Francesco Mari created OAK-3392:
-----------------------------------
Summary: Security shouldn't be bound to a SecurityProvider
Key: OAK-3392
URL: https://issues.apache.org/jira/browse/OAK-3392
Project: Jackrabbit Oak
Issue Type: Improvement
Components: core
Affects Versions: 1.3.5
Reporter: Francesco Mari
Assignee: Francesco Mari
{{ConfigurationBase}}, the base class for security configurations, allows a
{{SecurityProvider}} to be injected in a security configuration at will. This
mechanism is used to implement a basic form dependency injection in
{{SecurityProviderImpl}}, where every configuration receives a the instance of
{{SecurityProviderImpl}} that is currently using it.
This mechanism is problematic in a dynamic scenario like OSGi, where a security
configuration can be loaded independently from the {{SecurityProvider}} that is
using it. Moreover, if multiple implementations of {{SecurityProvider}} are
available, it is impossible to determine which instance of {{SecurityProvider}}
will be injected in the security configuration.
I suggest to remove the reference to a {{SecurityProvider}} in the security
configurations. If a {{SecurityProvider}} is needed, it should be instead
passed as parameter in the appropriate methods.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
