[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin

2022-08-09 Thread GitBox


kwin commented on code in PR #78:
URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r941353233


##
src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java:
##
@@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request,
 // finally redirect
 final String path = request.getContextPath() + request.getServletPath()
 + request.getPathInfo();
-final String redirectTo;
+String redirectTo;
 if (msg == null) {
 redirectTo = path;
 } else {
 redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&'
 + PAR_TEST + '=' + encodeParam(test);
+if ( user != null && user.length() > 0 ) {
+redirectTo += '&' + PAR_USER + '=' + encodeParam(user);
+}
 }
 response.sendRedirect(redirectTo);
 }
 
+private ResourceResolver 
getImpersonatedResourceResolver(HttpServletRequest request, final String user)
+throws LoginException {
+
+// resolver is set by the auth.core bundle in case of successful 
authentication, so it should
+// always be there
+Object resolverAttribute = 
request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
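Review bot: in the redirect part of the hunk the user parameter is appended only inside the `else` branch (when `msg != null`), so a POST that yields no message redirects to the bare `path` and silently drops the selected user; if the user field is meant to survive the round trip, append `PAR_USER` outside the `msg` branch. Minor: `user != null && user.length() > 0` reads better as `user != null && !user.isEmpty()`, and trimming first would avoid treating a whitespace-only value as a user name.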

Review Comment:
   Actually the user needs to be "admin", just being member of the 
administrators group is IMHO not enough. I don't think that there is an option 
yet for a user to enable him to impersonate as anyone else. Might be a good 
extension though for Oak. 
   The same limitation applies to the user doing the webconsole request (in 
case the Sling Webconsole Security provider is used), so in fact this option 
only works for admin with all other users.
   Therefore I would suggest using a new administrative resource resolver with 
impersonation and whitelisting the usage accordingly. 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin

2022-08-09 Thread GitBox


kwin commented on code in PR #78:
URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r941353233


##
src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java:
##
@@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request,
 // finally redirect
 final String path = request.getContextPath() + request.getServletPath()
 + request.getPathInfo();
-final String redirectTo;
+String redirectTo;
 if (msg == null) {
 redirectTo = path;
 } else {
 redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&'
 + PAR_TEST + '=' + encodeParam(test);
+if ( user != null && user.length() > 0 ) {
+redirectTo += '&' + PAR_USER + '=' + encodeParam(user);
+}
 }
 response.sendRedirect(redirectTo);
 }
 
+private ResourceResolver 
getImpersonatedResourceResolver(HttpServletRequest request, final String user)
+throws LoginException {
+
+// resolver is set by the auth.core bundle in case of successful 
authentication, so it should
+// always be there
+Object resolverAttribute = 
request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);

Review Comment:
   Actually the user needs to be "admin", just being member of the 
administrators group is IMHO not enough. I don't think that there is an option 
yet for a user to enable him to impersonate as anyone else. Might be a good 
extension though. 
   The same limitation applies to the user doing the webconsole request (in 
case the Sling Webconsole Security provider is used), so in fact this option 
only works for admin with all other users.
   Therefore I would suggest using a new administrative resource resolver with 
impersonation and whitelisting the usage accordingly. 






[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin

2022-08-09 Thread GitBox


kwin commented on code in PR #78:
URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r941071279


##
src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java:
##
@@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request,
 // finally redirect
 final String path = request.getContextPath() + request.getServletPath()
 + request.getPathInfo();
-final String redirectTo;
+String redirectTo;
 if (msg == null) {
 redirectTo = path;
 } else {
 redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&'
 + PAR_TEST + '=' + encodeParam(test);
+if ( user != null && user.length() > 0 ) {
+redirectTo += '&' + PAR_USER + '=' + encodeParam(user);
+}
 }
 response.sendRedirect(redirectTo);
 }
 
+private ResourceResolver 
getImpersonatedResourceResolver(HttpServletRequest request, final String user)
+throws LoginException {
+
+// resolver is set by the auth.core bundle in case of successful 
authentication, so it should
+// always be there
+Object resolverAttribute = 
request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);

Review Comment:
   You need to adjust privileges of the underlying technical user: 
https://jackrabbit.apache.org/oak/docs/security/authentication/default.html#impersonation






[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin

2022-08-09 Thread GitBox


kwin commented on code in PR #78:
URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r941071279


##
src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java:
##
@@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request,
 // finally redirect
 final String path = request.getContextPath() + request.getServletPath()
 + request.getPathInfo();
-final String redirectTo;
+String redirectTo;
 if (msg == null) {
 redirectTo = path;
 } else {
 redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&'
 + PAR_TEST + '=' + encodeParam(test);
+if ( user != null && user.length() > 0 ) {
+redirectTo += '&' + PAR_USER + '=' + encodeParam(user);
+}
 }
 response.sendRedirect(redirectTo);
 }
 
+private ResourceResolver 
getImpersonatedResourceResolver(HttpServletRequest request, final String user)
+throws LoginException {
+
+// resolver is set by the auth.core bundle in case of successful 
authentication, so it should
+// always be there
+Object resolverAttribute = 
request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);

Review Comment:
   You need to adjust privileges of the underlying technical user.






[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin

2022-08-08 Thread GitBox


kwin commented on code in PR #78:
URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r940262210


##
src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java:
##
@@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request,
 // finally redirect
 final String path = request.getContextPath() + request.getServletPath()
 + request.getPathInfo();
-final String redirectTo;
+String redirectTo;
 if (msg == null) {
 redirectTo = path;
 } else {
 redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&'
 + PAR_TEST + '=' + encodeParam(test);
+if ( user != null && user.length() > 0 ) {
+redirectTo += '&' + PAR_USER + '=' + encodeParam(user);
+}
 }
 response.sendRedirect(redirectTo);
 }
 
+private ResourceResolver 
getImpersonatedResourceResolver(HttpServletRequest request, final String user)
+throws LoginException {
+
+// resolver is set by the auth.core bundle in case of successful 
authentication, so it should
+// always be there
+Object resolverAttribute = 
request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
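Review bot: the comment above `Object resolverAttribute` turns an expectation into an unchecked assumption: the attribute is only present when auth.core handled the login, and the value is a plain `Object` that still needs an `instanceof ResourceResolver` check before it is used. Throw a `LoginException` with a clear message when it is missing or of the wrong type instead of relying on "it should always be there", and, as the review comment says, derive the impersonated resolver from a service resolver whose user actually holds the impersonation right rather than from the request's resolver.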

Review Comment:
   Just try to get a resourceresolver based on the service one and the user 
to impersonate. The one returned as request attribute might not have the 
according rights.






[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin

2022-08-08 Thread GitBox


kwin commented on code in PR #78:
URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r940262210


##
src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java:
##
@@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request,
 // finally redirect
 final String path = request.getContextPath() + request.getServletPath()
 + request.getPathInfo();
-final String redirectTo;
+String redirectTo;
 if (msg == null) {
 redirectTo = path;
 } else {
 redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&'
 + PAR_TEST + '=' + encodeParam(test);
+if ( user != null && user.length() > 0 ) {
+redirectTo += '&' + PAR_USER + '=' + encodeParam(user);
+}
 }
 response.sendRedirect(redirectTo);
 }
 
+private ResourceResolver 
getImpersonatedResourceResolver(HttpServletRequest request, final String user)
+throws LoginException {
+
+// resolver is set by the auth.core bundle in case of successful 
authentication, so it should
+// always be there
+Object resolverAttribute = 
request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);

Review Comment:
   Just try to get a resourceresolver based on the service one. The one 
returned as request attribute might not have the according rights.






[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin

2022-08-08 Thread GitBox


kwin commented on code in PR #78:
URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r939879452


##
src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java:
##
@@ -160,14 +169,22 @@ protected void doGet(final HttpServletRequest request,
 + "clearly marked, and the others listed for 
completeness.");
 
 pw.println("");
-pw.println("Test");
 pw.print("");
-pw.print("");
+pw.println("");
+pw.print("Test ");
 pw.print("");
+pw.println("' class='input' size='20'>");
+pw.print("User (optional)");
+pw.print(" authenticationInfo = new HashMap<>();
+authenticationInfo.put(ResourceResolverFactory.USER_IMPERSONATION, 
user);
+
authenticationInfo.put(JcrResourceConstants.AUTHENTICATION_INFO_SESSION, 
currentResolver.adaptTo(Session.class));
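Review bot: `currentResolver.adaptTo(Session.class)` at the end of the hunk is put into `authenticationInfo` without a null check; when the resolver is not backed by the JCR resource provider it returns null and the `AUTHENTICATION_INFO_SESSION` entry silently becomes `null`, so the later login fails far from the cause. Check the result and throw a `LoginException` with a clear message before building the map.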

Review Comment:
   This adaptTo may return null in case JCR resource provider is not used, a 
null check is necessary here.



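As an added example (not code from the PR or from the Sling project), this is one way to implement what the review comments on this PR ask for: impersonate from a dedicated service user rather than from the resolver found in the request, and fail cleanly when `adaptTo(Session.class)` returns null. The helper class and the subservice name `webconsole-impersonation` are assumptions; the service user it maps to must be granted the impersonation privilege for the target users as described in the linked Oak documentation.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

import javax.jcr.Session;

import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.jcr.resource.api.JcrResourceConstants;

/**
 * Added example, not code from the PR: run a piece of work as {@code user}
 * by impersonating from a dedicated service user instead of from the request's
 * resolver (whose session may only impersonate if that user is admin).
 * The subservice name is an assumption and must be mapped, via the Sling
 * service user mapper, to a user holding the impersonation privilege.
 */
final class ImpersonationHelper {

    /** Hypothetical subservice name, to be mapped via the service user mapper. */
    static final String SUBSERVICE = "webconsole-impersonation";

    private ImpersonationHelper() {}

    static <T> T runAs(ResourceResolverFactory factory, String user,
            Function<ResourceResolver, T> work) throws LoginException {
        if (user == null || user.trim().isEmpty()) {
            throw new LoginException("No user to impersonate given");
        }
        Map<String, Object> serviceInfo = new HashMap<>();
        serviceInfo.put(ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        // Both resolvers are closed in reverse order by try-with-resources,
        // so neither the service session nor the impersonated one leaks.
        try (ResourceResolver serviceResolver = factory.getServiceResourceResolver(serviceInfo)) {
            Session serviceSession = serviceResolver.adaptTo(Session.class);
            if (serviceSession == null) {
                // Not JCR-backed: impersonation via a session is impossible,
                // so fail with a clear message instead of a NullPointerException.
                throw new LoginException("Service resolver is not backed by a JCR session");
            }
            Map<String, Object> authInfo = new HashMap<>();
            authInfo.put(JcrResourceConstants.AUTHENTICATION_INFO_SESSION, serviceSession);
            authInfo.put(ResourceResolverFactory.USER_IMPERSONATION, user.trim());
            try (ResourceResolver impersonated = factory.getResourceResolver(authInfo)) {
                return work.apply(impersonated);
            }
        }
    }
}
```

The webconsole plugin would call `runAs(factory, user, r -> r.resolve(path))` for a resolve test, so the impersonated resolver never outlives the request that created it.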