[ https://issues.apache.org/jira/browse/OAK-8763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16973480#comment-16973480 ]
Manfred Baedke commented on OAK-8763:
-------------------------------------

See https://issues.apache.org/jira/secure/attachment/12985222/logout.png for an example of a preexisting readonly subject not featuring the principals and credentials it's supposed to hold (note that LoginModuleImpl#credentials holds ImpersonationCredentials not to be found in the subject).

> LoginContextProviderImpl uses any subject found in the AccessControlContext.
> ----------------------------------------------------------------------------
>
>                 Key: OAK-8763
>                 URL: https://issues.apache.org/jira/browse/OAK-8763
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: security-spi
>            Reporter: Manfred Baedke
>            Assignee: Angela Schreiber
>            Priority: Major
>
> LoginContextProviderImpl#getLoginContext(...) extracts the most recent
> subject from the AccessControlContext and then uses it for either a
> PreAuthContext or a JaasLoginContext. This is wrong, because there is no
> reason to assume that such a subject has anything to do with Oak. It
> particularly hurts when it's readonly, because JAAS will then silently fail
> to add principals and credentials.
> We would need a way to identify pre-authenticated subjects and subjects that
> are not pre-authenticated should not be used to create a JaasLoginContext.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
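Added example, written for this page and not taken from Oak or from the comment above: a JDK-only demonstration of the failure mode the issue describes, where a read-only Subject bound to the AccessControlContext is picked up and a login module's commit cannot add principals or credentials to it. The `commitInto`/`isUsableForLogin` helpers and the pre-authentication marker credential are assumptions, not Oak's API.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;

/** Hypothetical demo: a foreign, read-only Subject found in the AccessControlContext. */
public class ReadOnlySubjectDemo {

    /** Mirrors a commit() that guards on isReadOnly(): on a read-only subject nothing is
     *  added and only a debug line is written, so the login "succeeds" with an empty subject.
     *  Returns true only if principals and credentials were actually added. */
    static boolean commitInto(Subject subject, Set<Principal> principals, Object credentials) {
        if (subject.isReadOnly()) {
            // subject.getPrincipals().add(...) would throw IllegalStateException here;
            // skipping instead is exactly what makes the failure silent.
            System.err.println("DEBUG: read-only subject, dropping " + principals);
            return false;
        }
        subject.getPrincipals().addAll(principals);
        subject.getPublicCredentials().add(credentials);
        return true;
    }

    /** Defensive check (assumption, not Oak's API): only reuse a subject taken from the
     *  AccessControlContext if it is writable and carries a marker credential of the
     *  given type identifying it as pre-authenticated. */
    static boolean isUsableForLogin(Subject subject, Class<?> preAuthMarker) {
        return subject != null
            && !subject.isReadOnly()
            && !subject.getPublicCredentials(preAuthMarker).isEmpty();
    }

    public static void main(String[] args) {
        Subject foreign = new Subject();                       // constructed sample subject
        foreign.getPrincipals().add((Principal) () -> "someone-else");
        foreign.setReadOnly();                                 // e.g. frozen by an unrelated framework

        Subject.doAs(foreign, (PrivilegedAction<Void>) () -> {
            // Same lookup the issue describes (Subject.current() on JDK 18+).
            Subject found = Subject.getSubject(AccessController.getContext());
            Set<Principal> oak = Set.of((Principal) () -> "oak-user");
            boolean added = commitInto(found, oak, "constructed-credentials");
            System.out.println("added=" + added + " principals=" + found.getPrincipals());
            System.out.println("usable=" + isUsableForLogin(found, String.class));
            return null;
        });
    }
}
```

Run as-is it prints `added=false` with only the foreign principal present and `usable=false`, which is the condition the issue wants detected before a JaasLoginContext is built.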