On 12.08.2014 23:19, "Alexander Klimetschek" <aklim...@adobe.com> wrote:
>
> Carsten Ziegeler <cziege...@apache.org> wrote:
> > Yes, right - now the replacement for loginAdministrative can prevent this
> > if loginAdministrative is not working anymore (throws an exception).
>
> No! With JAAS Subject.doAs() you can still login as admin [1].

Right, and I can do reflection etc.

Carsten

> Disabling loginAdministrative() is just preventing the all too convenient and already well-known way in the prominent SlingRepository API. It does NOT prevent code including JSPs to login as admin if it really wants to!
>
> The thing is that there are still Sling authentication handlers that need to define the user (incl. admin). Otherwise the code would have had to be moved down below the JCR API or some Java Security style privilege would have to be done to trust certain auth handlers running in Sling.
>
> [1] http://sling.markmail.org/thread/itfmayeef6lyz3tg
>
> Cheers,
> Alex