[ https://issues.apache.org/jira/browse/SLING-3179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13868599#comment-13868599 ]
Alexander Klimetschek commented on SLING-3179:
----------------------------------------------
I don't see how this is adding security other than reintroducing the
TrustedInfo again, just with different and more complex code.
Why the Subject doAs part: it already does an "evil"
repository.loginAdministrative() - then it would be much simpler to do
impersonation on the session rather than the complex doAs() logic, which really
exposes internal JCR/repository user logic, i.e. how principals are set up,
including group membership, while on the JCR layer a user is simply identified
by a string id.
> Implement solution to the Authentication Handler Credential Validation Problem
> ------------------------------------------------------------------------------
>
> Key: SLING-3179
> URL: https://issues.apache.org/jira/browse/SLING-3179
> Project: Sling
> Issue Type: Bug
> Components: API, JCR, ResourceResolver
> Affects Versions: JCR Base 2.1.2, API 2.4.2, Resource Resolver 1.0.6
> Reporter: Felix Meschberger
> Assignee: Antonio Sanso
> Attachments: SLING-3179.diff, SLING-3179.patch
>
>
> The proposal [Solving the Authentication Handler Credential Validation
> Problem|https://cwiki.apache.org/confluence/display/SLING/Solving+the+Authentication+Handler+Credential+Validation+Problem]
> should be implemented.