date:20180207

Re: Deprecation of SlingRepository.loginAdministrative()

2018-02-07 Thread Alexander Klimetschek

I had the same question previously. It is not very feasible to configure a 
service user as a delegate on each individual human user. Especially when these 
human users are constantly added or removed.

This is a question for Oak, I believe.

Cheers,
Alex

> On 07.02.2018, at 14:03, Jörg Hoh  wrote:
> 
> Hi Roy,
> 
> that's indeed good news, as it seems to solve the impersonation usecase. On
> the other hand the javadoc is quite clear, that the requirements of the
> impersonation process itself come from the underlying repository. I
> typically use Oak and the Oak documentation at [1] says that with the
> DefaultLoginModule it still requires some kind of prerequisits
> ("Impersonation another user will only succeed if the impersonated user is
> valid (i.e. exists and is not disabled) *and* the the user associated with
> the editing session is allowed to impersonate this user.").
> 
> 
> Jörg
> 
> 
> 
> [1]
> https://jackrabbit.apache.org/oak/docs/security/authentication/default.html#impersonation
> 
> 
> 
> 2018-02-07 22:50 GMT+01:00 Roy Teeuwen :
> 
>> Hey Andres,
>> 
>> We had a similar use case to do impersonation, there is another method for
>> that now:
>> 
>> https://sling.apache.org/apidocs/sling10/org/apache/
>> sling/jcr/api/SlingRepository.html#impersonateFromService-
>> java.lang.String-javax.jcr.Credentials-java.lang.String-
>> 
>> Greets,
>> Roy
>> 
>> 
>> On 7 Feb 2018, at 20:49, Andres Bott  wrote:
>> 
>> Maybe a solution would be
>> - deprecate / remove the method ( to avoid old code to run as admin)
>> - rename the class / method and add an info to the log
>> 
>> in this way we make sure that old code gets migrated to service users, and
>> the places where it really makes sense to use admin user, the developer
>> should be aware of it.
>> 
>> Andres
>> 
>> 
>> El 2018-02-06 14:09, Bertrand Delacretaz escribió:
>> 
>> On Tue, Feb 6, 2018 at 1:02 PM, Jörg Hoh  wrote:
>> 
>> ...Long story short: Is the loginAdministrative() method planned to be
>> removed? If yes, we should clearly give best practices and document how it
>> can be replaced even in the non-trivial cases. If it's going to stay, we
>> should remove the deprecation warning
>> 
>> I think we need to keep warnings that loginAdmin should be used as
>> sparingly as possible.
>> And probably provide some examples where it does make sense to use it.
>> But deprecation might not be the correct term, as you indicate.
>> -Bertrand
>> 
>> 
>> 
> 
> 
> -- 
> Cheers,
> Jörg Hoh,
> 
> http://cqdump.wordpress.com
> Twitter: @joerghoh

Re: Deprecation of SlingRepository.loginAdministrative()

2018-02-07 Thread Jörg Hoh

Hi Roy,

that's indeed good news, as it seems to solve the impersonation usecase. On
the other hand the javadoc is quite clear, that the requirements of the
impersonation process itself come from the underlying repository. I
typically use Oak and the Oak documentation at [1] says that with the
DefaultLoginModule it still requires some kind of prerequisits
("Impersonation another user will only succeed if the impersonated user is
valid (i.e. exists and is not disabled) *and* the the user associated with
the editing session is allowed to impersonate this user.").


