[ 
https://issues.apache.org/jira/browse/SLING-2325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13192637#comment-13192637
 ] 

Felix Meschberger commented on SLING-2325:
------------------------------------------

> and give up on having support for long lived sessions in the framework

You can have long lived sessions but not the ones created through the 
authentication mechanism. 

> I'd hate for an implementation change on the JR side to cause this to break 
> again. 

Right. On the other hand, we include the exact portion of the code against 
which we do the thing in the bundle.

But ok, maybe it really is better to always do this... will do

                
> SlingDavExServlet uses impersonation to get session. Doesn't work nicely if 
> user doesn't have right to impersonate.
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: SLING-2325
>                 URL: https://issues.apache.org/jira/browse/SLING-2325
>             Project: Sling
>          Issue Type: Bug
>          Components: JCR
>    Affects Versions: JCR DavEx 1.0.0
>            Reporter: Christanto
>            Assignee: Felix Meschberger
>            Priority: Blocker
>              Labels: davex
>             Fix For: JCR DavEx 1.1.0
>
>
> SlingDavExServlet uses impersonation to get session. Doesn't work nicely if 
> user doesn't have right to impersonate.
> LoginException will be thrown: javax.jcr.LoginException: attempt to 
> impersonate denied for <user>
> Code excerpt from SlingDavExServlet:
> final Session session = resolver.adaptTo(Session.class);
> // as the session might be longer used by davex than the request
> // we have to create a new session!
> if ( session != null ) {
>     final Credentials credentials = new SimpleCredentials(session.getUserID(), EMPTY_PW);
>     final Session newSession = session.impersonate(credentials);
>     return newSession;
> }
