[ https://issues.apache.org/jira/browse/OAK-8763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16989043#comment-16989043 ]

Manfred Baedke commented on OAK-8763:
-------------------------------------

[~angela],

bq. i got confused, which of the 2 issues you were posting to because the 
discussions kept getting mixed

Yes, I noticed.

bq. yes, i mean the principals from the read-only subject.

Which means, in the case of the original scenario, some "JMXPrincipal: xyz", 
which is then the only principal to be found in the context. No principal 
associated with the user logging in will be contained in there. To me that 
looks like authorization issues.

> LoginContextProviderImpl uses any subject found in the AccessControlContext.
> ----------------------------------------------------------------------------
>
>                 Key: OAK-8763
>                 URL: https://issues.apache.org/jira/browse/OAK-8763
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: security-spi
>            Reporter: Manfred Baedke
>            Assignee: Angela Schreiber
>            Priority: Minor
>         Attachments: OAK-8763-tests.patch, OAK-8763.patch
>
>
> LoginContextProviderImpl#getLoginContext(...) extracts the most recent 
> subject from the AccessControlContext and then uses it for either a 
> PreAuthContext or a JaasLoginContext. This is wrong, because there is no 
> reason to assume that such a subject has anything to do with Oak. It 
> particularly hurts when it's readonly, because JAAS will then silently fail 
> to add principals and credentials.
> We would need a way to identify pre-authenticated subjects and subjects that 
> are not pre-authenticated should not be used to create a JaasLoginContext.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
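The failure mode the issue describes, as an added Java illustration that is not Oak's code: a foreign read-only subject carrying only a JMXPrincipal sits in the AccessControlContext, so reusing it for the login leaves the context with no principal for the user, because adding to a read-only subject is refused. The `OakUserPrincipal` marker and the guarded lookup are assumptions about how a pre-authenticated subject could be recognised, not Oak's actual mechanism.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;

// Added illustration of the failure mode in OAK-8763; not Oak's code.
// OakUserPrincipal is a hypothetical marker for "pre-authenticated by Oak".
public class ReadOnlySubjectDemo {
    static final class OakUserPrincipal implements Principal {
        private final String name;
        OakUserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "OakUserPrincipal: " + name; }
    }
    // Mirrors the reported logic: reuse whatever subject the context carries.
    static Subject flawedLookup() {
        Subject s = Subject.getSubject(AccessController.getContext());
        return s != null ? s : new Subject();
    }
    // Guarded variant: reuse only a writable subject carrying the marker principal.
    static Subject guardedLookup() {
        Subject s = Subject.getSubject(AccessController.getContext());
        boolean preAuth = s != null && !s.isReadOnly()
                && !s.getPrincipals(OakUserPrincipal.class).isEmpty();
        return preAuth ? s : new Subject();
    }
    // Stands in for a JAAS login module's commit(): add the authenticated principal.
    static boolean tryAddPrincipal(Subject s, Principal p) {
        try {
            return s.getPrincipals().add(p);
        } catch (IllegalStateException e) {
            return false; // "Subject is read-only": the principal is never added
        }
    }
    public static void main(String[] args) {
        Subject jmx = new Subject(); // constructed foreign, read-only subject
        jmx.getPrincipals().add(new JMXPrincipal("xyz"));
        jmx.setReadOnly();
        Subject.doAs(jmx, (PrivilegedAction<Void>) () -> {
            Principal alice = new OakUserPrincipal("alice");
            Subject flawed = flawedLookup();
            System.out.println("flawed: added=" + tryAddPrincipal(flawed, alice) + " " + flawed.getPrincipals());
            Subject guarded = guardedLookup();
            System.out.println("guarded: added=" + tryAddPrincipal(guarded, alice) + " " + guarded.getPrincipals());
            return null;
        });
    }
}
```

The flawed path reports `added=false` with only `[JMXPrincipal: xyz]` in the subject, while the guarded path falls back to a fresh subject and the user's principal is added.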