jackrabbit-oak-issues mailing list archives

From "Angela Schreiber (Jira)" <j...@apache.org>
Subject [jira] [Commented] (OAK-8763) LoginContextProviderImpl uses any subject found in the AccessControlContext.
Date Wed, 04 Dec 2019 15:14:00 GMT

    [ https://issues.apache.org/jira/browse/OAK-8763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16987938#comment-16987938

Angela Schreiber commented on OAK-8763:

[~baedke], this issue as you reported it is only about the failing logout. So please let me
know if that part is fixed in the environment you have been testing. If not, please provide
a test case that illustrates the issue... It could e.g. be due to login modules that are not
provided by Oak and that potentially need their logout fixed (which then is likely outside of
the scope of Oak).

As far as the question regarding authorization is concerned: that's a different issue, unrelated
to the logout we discuss here, and I would love not to make this issue about different topics.
Short answer: if an application passes a read-only subject, the session will get the permissions
defined for the specified principals.

> LoginContextProviderImpl uses any subject found in the AccessControlContext.
> ----------------------------------------------------------------------------
>                 Key: OAK-8763
>                 URL: https://issues.apache.org/jira/browse/OAK-8763
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: security-spi
>            Reporter: Manfred Baedke
>            Assignee: Angela Schreiber
>            Priority: Minor
>         Attachments: OAK-8763-tests.patch, OAK-8763.patch
> LoginContextProviderImpl#getLoginContext(...) extracts the most recent subject from the
> AccessControlContext and then uses it for either a PreAuthContext or a JaasLoginContext. This
> is wrong, because there is no reason to assume that such a subject has anything to do with
> Oak. It particularly hurts when it's readonly, because JAAS will then silently fail to add
> principals and credentials.
> We would need a way to identify pre-authenticated subjects, and subjects that are not
> pre-authenticated should not be used to create a JaasLoginContext.

This message was sent by Atlassian Jira

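The following is an added illustration of the failure mode the issue describes; it is not Oak code and not part of the Jira thread. It uses only the JDK's JAAS classes: a Subject that some unrelated framework has bound to the caller's AccessControlContext is picked up via Subject.getSubject(AccessController.getContext()), exactly the kind of lookup the report objects to, and because that Subject is read-only the JDK refuses to add principals to it (Subject's principal set throws IllegalStateException), so a login that "commits" into it ends up without the principals it meant to add. The NamedPrincipal class, the tryAddPrincipal stand-in for a LoginModule commit, and the PreAuthMarker-based looksPreAuthenticated check are all hypothetical; Oak's actual way of identifying pre-authenticated subjects is not shown on this page. The code relies on Subject.doAs and Subject.getSubject(AccessControlContext), which are current for the Java 8 to 17 toolchains of the 2019 issue but deprecated on newer JDKs.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.Set;
import javax.security.auth.Subject;

/**
 * Added demonstration (not Oak code): what a login that takes "whatever Subject
 * is on the AccessControlContext" sees when that Subject is foreign and read-only.
 */
public class SubjectLookupDemo {

    /** Hypothetical minimal principal standing in for any application principal. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "NamedPrincipal[" + name + "]"; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && ((NamedPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Hypothetical marker credential an application could attach to a pre-authenticated Subject. */
    static final class PreAuthMarker { }

    /** The lookup the issue describes: the Subject bound to the caller's context, or null. */
    static Subject subjectFromContext() {
        return Subject.getSubject(AccessController.getContext());
    }

    /**
     * Stand-in for a LoginModule#commit that adds the authenticated principal.
     * The JDK's Subject principal set throws IllegalStateException when the
     * Subject is read-only; report that as false so the caller sees the outcome.
     */
    static boolean tryAddPrincipal(Subject subject, Principal p) {
        try {
            subject.getPrincipals().add(p);
            return true;
        } catch (IllegalStateException readOnly) {
            return false;
        }
    }

    /** Hypothetical check: treat a Subject as pre-authenticated only if it carries our marker. */
    static boolean looksPreAuthenticated(Subject subject) {
        return subject != null && !subject.getPublicCredentials(PreAuthMarker.class).isEmpty();
    }

    public static void main(String[] args) {
        // Case 1: nothing bound to the context; a JAAS login would have to create a fresh Subject.
        System.out.println("outside doAs, subject on context: " + subjectFromContext());

        // Case 2: an unrelated framework runs our code under its own read-only Subject
        // (constructed here for the demo; it has no marker and nothing to do with our login).
        Set<Principal> foreignPrincipals = Collections.singleton(new NamedPrincipal("app-user"));
        Subject foreign = new Subject(true, foreignPrincipals,
                Collections.emptySet(), Collections.emptySet());

        Subject.doAs(foreign, (PrivilegedAction<Void>) () -> {
            Subject found = subjectFromContext();
            System.out.println("inside doAs, principals found: " + found.getPrincipals());
            System.out.println("read-only: " + found.isReadOnly());
            System.out.println("pre-authenticated by our marker: " + looksPreAuthenticated(found));

            // A login that blindly reuses this Subject cannot add its own principal.
            boolean added = tryAddPrincipal(found, new NamedPrincipal("repo-user"));
            System.out.println("commit could add principal: " + added);
            System.out.println("principals after commit: " + found.getPrincipals());
            return null;
        });
    }
}
```

Run it with `javac SubjectLookupDemo.java && java SubjectLookupDemo`. The second case is the one the report is about: the Subject found on the context belongs to someone else, carries no evidence of being pre-authenticated for this login, and rejects the principal the login tries to commit, so reusing it is the wrong choice; a login that checks something like looksPreAuthenticated first, and otherwise starts from its own new Subject, avoids both problems.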