[ 
https://issues.apache.org/jira/browse/SLING-2325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13188514#comment-13188514
 ] 

Justin Edelson commented on SLING-2325:
---------------------------------------

I'm not sure I agree that there's anything to "fix" in the DavEx servlet. It's 
inherently stateful, at minimum due to Observation.

Granting everyone the ability to impersonate themselves seems reasonable to me, 
but I haven't had a chance to validate if that's acceptable under JSR-170/283. 
In any case, that should be a Jackrabbit bug.

The temporary admin session will obviously work, but it looks very much like 
using exceptions as control flow. If there was some notion that eventually self 
impersonation would always be allowed, I'd be OK with this as a temporary 
solution, but I'd prefer not to have this code in Sling long term.
                
> SlingDavExServlet uses impersonation to get session. Doesn't work nicely if 
> user doesn't have right to impersonate.
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: SLING-2325
>                 URL: https://issues.apache.org/jira/browse/SLING-2325
>             Project: Sling
>          Issue Type: Bug
>          Components: JCR
>    Affects Versions: JCR DavEx 1.0.0
>            Reporter: Christanto
>            Assignee: Justin Edelson
>            Priority: Blocker
>              Labels: davex
>             Fix For: JCR DavEx 1.1.0
>
>
> SlingDavExServlet uses impersonation to get session. Doesn't work nicely if 
> user doesn't have right to impersonate.
> LoginException will be thrown: javax.jcr.LoginException: attempt to 
> impersonate denied for <user>
> Code excerpt from SlingDavExServlet:
> final Session session = resolver.adaptTo(Session.class);
> // as the session might be longer used by davex than the request
> // we have to create a new session!
> if ( session != null ) {
>     final Credentials credentials = new SimpleCredentials(session.getUserID(), EMPTY_PW);
>     final Session newSession = session.impersonate(credentials);
>     return newSession;
> }

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
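
Added example, not part of the original message and not the Sling project's code: a sketch of the "temporary admin session" fallback discussed in the comment above, showing where the exception-as-control-flow and the short-lived elevated session sit. The class and method names are hypothetical, and it assumes a `SlingRepository` reference is available to the caller and that the impersonated session stays usable after the admin session is logged out.

```java
import javax.jcr.Credentials;
import javax.jcr.LoginException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;

import org.apache.sling.jcr.api.SlingRepository;

/** Hypothetical helper; illustrates the fallback only. */
public final class DavExSessionFallback {

    private static final char[] EMPTY_PW = new char[0];

    private DavExSessionFallback() {
    }

    /**
     * Returns a new session for the user of requestSession that can outlive
     * the request. The caller owns the returned session and must log it out.
     */
    public static Session newSessionFor(final Session requestSession,
                                        final SlingRepository repository)
            throws RepositoryException {
        final Credentials credentials =
                new SimpleCredentials(requestSession.getUserID(), EMPTY_PW);
        try {
            // Original behaviour: the user impersonates themselves.
            return requestSession.impersonate(credentials);
        } catch (LoginException denied) {
            // The user lacks the right to impersonate: this catch block is
            // the "exceptions as control flow" part of the workaround.
            Session admin = null;
            try {
                admin = repository.loginAdministrative(
                        requestSession.getWorkspace().getName());
                // The new session is bound to the user's ID, not the admin's.
                return admin.impersonate(credentials);
            } finally {
                // Keep the elevated session as short-lived as possible.
                if (admin != null) {
                    admin.logout();
                }
            }
        }
    }
}
```

The admin session is opened only inside the `catch` block and closed in `finally`, so no administrative session is ever returned to the caller.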
