[jira] [Commented] (SLING-3524) ResourceResolver.clone(null) should not share the same JCR session

Wed, 02 May 2018 09:51:20 -0700 

    [ 
https://issues.apache.org/jira/browse/SLING-3524?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16461281#comment-16461281
 ] 

Csaba Varga commented on SLING-3524:
------------------------------------

I've added a [new 
commit|https://github.com/csaboka/sling-org-apache-sling-resourceresolver/commit/0f444aa5c6537d480badcf4ca7b2af557f09d48a]
 to clear the CLONE key from the authentication info before passing it to the 
resource resolver. I hope I've caught all the paths from external clients to 
the ResourceResolverImpl constructor. The upside is that now the code has a 
central place where new "forbidden properties" can be added as necessary.

> ResourceResolver.clone(null) should not share the same JCR session
> ------------------------------------------------------------------
>
>                 Key: SLING-3524
>                 URL: https://issues.apache.org/jira/browse/SLING-3524
>             Project: Sling
>          Issue Type: Improvement
>          Components: API, JCR, ResourceResolver
>    Affects Versions: Resource Resolver 1.0.6
>            Reporter: Alexander Klimetschek
>            Priority: Major
>             Fix For: API 2.18.2, JCR Resource 3.0.10, Resource Resolver 1.6.2
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> {{ResourceResolver.clone()}} will reuse the same JCR session in case it was 
> created by passing an existing session using 
> {{JcrResourceConstants.AUTHENTICATION_INFO_SESSION}}. If you need a clone of 
> the resource resolver to pass into a new, separate thread, and use 
> {{ResourceResolver.clone(null)}}, you will actually share the session, but 
> this is not obvious. The problem is that a JCR session cannot be shared 
> across threads.
> The javadocs of clone() say "the same credential data is used as was used to 
> create this instance".
> There are a few problems with this:
> - seeing the session object itself as "credential data" is unintuitive
> - in my code, I have no idea what the original credential data was, so I 
> don't know what kind of credential data it was to make the right decision
> - since sharing a JCR session is to be avoided at all times, the resource 
> resolver should prevent one from this
> A solution would be if a plain {{ResourceResolver.clone(null)}} would return 
> a session that impersonated itself, abstracting this from the resource 
> resolver user. Additionally, it might be worth looking that clone always 
> returns a new session, unless specifically stated.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to