[ https://issues.apache.org/jira/browse/SLING-12093?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17774596#comment-17774596 ]
Konrad Windszus commented on SLING-12093:
-----------------------------------------

It basically boils down to the question what should be the default (if not overwritten by the provider). Either a) filter nothing or b) filter everything (from authentication info). I would go for a) but allow the resource provider to filter. Then we can at least for the JCR resource provider exclude all sensitive attributes.

> ResourceResolver.getAttribute(...) might return sensitive information
> ---------------------------------------------------------------------
>
>                 Key: SLING-12093
>                 URL: https://issues.apache.org/jira/browse/SLING-12093
>             Project: Sling
>          Issue Type: Improvement
>          Components: ResourceResolver
>    Affects Versions: Resource Resolver 1.11.0
>            Reporter: Konrad Windszus
>            Priority: Major
>
> The method {{ResourceResolver.getAttribute(...)}} retrieves a named attribute
> from either
> - the underlying resource provider or
> - the authentication info passed to the factory
> In addition it filters out some attributes supposed to contain sensitive
> information
> (https://github.com/apache/sling-org-apache-sling-resourceresolver/blob/d9e90e455c0f71e84414bb09c83d7e678f1a788e/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java#L400)
> Although there is some JCR-specific authentication info filtered in
> https://github.com/apache/sling-org-apache-sling-jcr-resource/blob/685c50921085941f4cbb1a3ccdbf90bad0605527/src/main/java/org/apache/sling/jcr/resource/internal/helper/jcr/JcrResourceProvider.java#L676,
> this is not effective as the authentication info is retrieved without
> consulting any resource provider.
> This affects the attribute {{user.jcr.credentials}}.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
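A standalone model of the lookup the issue describes, added here as an illustration and not code from Sling: authentication info read directly by the resolver never passes through a provider-specific filter, whereas the variant matching option a) with a provider hook lets the provider veto such keys. The `AttributeProvider` interface, its `isSensitive` hook, the lookup order and the resolver deny list are assumptions of this model.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
// Hypothetical model of the resolver-side lookup; the lookup order and deny list are assumptions.
final class AttributeLookup {
    // Hypothetical stand-in for a resource provider (not the Sling ResourceProvider API):
    // it answers attribute lookups and says which keys it treats as sensitive.
    interface AttributeProvider {
        Object getAttribute(String name);
        boolean isSensitive(String name);
    }
    // Fixed resolver-level deny list, standing in for the filter in ResourceResolverControl.
    private static final Set<String> RESOLVER_DENY = Set.of("user.password");
    private final AttributeProvider provider;
    private final Map<String, Object> authInfo;
    AttributeLookup(AttributeProvider provider, Map<String, Object> authInfo) {
        this.provider = provider;
        this.authInfo = authInfo;
    }
    // The shape of the problem: authentication info is read directly, so a
    // provider-specific filter (like the JCR one) is never consulted for it.
    Object getAttributeWithoutProviderFilter(String name) {
        if (RESOLVER_DENY.contains(name)) return null;
        Object value = provider.getAttribute(name);
        return value != null ? value : authInfo.get(name);
    }

    // Option a) from the comment with a provider hook: the default filters nothing beyond
    // the resolver's own list, but the provider may veto keys from the authentication info.
    Object getAttributeConsultingProvider(String name) {
        if (RESOLVER_DENY.contains(name)) return null;
        Object value = provider.getAttribute(name);
        if (value != null) return value;
        return provider.isSensitive(name) ? null : authInfo.get(name);
    }

    public static void main(String[] args) {
        AttributeProvider jcrLike = new AttributeProvider() {
            public Object getAttribute(String name) { return null; }
            public boolean isSensitive(String name) { return "user.jcr.credentials".equals(name); }
        };
        Map<String, Object> authInfo = new HashMap<>(); // constructed sample authentication info
        authInfo.put("user.name", "alice");
        authInfo.put("user.jcr.credentials", "<credentials object>");
        AttributeLookup lookup = new AttributeLookup(jcrLike, authInfo);
        System.out.println(lookup.getAttributeWithoutProviderFilter("user.jcr.credentials"));
        System.out.println(lookup.getAttributeConsultingProvider("user.jcr.credentials"));
    }
}
```

The first lookup returns the credentials value from the authentication info because the provider's filter is bypassed; the second suppresses it once the provider is consulted.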