[ https://issues.apache.org/jira/browse/SLING-4888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14692770#comment-14692770 ]

Alexander Klimetschek commented on SLING-4888:
----------------------------------------------

For the record, this basically requires OAK-2947 - otherwise (as of Jackrabbit 
2 / Oak 1) you'd have to add the service user to the {{rep:impersonators}} 
property of every single user that should be impersonated to, which is 
impractical.

> Add SlingRepository.impersonateFromService
> ------------------------------------------
>
>                 Key: SLING-4888
>                 URL: https://issues.apache.org/jira/browse/SLING-4888
>             Project: Sling
>          Issue Type: New Feature
>          Components: JCR
>            Reporter: angela
>            Assignee: Carsten Ziegeler
>             Fix For: JCR Jackrabbit Server 2.3.0, JCR Base 2.3.0, JCR API 
> 2.3.0, JCR Oak Server 1.0.0
>
>         Attachments: SLING-4888.patch, SLING-4888_2.patch
>
>
> as discussed before it would be generally preferable to perform 
> event-based with the original subject that triggered the event instead of 
> using a clone of the privileged session that was used to register the event 
> listener.
> using the original subject (instead of just using the privileged session) 
> will ultimately always result in the same piece of code which consists of
> - {{SlingRepository.loginService}} or {{SlingRepository.loginAdministrative}} 
> followed by
> - {{Session.impersonate}} to obtain a session associated with the original 
> subject
> - {{Session.logout}} for the privileged session
> - {{Session.logout}} for the impersonated session
> To ease the usage of the original subject, which usually would be preferable 
> from a security point of view, I would like to suggest to introduce 
> {{SlingRepository.impersonateFromService}}, which not only reduced the total 
> amount of code to be written but also helped developers to move away from 
> using {{loginAdministrative}}. Furthermore an implementation may also take 
> advantage of implementation details and avoid the duplicate authentication 
> altogether.
> Initial proposal of the API extension -> see attached patch
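
The four-step pattern listed in the issue description, written out as an added Java example (not code from the attached patches or from Sling itself). `ImpersonatedWork`, `Task` and `runAs` are hypothetical names, and the sketch assumes the impersonated session stays usable after the privileged session is logged out.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import org.apache.sling.jcr.api.SlingRepository;

/** Hypothetical helper: runs a task as the user that triggered an event. */
public final class ImpersonatedWork {

    /** Hypothetical callback for the work done with the original subject. */
    public interface Task {
        void run(Session userSession) throws RepositoryException;
    }

    private ImpersonatedWork() {
    }

    public static void runAs(SlingRepository repository, String subServiceName,
                             String userId, Task task) throws RepositoryException {
        // Step 1: log in as the service user (null selects the default workspace).
        Session serviceSession = repository.loginService(subServiceName, null);
        Session userSession;
        try {
            // Step 2: obtain a session for the original subject. No password is
            // checked; the repository throws LoginException unless the service
            // user is permitted to impersonate userId (for example through that
            // user's rep:impersonators property, as the comment above notes).
            userSession = serviceSession.impersonate(
                    new SimpleCredentials(userId, new char[0]));
        } finally {
            // Step 3: release the privileged session before any work is done,
            // so nothing in the task can run with service-user privileges.
            serviceSession.logout();
        }
        try {
            // The task is limited to what userId is allowed to read and write.
            task.run(userSession);
        } finally {
            // Step 4: release the impersonated session, even if the task failed.
            userSession.logout();
        }
    }
}
```

Both `finally` blocks matter: a leaked privileged session is the larger risk, but a leaked impersonated session still holds repository resources under another user's identity.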


