquoted.

> Impersonation cookie must be quoted to support some special characters
> ----------------------------------------------------------------------
>
>                 Key: SLING-1287
>                 URL: https://issues.apache.org/jira/browse/SLING-1287
>             Project: Sling
>          Issue Type: Bug
>          Components: Commons
>    Affects Versions: Commons Auth 1.0.0
>            Reporter: Felix Meschberger
>            Assignee: Felix Meschberger
>             Fix For: Commons Auth 1.0.0
>
>
> The Sling authenticator supports transparent impersonation of another user using a so-called "sudo" parameter. Using this parameter causes the authenticator to set a sudo cookie, which is inspected in future requests to decide on whether to further impersonate requests or not.
> The problem is that the character set of cookie values is limited by RFC 2109, which defines that a cookie value must be a token or quoted-string according to RFC 2616:
>        token          = 1*<any CHAR except CTLs or separators>
>        separators     = "(" | ")" | "<" | ">" | "@"
>                       | "," | ";" | ":" | "\" | <">
>                       | "/" | "[" | "]" | "?" | "="
>                       | "{" | "}" | SP | HT
>        quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
>        qdtext         = <any TEXT except <">>
> If the sudo user name contains an "@" sign (such as an email address), the value is not a token any longer and must be properly quoted.
