[ https://issues.apache.org/jira/browse/SLING-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13846274#comment-13846274 ]
Antonio Sanso commented on SLING-2762:
--------------------------------------

I'd be inclined to apply the patch included by [~fmeschbe] and [~anchela] in https://cwiki.apache.org/confluence/display/SLING/Solving+the+Authentication+Handler+Credential+Validation+Problem
namely

{code}
if (credentials == null) {
    if (Subject.getSubject(AccessController.getContext()) != null) {
        return getRepository().login(null, workspace);
    } else {
        // TODO: getAnonCredentials(this.anonUser) should not be used for anonymous access
        return getRepository().login(new GuestCredentials(), workspace);
    }
} else {
    return getRepository().login(credentials, workspace);
}
{code}

WDYT?

> AbstractSlingRepository#login violates JCR spec
> -----------------------------------------------
>
>                 Key: SLING-2762
>                 URL: https://issues.apache.org/jira/browse/SLING-2762
>             Project: Sling
>          Issue Type: Bug
>          Components: JCR
>            Reporter: Antonio Sanso
>
> AbstractSlingRepository#login seems to violate the javax.jcr.Repository spec.
> The API [0] says
> " If credentials is null, it is assumed that authentication is handled by a
> mechanism external to the repository itself (for example, through the JAAS
> framework) and that the repository implementation exists within a context
> (for example, an application server) that allows it to handle authorization
> of the request for access to the specified workspace."
> while the implementation looks like
> {code}
> ...
> if (credentials == null) {
>     credentials = getAnonCredentials(this.anonUser);
> }
> ...
> {code}
> [0] http://www.day.com/maven/jsr170/javadocs/jcr-2.0/javax/jcr/Repository.html#login%28javax.jcr.Credentials,%20java.lang.String%29

--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
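The following is an added example, not code from the issue or from Sling: it runs the branching quoted in the comment above with and without a JAAS Subject bound to the calling context, to show when a null-credentials login is passed through and when it becomes guest access. `NullCredentialsDemo`, `Repo`, `GUEST`, `BACKEND` and the `CN=alice` principal are hypothetical stand-ins, and it assumes a JDK where `Subject.getSubject(AccessControlContext)` is still supported (Java 8 through 17).

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class NullCredentialsDemo {

    /** Hypothetical stand-in for javax.jcr.Repository, so this runs without a JCR implementation. */
    interface Repo {
        String login(Object credentials, String workspace);
    }

    /** Hypothetical stand-in for javax.jcr.GuestCredentials. */
    static final Object GUEST = "GuestCredentials";

    /** Constructed backend: reports which identity a login call would resolve to. */
    static final Repo BACKEND = (credentials, workspace) -> {
        if (credentials != null) {
            return workspace + " <- explicit credentials: " + credentials;
        }
        // null credentials: the identity must come from the caller's JAAS context
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            throw new IllegalStateException("null credentials without external authentication");
        }
        return workspace + " <- external subject: " + subject.getPrincipals();
    };

    /** Same branching as the snippet quoted in the comment above. */
    static String login(Object credentials, String workspace) {
        if (credentials == null) {
            if (Subject.getSubject(AccessController.getContext()) != null) {
                return BACKEND.login(null, workspace);
            }
            return BACKEND.login(GUEST, workspace);
        }
        return BACKEND.login(credentials, workspace);
    }

    public static void main(String[] args) {
        Subject alice = new Subject();
        alice.getPrincipals().add(new X500Principal("CN=alice")); // constructed principal
        // No Subject bound to the calling context: falls back to guest access.
        System.out.println(login(null, "default"));
        // Subject bound via doAs: null credentials are passed through unchanged.
        PrivilegedAction<String> action = () -> login(null, "default");
        System.out.println(Subject.doAs(alice, action));
    }
}
```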