[
https://issues.apache.org/jira/browse/SLING-5006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14984956#comment-14984956
]
Konrad Windszus commented on SLING-5006:
----------------------------------------
Looks good to me, thanks for that.
Just out of curiosity: Is there a known race condition why SLING-4895 was
necessary? Or is it just, that it is considered bad practice to call OSGi API
while holding a lock
(http://njbartlett.name/files/osgibook_preview_20091217.pdf, Chapter 6.4)?
> Allow to enable the usage of regular JCR users for service resolvers
> --------------------------------------------------------------------
>
> Key: SLING-5006
> URL: https://issues.apache.org/jira/browse/SLING-5006
> Project: Sling
> Issue Type: Improvement
> Components: Service User Mapper
> Affects Versions: Service User Mapper 1.2.0, JCR Resource 2.5.6
> Reporter: Konrad Windszus
> Assignee: Konrad Windszus
> Fix For: Service User Mapper 1.2.2, JCR Resource 2.6.0
>
> Attachments: SLING-5006-serviceusermapper-v01.diff,
> SLING-5006-uservalidator-v01.diff
>
>
> With SLING-3854 a {{ServiceUserValidator}} interface was introduced.
> Basically all OSGi services implementing that interface may decide whether
> certain users can be used as backing user for a call to
> {{ResourceResolverFactory.getServiceResolver(...)}}. The only implementation
> of that in Sling is {{JcrSystemUserValidator}} which only allows to use JCR
> system users.
> The list of all those services is bound in the {{ServiceUserMapperImpl}}
> dynamically.
> If you for example want to use that service to relax the policy being
> introduced with SLING-3854 (to e.g. allow all users as service users) you may
> register your own service just returning {{true}} for all users in the only
> method {{isValid}}. Unfortunately you don't know when your
> {{ServiceUserValidator}} service is bound (due to the dynamic restart
> behaviour of services). Therefore other services cannot rely on the fact that
> your own {{ServiceUserValidator}} is being available at a certain point in
> time and therefore their call to
> {{ResourceResolverFactory.getServiceResolver(...)}} may fail, if they rely on
> a non-System JCR user. Therefore this mechanism is not suitable to disable
> the enforcing of JCR system users.
> Instead I would propose the following:
> # allow to configure the {{JcrSystemUserValidator}} via an OSGi property
> named {{allowOnlySystemUsers}} which by default should be {{true}}.
> # within the method {{JcrSystemUserValidator.isValidUser}} you either allow
> all users or leave the current logic in place (in case
> {{allowOnlySystemUsers}} is {{true}}).
> Only that way it would be possible to reliably allow all users as service
> users which is especially helpful during development of a certain feature
> (although this is probably not a config you would set on a production
> instance).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