Jörg



[1]
https://jackrabbit.apache.org/oak/docs/security/authentication/default.html#impersonation



2018-02-07 22:50 GMT+01:00 Roy Teeuwen :

> Hey Andres,
>
> We had a similar use case to do impersonation, there is another method for
> that now:
>
> https://sling.apache.org/apidocs/sling10/org/apache/
> sling/jcr/api/SlingRepository.html#impersonateFromService-
> java.lang.String-javax.jcr.Credentials-java.lang.String-
>
> Greets,
> Roy
>
>
> On 7 Feb 2018, at 20:49, Andres Bott  wrote:
>
> Maybe a solution would be
> - deprecate / remove the method ( to avoid old code to run as admin)
> - rename the class / method and add an info to the log
>
> in this way we make sure that old code gets migrated to service users, and
> the places where it really makes sense to use admin user, the developer
> should be aware of it.
>
> Andres
>
>
> El 2018-02-06 14:09, Bertrand Delacretaz escribió:
>
> On Tue, Feb 6, 2018 at 1:02 PM, Jörg Hoh  wrote:
>
> ...Long story short: Is the loginAdministrative() method planned to be
> removed? If yes, we should clearly give best practices and document how it
> can be replaced even in the non-trivial cases. If it's going to stay, we
> should remove the deprecation warning
>
> I think we need to keep warnings that loginAdmin should be used as
> sparingly as possible.
> And probably provide some examples where it does make sense to use it.
> But deprecation might not be the correct term, as you indicate.
> -Bertrand
>
>
>


-- 
Cheers,
Jörg Hoh,

http://cqdump.wordpress.com
Twitter: @joerghoh

Re: Deprecation of SlingRepository.loginAdministrative()

2018-02-07 Thread Roy Teeuwen

Hey Andres,

We had a similar use case to do impersonation, there is another method for that 
now:

https://sling.apache.org/apidocs/sling10/org/apache/sling/jcr/api/SlingRepository.html#impersonateFromService-java.lang.String-javax.jcr.Credentials-java.lang.String-
 


Greets,
Roy

> On 7 Feb 2018, at 20:49, Andres Bott  wrote:
> 
> Maybe a solution would be
> - deprecate / remove the method ( to avoid old code to run as admin)
> - rename the class / method and add an info to the log
> 
> in this way we make sure that old code gets migrated to service users, and 
> the places where it really makes sense to use admin user, the developer 
> should be aware of it.
> 
> Andres
> 
> 
> El 2018-02-06 14:09, Bertrand Delacretaz escribió:
>> On Tue, Feb 6, 2018 at 1:02 PM, Jörg Hoh  wrote:
>>> ...Long story short: Is the loginAdministrative() method planned to be
>>> removed? If yes, we should clearly give best practices and document how it
>>> can be replaced even in the non-trivial cases. If it's going to stay, we
>>> should remove the deprecation warning
>> I think we need to keep warnings that loginAdmin should be used as
>> sparingly as possible.
>> And probably provide some examples where it does make sense to use it.
>> But deprecation might not be the correct term, as you indicate.
>> -Bertrand



signature.asc
Description: Message signed with OpenPGP

Re: Deprecation of SlingRepository.loginAdministrative()

2018-02-07 Thread Andres Bott


Maybe a solution would be
- deprecate / remove the method ( to avoid old code to run as admin)
- rename the class / method and add an info to the log

in this way we make sure that old code gets migrated to service users, 
and the places where it really makes sense to use admin user, the 
developer should be aware of it.


Andres


El 2018-02-06 14:09, Bertrand Delacretaz escribió:
On Tue, Feb 6, 2018 at 1:02 PM, Jörg Hoh  
wrote:

...Long story short: Is the loginAdministrative() method planned to be
removed? If yes, we should clearly give best practices and document 
how it
can be replaced even in the non-trivial cases. If it's going to stay, 
we

should remove the deprecation warning


I think we need to keep warnings that loginAdmin should be used as
sparingly as possible.

And probably provide some examples where it does make sense to use it.

But deprecation might not be the correct term, as you indicate.

-Bertrand

Re: Deprecation of SlingRepository.loginAdministrative()

Re: Deprecation of SlingRepository.loginAdministrative()

Re: Deprecation of SlingRepository.loginAdministrative()

Re: Deprecation of SlingRepository.loginAdministrative()

4 matches

Site Navigation

Mail list logo

Footer information