[jira] [Commented] (SLING-2325) SlingDavExServlet uses impersonation to get session. Doesn't work nicely if user doesn't have right to impersonate.

Tue, 17 Jan 2012 04:07:11 -0800 

    [ 
https://issues.apache.org/jira/browse/SLING-2325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13187601#comment-13187601
 ] 

Felix Meschberger commented on SLING-2325:
------------------------------------------

Potential solutions:

 * Fix Jackrabbit DavEx
 * Grante Impersonation privilege to self to all users
 * Use a temporary admin session to impersonate as the target user (thanks 
Carsten Ziegeler)

So we could do this:

final Session session = resolver.adaptTo(Session.class); 
if ( session != null ) { 
    final Credentials credentials = new SimpleCredentials(session.getUserID(), 
EMPTY_PW); 
    try {
       final Session newSession = session.impersonate(credentials); 
       return newSession; 
    } catch (RepositoryException re) {
      final Session adminSession = 
slingRepository.loginAdministrative(session.getWorkspace().getName());
      return adminSession.impersonate(credentials);
   }
}
                
> SlingDavExServlet uses impersonation to get session. Doesn't work nicely if 
> user doesn't have right to impersonate.
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: SLING-2325
>                 URL: https://issues.apache.org/jira/browse/SLING-2325
>             Project: Sling
>          Issue Type: Bug
>          Components: JCR
>    Affects Versions: JCR DavEx 1.0.0
>            Reporter: Christanto
>            Assignee: Justin Edelson
>            Priority: Blocker
>              Labels: davex
>             Fix For: JCR DavEx 1.1.0
>
>
> SlingDavExServlet uses impersonation to get session. Doesn't work nicely if 
> user doesn't have right to impersonate.
> LoginException will be thrown: javax.jcr.LoginException: attempt to 
> impersonate denied for <user>
> Code excerpt from SlingDavExServlet:
> final Session session = resolver.adaptTo(Session.class);
> // as the session might be longer used by davex than the request
> // we have to create a new session!
> if ( session != null ) {
>     final Credentials credentials = new 
> SimpleCredentials(session.getUserID(), EMPTY_PW);
>     final Session newSession = session.impersonate(credentials);
>     return newSession;
> }

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to