jackrabbit-oak-issues mailing list archives

From "angela (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OAK-3899) TokenLoginModule ignores shared key javax.security.auth.login.name
Date Thu, 28 Jan 2016 14:09:40 GMT

    [ https://issues.apache.org/jira/browse/OAK-3899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15121518#comment-15121518 ]

angela commented on OAK-3899:

Sorry... but that patch cannot be applied. It's on purpose that the TokenLoginModule doesn't
care about the nature of the shared credentials because the login module doesn't know what
type of credentials are supported and respected by the {{TokenProvider}} implementations (note:
there might be multiple and the default one might simply not be relevant). So, we are not
going to bake the {{SimpleCredentials}} into the {{TokenLoginModule}}.

> TokenLoginModule ignores shared key javax.security.auth.login.name
> ------------------------------------------------------------------
>                 Key: OAK-3899
>                 URL: https://issues.apache.org/jira/browse/OAK-3899
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.3.14
>            Reporter: Alexander Klimetschek
>         Attachments: OAK-3899.patch
>
> The {{TokenLoginModule}} and specifically TokenProviderImpl [only look at SimpleCredentials.getUserID()|https://github.com/apache/jackrabbit-oak/blob/1144914c053ec9c2723450261fabfee1bd9d0e58/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.java#L165]
> when creating a token.
>
> However, in certain situations, such as with the ExternalLoginModule and non-username/password
> credentials, the SimpleCredentials are used but don't have a user id as the real user id is
> determined not by the caller of {{Repository.login()}}, but by the external identity provider
> inside the ExternalLoginModule (and the credentials might not include any kind of user id,
> say an opaque token from an external service). In this case, {{SimpleCredentials.getUserID()}}
> returns null and the token implementation fails to create a token and does not return it in
> the {{.token}} attribute of the credentials.
>
> Instead, the TokenLoginModule should look at the shared {{javax.security.auth.login.name}}
> attribute, which can de-facto override a {{SimpleCredentials.getUserID()}}, as it happens
> in the ExternalLoginModule.
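
The shared-state hand-off that the issue description refers to, as an added sketch in plain JAAS (JDK classes only); it is not Oak code and not the attached patch. `Base`, `ExternalStub`, `TokenStub`, the `NameCallback` standing in for the credentials' user id, and the user id `alice` are assumptions made for the illustration.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class SharedLoginNameDemo {
    static final String SHARED_KEY_LOGIN_NAME = "javax.security.auth.login.name";
    static String tokenIssuedFor; // user id the token stand-in settled on
    /** Plumbing shared by both stand-ins: keep the handler and the shared-state map. */
    public abstract static class Base implements LoginModule {
        CallbackHandler handler; Map<String, Object> shared;
        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> state, Map<String, ?> opts) {
            handler = h; shared = (Map<String, Object>) state;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    /** Hypothetical external module: resolves the real user id and shares it. */
    public static class ExternalStub extends Base {
        public boolean login() {
            shared.put(SHARED_KEY_LOGIN_NAME, "alice"); // constructed lookup result
            return true;
        }
    }
    /** Hypothetical token module: user id from the credentials, else the shared name. */
    public static class TokenStub extends Base {
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user id");
            try { handler.handle(new Callback[] { nc }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            tokenIssuedFor = nc.getName() != null ? nc.getName() : (String) shared.get(SHARED_KEY_LOGIN_NAME);
            return tokenIssuedFor != null;
        }
    }
    static AppConfigurationEntry entry(Class<?> c) {
        return new AppConfigurationEntry(c.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<>());
    }
    public static void main(String[] args) throws LoginException {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry(ExternalStub.class), entry(TokenStub.class) };
            }
        };
        // The no-op handler sets no name: the credentials carry no user id, as in the report.
        new LoginContext("demo", new Subject(), callbacks -> { }, cfg).login();
        System.out.println("token would be issued for: " + tokenIssuedFor);
    }
}
```

If the fallback to the shared key is removed from `TokenStub`, its `login()` returns false, and because the entry is `REQUIRED` the overall login fails.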
