Hi Chetan That's a completely different thing: The developer of you code makes an (hopefully informed) decision to use another super-privileged session to perform a given task.
While with your proposed change we just open the door and make it work without enforcing an informed decision (instead just having a note in the Javadoc (which probably gets ignored) given away the ability to secure access to those binaries. And just for the sake of correctness: 1. Neither JCR nor Jackrabbit nor Oak comes with a Repository.loginAsAdmin call. This has been discussed once in the past and we made a conscious decision not to do this for various reasons including security. 2. SlingRepository.loginAdministrative, which you are referring to has been a constant source of most severe vulnerabilities putting every customer of Sling-based applications at risk; despite the fact that the API contract (i.e. javadoc) was utterly clear about the risk and asked for using it responsively [1]. As you know the Apache Sling team ended up deprecating the method because it caused too many security issues! Kind regards Angela [1] quote from javadoc of SlingRepository.loginAdministrative: * <i>NOTE: This method is intended for use by infrastructure bundles to * access the repository and provide general services. This method MUST not * be used to handle client requests of whatever kinds. To handle client * requests a regular authenticated session retrieved through * {@link #login(javax.jcr.Credentials, String)} or * {@link Session#impersonate(javax.jcr.Credentials)} must be used.</i></b> On 05/05/16 13:50, "Chetan Mehrotra" <chetan.mehro...@gmail.com> wrote: >On Thu, May 5, 2016 at 5:07 PM, Francesco Mari <mari.france...@gmail.com> >wrote: > >> >> This is a totally different thing. The change to the node will be >>committed >> with the privileges of the session that retrieved the node. If the >>session >> doesn't have enough privileges to delete that node, the node will be >> deleted, There is no escape from the security model. > > >A "bad code" when passes a node backed via admin session can still do bad >thing as admin session has all the privileges. In same way if a bad code >is >passed a file handle then it can cause issue. So I am still not sure on >the >attack vector which we are defending against. > >Chetan Mehrotra