[ 
https://issues.apache.org/jira/browse/SLING-7815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16601673#comment-16601673
 ] 

Csaba Varga commented on SLING-7815:
------------------------------------

[~rombert]: I had some time this weekend to have a look at this.

Because of a stupid mistake in my code, the JCR resource provider could close 
the session from under itself. This case was even triggered with a regular 
username+password login, but it hadn't occurred to me to test for it!

I've created a pull request with the proposed fixed code: 
[https://github.com/apache/sling-org-apache-sling-jcr-resource/pull/4]

This passes the (now extended) unit tests, and I can also launch the starter 
app properly using this version of the bundle, so hopefully it works properly 
now. Do let me know if I should validate it some other way as well.

> CLONE - ResourceResolver.clone(null) should not share the same JCR session
> --------------------------------------------------------------------------
>
>                 Key: SLING-7815
>                 URL: https://issues.apache.org/jira/browse/SLING-7815
>             Project: Sling
>          Issue Type: Improvement
>          Components: API, JCR, ResourceResolver
>    Affects Versions: JCR Resource 3.0.14
>            Reporter: Alexander Klimetschek
>            Assignee: Carsten Ziegeler
>            Priority: Major
>             Fix For: JCR Resource 3.0.18
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> {{ResourceResolver.clone()}} will reuse the same JCR session in case it was 
> created by passing an existing session using 
> {{JcrResourceConstants.AUTHENTICATION_INFO_SESSION}}. If you need a clone of 
> the resource resolver to pass into a new, separate thread, and use 
> {{ResourceResolver.clone(null)}}, you will actually share the session, but 
> this is not obvious. The problem is that a JCR session cannot be shared 
> across threads.
> The javadocs of clone() say "the same credential data is used as was used to 
> create this instance".
> There are a few problems with this:
> - seeing the session object itself as "credential data" is unintuitive
> - in my code, I have no idea what the original credential data was, so I 
> don't know what kind of credential data it was to make the right decision
> - since sharing a JCR session is to be avoided at all times, the resource 
> resolver should prevent one from this
> A solution would be if a plain {{ResourceResolver.clone(null)}} would return 
> a session that impersonated itself, abstracting this from the resource 
> resolver user. Additionally, it might be worth looking that clone always 
> returns a new session, unless specifically stated.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
