[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin
kwin commented on code in PR #78: URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r941353233 ## src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java: ## @@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request, // finally redirect final String path = request.getContextPath() + request.getServletPath() + request.getPathInfo(); -final String redirectTo; +String redirectTo; if (msg == null) { redirectTo = path; } else { redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&' + PAR_TEST + '=' + encodeParam(test); +if ( user != null && user.length() > 0 ) { +redirectTo += '&' + PAR_USER + '=' + encodeParam(user); +} } response.sendRedirect(redirectTo); } +private ResourceResolver getImpersonatedResourceResolver(HttpServletRequest request, final String user) +throws LoginException { + +// resolver is set by the auth.core bundle in case of successful authentication, so it should +// always be there +Object resolverAttribute = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER); Review Comment: Actually the user needs to be "admin", just being member of the administrators group is IMHO not enough. I don't think that there is an option yet for a user to enable him to impersonate as anyone else. Might be a good extension though for Oak. The same limitation applies to the user doing the webconsole request (in case the Sling Webconsole Security provider is used), so in fact this option does only work for admin with all other users. Therefore I would suggest to use a new administrative resource resolver with impersonation and whitelist the usage accordingly. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin
kwin commented on code in PR #78: URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r941353233 ## src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java: ## @@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request, // finally redirect final String path = request.getContextPath() + request.getServletPath() + request.getPathInfo(); -final String redirectTo; +String redirectTo; if (msg == null) { redirectTo = path; } else { redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&' + PAR_TEST + '=' + encodeParam(test); +if ( user != null && user.length() > 0 ) { +redirectTo += '&' + PAR_USER + '=' + encodeParam(user); +} } response.sendRedirect(redirectTo); } +private ResourceResolver getImpersonatedResourceResolver(HttpServletRequest request, final String user) +throws LoginException { + +// resolver is set by the auth.core bundle in case of successful authentication, so it should +// always be there +Object resolverAttribute = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER); Review Comment: Actually the user needs to be "admin", just being member of the administrators group is IMHO not enough. I don't think that there is an option yet for a user to enable him to impersonate as anyone else. Might be a good extension though. The same limitation applies to the user doing the webconsole request (in case the Sling Webconsole Security provider is used), so in fact this option does only work for admin with all other users. Therefore I would suggest to use a new administrative resource resolver with impersonation and whitelist the usage accordingly. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin
kwin commented on code in PR #78: URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r941071279 ## src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java: ## @@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request, // finally redirect final String path = request.getContextPath() + request.getServletPath() + request.getPathInfo(); -final String redirectTo; +String redirectTo; if (msg == null) { redirectTo = path; } else { redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&' + PAR_TEST + '=' + encodeParam(test); +if ( user != null && user.length() > 0 ) { +redirectTo += '&' + PAR_USER + '=' + encodeParam(user); +} } response.sendRedirect(redirectTo); } +private ResourceResolver getImpersonatedResourceResolver(HttpServletRequest request, final String user) +throws LoginException { + +// resolver is set by the auth.core bundle in case of successful authentication, so it should +// always be there +Object resolverAttribute = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER); Review Comment: You need to adjust privileges of the underlying technical user: https://jackrabbit.apache.org/oak/docs/security/authentication/default.html#impersonation -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin
kwin commented on code in PR #78: URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r941071279 ## src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java: ## @@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request, // finally redirect final String path = request.getContextPath() + request.getServletPath() + request.getPathInfo(); -final String redirectTo; +String redirectTo; if (msg == null) { redirectTo = path; } else { redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&' + PAR_TEST + '=' + encodeParam(test); +if ( user != null && user.length() > 0 ) { +redirectTo += '&' + PAR_USER + '=' + encodeParam(user); +} } response.sendRedirect(redirectTo); } +private ResourceResolver getImpersonatedResourceResolver(HttpServletRequest request, final String user) +throws LoginException { + +// resolver is set by the auth.core bundle in case of successful authentication, so it should +// always be there +Object resolverAttribute = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER); Review Comment: You need to adjust privileges of the underlying technical user. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin
kwin commented on code in PR #78: URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r940262210 ## src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java: ## @@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request, // finally redirect final String path = request.getContextPath() + request.getServletPath() + request.getPathInfo(); -final String redirectTo; +String redirectTo; if (msg == null) { redirectTo = path; } else { redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&' + PAR_TEST + '=' + encodeParam(test); +if ( user != null && user.length() > 0 ) { +redirectTo += '&' + PAR_USER + '=' + encodeParam(user); +} } response.sendRedirect(redirectTo); } +private ResourceResolver getImpersonatedResourceResolver(HttpServletRequest request, final String user) +throws LoginException { + +// resolver is set by the auth.core bundle in case of successful authentication, so it should +// always be there +Object resolverAttribute = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER); Review Comment: Just try to get a resourceresolver based on the service one and the user is to impersonate. The one returned as request attribute might not have the according rights -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin
kwin commented on code in PR #78: URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r940262210 ## src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java: ## @@ -255,19 +278,42 @@ protected void doPost(HttpServletRequest request, // finally redirect final String path = request.getContextPath() + request.getServletPath() + request.getPathInfo(); -final String redirectTo; +String redirectTo; if (msg == null) { redirectTo = path; } else { redirectTo = path + '?' + PAR_MSG + '=' + encodeParam(msg) + '&' + PAR_TEST + '=' + encodeParam(test); +if ( user != null && user.length() > 0 ) { +redirectTo += '&' + PAR_USER + '=' + encodeParam(user); +} } response.sendRedirect(redirectTo); } +private ResourceResolver getImpersonatedResourceResolver(HttpServletRequest request, final String user) +throws LoginException { + +// resolver is set by the auth.core bundle in case of successful authentication, so it should +// always be there +Object resolverAttribute = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER); Review Comment: Just try to get a resourceresolver based on the service one. The one returned as request attribute might not have the according rights -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [sling-org-apache-sling-resourceresolver] kwin commented on a diff in pull request #78: Various improvements for the webconsole plugin
kwin commented on code in PR #78: URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78#discussion_r939879452 ## src/main/java/org/apache/sling/resourceresolver/impl/console/ResourceResolverWebConsolePlugin.java: ## @@ -160,14 +169,22 @@ protected void doGet(final HttpServletRequest request, + "clearly marked, and the others listed for completeness."); pw.println(""); -pw.println("Test"); pw.print(""); -pw.print(""); +pw.println(""); +pw.print("Test "); pw.print(""); +pw.println("' class='input' size='20'>"); +pw.print("User (optional)"); +pw.print(" authenticationInfo = new HashMap<>(); +authenticationInfo.put(ResourceResolverFactory.USER_IMPERSONATION, user); + authenticationInfo.put(JcrResourceConstants.AUTHENTICATION_INFO_SESSION, currentResolver.adaptTo(Session.class)); Review Comment: This adaptTo may return null in case JCR resource provider is not used, a null check is necessary here. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org