jackrabbit-oak-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Manfred Baedke (Jira)" <j...@apache.org>
Subject [jira] [Commented] (OAK-8763) LoginContextProviderImpl uses any subject found in the AccessControlContext.
Date Thu, 05 Dec 2019 18:05:00 GMT

    [ https://issues.apache.org/jira/browse/OAK-8763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16989043#comment-16989043
] 

Manfred Baedke commented on OAK-8763:
-------------------------------------

[~angela],

bq. i got confused, which of the 2 issues you were posting to because the discussions kept
getting mixed

Yes, I noticed.

bq. yes, i mean the principals from the read-only subject.

Which means, in the case of the original scenario, some "JMXPrincipal: xyz", which is then
the only principal to be found in the context. No principal associated with the user logging
in will be contained in there. To me that looks like authorization issues.

> LoginContextProviderImpl uses any subject found in the AccessControlContext.
> ----------------------------------------------------------------------------
>
>                 Key: OAK-8763
>                 URL: https://issues.apache.org/jira/browse/OAK-8763
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: security-spi
>            Reporter: Manfred Baedke
>            Assignee: Angela Schreiber
>            Priority: Minor
>         Attachments: OAK-8763-tests.patch, OAK-8763.patch
>
>
> LoginContextProviderImpl#getLoginContext(...) extracts the most recent subject from the
AccessControlContext and then uses it for either a PreAuthContext or a JaasLoginContext. This
is wrong, because there is no reason to assume that such a subject has anything to do with
Oak. It particularly hurts when it's readonly, because JAAS will then silently fail to add
principals and credentials.
> We would need a way to identify pre-authenticated subjects and subjects that are not
pre-authenticated should not be used to create a JaasLoginContext.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message