[ https://issues.apache.org/jira/browse/OAK-9224?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17200815#comment-17200815 ]
Angela Schreiber commented on OAK-9224:
---------------------------------------

[~tomek.rekawek], thanks for providing extra context. that helps....

as discussed in private today the token validator verifies that all changes are made and persisted through the {{TokenProvider}} API, which only allows to issue new tokens and obtain the {{TokenInfo}} for a given existing login token.

in case of a {{Session.importXML}} the changes however are persisted by the caller and the import is defined to be a transient operation... so even if the {{TokenProvider}} would support writing a token node from a given set of properties, persisting it during the import would violate the contract.

having said that:
- omitting the token node from the import should be doable without bigger effort
- importing the token node would probably require an extra thought about the security implications and if/how to relax the validator (e.g. by additionally allowing for system-sessions to write the token information as it is currently supported by the {{ExternalIdentityImporter}}).

> Create a protected property importer for handling user tokens
> -------------------------------------------------------------
>
>                 Key: OAK-9224
>                 URL: https://issues.apache.org/jira/browse/OAK-9224
>             Project: Jackrabbit Oak
>          Issue Type: Story
>          Components: core, security
>            Reporter: Tomek Rękawek
>            Assignee: Tomek Rękawek
>            Priority: Major
>             Fix For: 1.36.0
>
>
> An attempt to invoke {{javax.jcr.Session#importXML()}} on a payload including
> exported {{rep:User}} nodes will fail with the following message if the
> {{.tokens}} subnode is not empty:
> {noformat}
> javax.jcr.nodetype.ConstraintViolationException: OakConstraint0021: /home/users/5/5d60zjEABcbAjvqo8SyI/.tokens/50c611f9-9886-4124-ada6-e224ffeead8e[[rep:Token]]: Mandatory property rep:token.key not found in a new node
>       at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:226) [org.apache.jackrabbit.oak-api:1.34.0]
>       at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:213) [org.apache.jackrabbit.oak-api:1.34.0]
>       at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:677) [org.apache.jackrabbit.oak-jcr:1.34.0]
>       at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:503) [org.apache.jackrabbit.oak-jcr:1.34.0]
>       at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.performVoid(SessionImpl.java:424) [org.apache.jackrabbit.oak-jcr:1.34.0]
>       at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:273) [org.apache.jackrabbit.oak-jcr:1.34.0]
>       at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:421) [org.apache.jackrabbit.oak-jcr:1.34.0]
>       at com.adobe.granite.repository.impl.CRX3SessionImpl.save(CRX3SessionImpl.java:207) [com.adobe.granite.repository:1.6.100]
> {noformat}
> The reason is that all the properties in rep:Token nodes are protected:
> {noformat}
> [rep:Token] > mix:referenceable
> - rep:token.key (string) mandatory protected
> - rep:token.exp (date) mandatory protected
> - * (undefined) protected
> - * (undefined) protected multiple
> {noformat}
> and they'll be skipped by the importer unless there's a custom
> ProtectedPropertyImporter implementation handling them:
> https://github.com/apache/jackrabbit-oak/blob/bb749cac90617f9350189599f5f63ec20da7c490/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/ImporterImpl.java#L278-L288
> The goal of this story is to create such implementation, so the tokens can be
> imported together with the rest of the {{rep:User}} subtree.