[ https://issues.apache.org/jira/browse/SLING-3524?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16461281#comment-16461281 ]
Csaba Varga commented on SLING-3524: ------------------------------------ I've added a [new commit|https://github.com/csaboka/sling-org-apache-sling-resourceresolver/commit/0f444aa5c6537d480badcf4ca7b2af557f09d48a] to clear the CLONE key from the authentication info before passing it to the resource resolver. I hope I've caught all the paths from external clients to the ResourceResolverImpl constructor. The upside is that now the code has a central place where new "forbidden properties" can be added as necessary. > ResourceResolver.clone(null) should not share the same JCR session > ------------------------------------------------------------------ > > Key: SLING-3524 > URL: https://issues.apache.org/jira/browse/SLING-3524 > Project: Sling > Issue Type: Improvement > Components: API, JCR, ResourceResolver > Affects Versions: Resource Resolver 1.0.6 > Reporter: Alexander Klimetschek > Priority: Major > Fix For: API 2.18.2, JCR Resource 3.0.10, Resource Resolver 1.6.2 > > Time Spent: 50m > Remaining Estimate: 0h > > {{ResourceResolver.clone()}} will reuse the same JCR session in case it was > created by passing an existing session using > {{JcrResourceConstants.AUTHENTICATION_INFO_SESSION}}. If you need a clone of > the resource resolver to pass into a new, separate thread, and use > {{ResourceResolver.clone(null)}}, you will actually share the session, but > this is not obvious. The problem is that a JCR session cannot be shared > across threads. > The javadocs of clone() say "the same credential data is used as was used to > create this instance". > There are a few problems with this: > - seeing the session object itself as "credential data" is unintuitive > - in my code, I have no idea what the original credential data was, so I > don't know what kind of credential data it was to make the right decision > - since sharing a JCR session is to be avoided at all times, the resource > resolver should prevent one from this > A solution would be if a plain {{ResourceResolver.clone(null)}} would return > a session that impersonated itself, abstracting this from the resource > resolver user. Additionally, it might be worth looking that clone always > returns a new session, unless specifically stated. -- This message was sent by Atlassian JIRA (v7.6.3#76005)