[ https://issues.apache.org/jira/browse/SLING-12093?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17774565#comment-17774565 ]
Carsten Ziegeler commented on SLING-12093: ------------------------------------------ I suggest we drop the auth info completely. a provider can then add whatever it thinks is fine to add > ResourceResolver.getAttribute(...) might return sensitive information > --------------------------------------------------------------------- > > Key: SLING-12093 > URL: https://issues.apache.org/jira/browse/SLING-12093 > Project: Sling > Issue Type: Improvement > Components: ResourceResolver > Affects Versions: Resource Resolver 1.11.0 > Reporter: Konrad Windszus > Priority: Major > > The method {{ResourceResolver.getAttribute(...)}} retrieves a named attribute > from either > - the underlying resource provider or > - the authentication info passed to the factory > In addition it filters out some attributes supposed to contain sensitive > information > (https://github.com/apache/sling-org-apache-sling-resourceresolver/blob/d9e90e455c0f71e84414bb09c83d7e678f1a788e/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java#L400) > Although there is some JCR specific authentication info filtered in > https://github.com/apache/sling-org-apache-sling-jcr-resource/blob/685c50921085941f4cbb1a3ccdbf90bad0605527/src/main/java/org/apache/sling/jcr/resource/internal/helper/jcr/JcrResourceProvider.java#L676, > this is not-effective as the authentication info is retrieved without > consulting any resource provider. > This affects the attribute {{user.jcr.credentials}}. -- This message was sent by Atlassian Jira (v8.20.10#820010)