[ https://issues.apache.org/jira/browse/OAK-8763?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Manfred Baedke updated OAK-8763:
--------------------------------
    Attachment:     (was: OAK-8763-tests.patch)

> LoginContextProviderImpl uses any subject found in the AccessControlContext.
> ----------------------------------------------------------------------------
>
>                 Key: OAK-8763
>                 URL: https://issues.apache.org/jira/browse/OAK-8763
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: security-spi
>            Reporter: Manfred Baedke
>            Assignee: Angela Schreiber
>            Priority: Major
>         Attachments: OAK-8763-tests.patch, OAK-8763.patch
>
>
> LoginContextProviderImpl#getLoginContext(...) extracts the most recent
> subject from the AccessControlContext and then uses it for either a
> PreAuthContext or a JaasLoginContext. This is wrong, because there is no
> reason to assume that such a subject has anything to do with Oak. It
> particularly hurts when it's readonly, because JAAS will then silently fail
> to add principals and credentials.
> We would need a way to identify pre-authenticated subjects, and subjects that
> are not pre-authenticated should not be used to create a JaasLoginContext.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
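The failure mode the report describes, shown as a stand-alone Java demonstration added here; this is not Oak code and not the patch attached to the issue. It installs an unrelated, read-only Subject the way any other component in the same thread might, performs the same lookup the report names (Subject.getSubject(AccessController.getContext())), and shows that the lookup hands back that foreign subject and that adding a principal to it fails. The guard subjectForLogin and the marker principal PreAuthMarker are assumptions for illustration: the report asks for "a way to identify pre-authenticated subjects" without specifying one, so the marker stands in for whatever mechanism a provider would use. It assumes a JDK on which the AccessControlContext-based lookup is still available (it was the API in use when the issue was filed); on newer JDKs Subject.current() plays the same role.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.HashSet;
import javax.security.auth.Subject;

/**
 * Added demonstration (not Oak code): why "any Subject found in the
 * AccessControlContext" is an unsafe input for a JAAS login.
 */
public class SubjectGuardDemo {

    /** Hypothetical marker principal: a provider would attach something like this
     *  only to subjects it pre-authenticated itself. Not an Oak class. */
    public static final class PreAuthMarker implements Principal {
        @Override public String getName() { return "pre-authenticated"; }
    }

    /** Plain principal for the constructed, unrelated caller subject. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "NamedPrincipal[" + name + "]"; }
    }

    /**
     * Decide which Subject a login should operate on. The context subject is
     * used only if it carries the pre-auth marker and is still writable;
     * otherwise a fresh Subject is returned so that a LoginModule's commit()
     * can actually add principals and credentials.
     */
    public static Subject subjectForLogin(Subject fromContext) {
        if (fromContext == null) {
            return new Subject();
        }
        boolean preAuthenticated = !fromContext.getPrincipals(PreAuthMarker.class).isEmpty();
        if (!preAuthenticated || fromContext.isReadOnly()) {
            // Not ours, or frozen: do not let JAAS try to populate it.
            return new Subject();
        }
        return fromContext;
    }

    /** What a LoginModule's commit() effectively does: add the authenticated principal. */
    public static boolean tryAddPrincipal(Subject subject, Principal p) {
        try {
            subject.getPrincipals().add(p);
            return true;
        } catch (IllegalStateException readOnly) {
            // A read-only Subject rejects any mutation of its principal set.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: an unrelated subject installed by some other
        // component earlier in the call chain, already marked read-only.
        Subject unrelated = new Subject(false,
                new HashSet<>(Collections.singleton(new NamedPrincipal("some-other-app"))),
                new HashSet<>(), new HashSet<>());
        unrelated.setReadOnly();

        Subject.doAs(unrelated, (PrivilegedAction<Void>) () -> {
            // The lookup described in the report: it returns whatever subject
            // the caller installed, with no relation to the repository login.
            Subject found = Subject.getSubject(AccessController.getContext());
            System.out.println("subject in context: " + found.getPrincipals());

            boolean added = tryAddPrincipal(found, new NamedPrincipal("oak-user"));
            System.out.println("adding principal to context subject succeeded: " + added);

            Subject chosen = subjectForLogin(found);
            System.out.println("guard chose a fresh subject: " + (chosen != found));
            System.out.println("adding principal to chosen subject succeeded: "
                    + tryAddPrincipal(chosen, new NamedPrincipal("oak-user")));
            return null;
        });
    }
}
```

Compile and run with javac/java; the first add fails because the foreign subject is read-only, while the guard hands the login a fresh subject that accepts the principal. The point of isReadOnly() in the guard is that even a subject the provider did pre-authenticate is useless to a JaasLoginContext once it has been frozen.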