[
https://issues.apache.org/jira/browse/OAK-9224?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17200815#comment-17200815
]
Angela Schreiber commented on OAK-9224:
---------------------------------------
[~tomek.rekawek], thanks for providing extra context. That helps... As
discussed in private today, the token validator verifies that all changes are
made and persisted through the {{TokenProvider}} API, which only allows
issuing new tokens and obtaining the {{TokenInfo}} for a given existing login token.
In the case of a {{Session.importXML}}, however, the changes are persisted by the
caller, and the import is defined to be a transient operation... so even if the
{{TokenProvider}} supported writing a token node from a given set of
properties, persisting it during the import would violate the contract.
Having said that:
- omitting the token node from the import should be doable without much
effort
- importing the token node would probably require an extra thought about the
security implications and if/how to relax the validator (e.g. by additionally
allowing system sessions to write the token information, as is currently
supported by the {{ExternalIdentityImporter}}).
> Create a protected property importer for handling user tokens
> -------------------------------------------------------------
>
> Key: OAK-9224
> URL: https://issues.apache.org/jira/browse/OAK-9224
> Project: Jackrabbit Oak
> Issue Type: Story
> Components: core, security
> Reporter: Tomek Rękawek
> Assignee: Tomek Rękawek
> Priority: Major
> Fix For: 1.36.0
>
>
> An attempt to invoke {{javax.jcr.Session#importXML()}} on a payload including
> exported {{rep:User}} nodes will fail with the following message if the
> {{.tokens}} subnode is not empty:
> {noformat}
> javax.jcr.nodetype.ConstraintViolationException: OakConstraint0021: /home/users/5/5d60zjEABcbAjvqo8SyI/.tokens/50c611f9-9886-4124-ada6-e224ffeead8e[[rep:Token]]: Mandatory property rep:token.key not found in a new node
> at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:226) [org.apache.jackrabbit.oak-api:1.34.0]
> at org.apache.jackrabbit.oak.api.CommitFailedException.asRepositoryException(CommitFailedException.java:213) [org.apache.jackrabbit.oak-api:1.34.0]
> at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.newRepositoryException(SessionDelegate.java:677) [org.apache.jackrabbit.oak-jcr:1.34.0]
> at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:503) [org.apache.jackrabbit.oak-jcr:1.34.0]
> at org.apache.jackrabbit.oak.jcr.session.SessionImpl$8.performVoid(SessionImpl.java:424) [org.apache.jackrabbit.oak-jcr:1.34.0]
> at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:273) [org.apache.jackrabbit.oak-jcr:1.34.0]
> at org.apache.jackrabbit.oak.jcr.session.SessionImpl.save(SessionImpl.java:421) [org.apache.jackrabbit.oak-jcr:1.34.0]
> at com.adobe.granite.repository.impl.CRX3SessionImpl.save(CRX3SessionImpl.java:207) [com.adobe.granite.repository:1.6.100]
> {noformat}
> The reason is that all the properties in {{rep:Token}} nodes are protected:
> {noformat}
> [rep:Token] > mix:referenceable
> - rep:token.key (string) mandatory protected
> - rep:token.exp (date) mandatory protected
> - * (undefined) protected
> - * (undefined) protected multiple
> {noformat}
> and they'll be skipped by the importer unless there's a custom
> {{ProtectedPropertyImporter}} implementation handling them:
> https://github.com/apache/jackrabbit-oak/blob/bb749cac90617f9350189599f5f63ec20da7c490/oak-jcr/src/main/java/org/apache/jackrabbit/oak/jcr/xml/ImporterImpl.java#L278-L288
> The goal of this story is to create such an implementation, so the tokens can be
> imported together with the rest of the {{rep:User}} subtree.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
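Until the importer side is settled, the first of the two options above (leave the token nodes out of the import) can be applied on the caller's side: filter every rep:Token node out of the system-view XML before handing it to Session.importXML, so the "Mandatory property rep:token.key not found" constraint violation never arises. The script below is an added example for this thread, not code from the Oak project or from the issue; the sample export is constructed to mirror the subtree named in the stack trace, and the rep:token.key / rep:token.exp values in it are placeholders. It keeps the .tokens container (an empty .tokens node imports fine, as the description notes) and drops only the rep:Token children, whose mandatory properties are all protected. It also goes slightly beyond the .tokens case in the description: it removes a rep:Token node wherever it appears in the document, matching on jcr:primaryType rather than on the parent name.

```python
import xml.etree.ElementTree as ET

# JCR system-view namespace used by Session.exportSystemView() / Session.importXML().
SV_NS = "http://www.jcr.org/jcr/sv/1.0"
SV_NODE = "{%s}node" % SV_NS
SV_PROPERTY = "{%s}property" % SV_NS
SV_VALUE = "{%s}value" % SV_NS
SV_NAME = "{%s}name" % SV_NS

TOKEN_NT = "rep:Token"


def primary_type(node):
    """Return the jcr:primaryType value of a system-view sv:node, or None."""
    for prop in node.findall(SV_PROPERTY):
        if prop.get(SV_NAME) == "jcr:primaryType":
            value = prop.find(SV_VALUE)
            return value.text if value is not None else None
    return None


def strip_token_nodes(xml_text):
    """Drop every sv:node whose primary type is rep:Token from a system-view document.

    Returns (filtered_xml, removed_paths). The .tokens container itself is kept;
    only the rep:Token children, which the importer cannot create because all
    their mandatory properties are protected, are removed.
    """
    ET.register_namespace("sv", SV_NS)
    root = ET.fromstring(xml_text)
    removed = []

    def walk(node, path):
        for child in list(node.findall(SV_NODE)):
            child_path = path + "/" + child.get(SV_NAME)
            if primary_type(child) == TOKEN_NT:
                node.remove(child)
                removed.append(child_path)
            else:
                walk(child, child_path)

    walk(root, "/" + root.get(SV_NAME))
    return ET.tostring(root, encoding="unicode"), removed


def token_nodes(xml_text):
    """Pre-import check: paths of rep:Token nodes that would trip the constraint."""
    _, found = strip_token_nodes(xml_text)
    return found


# Constructed sample export: a rep:User with one login token under .tokens,
# shaped like the subtree in the stack trace. Key and expiry values are made up.
SAMPLE_EXPORT = """<sv:node xmlns:sv="http://www.jcr.org/jcr/sv/1.0" sv:name="5d60zjEABcbAjvqo8SyI">
  <sv:property sv:name="jcr:primaryType" sv:type="Name"><sv:value>rep:User</sv:value></sv:property>
  <sv:property sv:name="rep:principalName" sv:type="String"><sv:value>alice</sv:value></sv:property>
  <sv:node sv:name=".tokens">
    <sv:property sv:name="jcr:primaryType" sv:type="Name"><sv:value>rep:Unstructured</sv:value></sv:property>
    <sv:node sv:name="50c611f9-9886-4124-ada6-e224ffeead8e">
      <sv:property sv:name="jcr:primaryType" sv:type="Name"><sv:value>rep:Token</sv:value></sv:property>
      <sv:property sv:name="rep:token.key" sv:type="String"><sv:value>constructed-key-hash</sv:value></sv:property>
      <sv:property sv:name="rep:token.exp" sv:type="Date"><sv:value>2020-09-30T00:00:00.000Z</sv:value></sv:property>
    </sv:node>
  </sv:node>
</sv:node>
"""

if __name__ == "__main__":
    cleaned, dropped = strip_token_nodes(SAMPLE_EXPORT)
    print("removed:", dropped)
    print(cleaned)
```

Run token_nodes() on an export first if you only want to know whether an import will fail; feed the output of strip_token_nodes() to importXML when you want the user subtree without its login tokens. Dropping the tokens is also the safer default from a security standpoint: a login token copied between repositories keeps working until rep:token.exp, which is exactly the kind of write the token validator exists to prevent.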