Description
The current JCR Session.impersonate() logic implemented in HippoLoginModule has a peculiar twist when impersonating another user through a System session (having the SystemPrincipal).
In that case, always the SystemPrincipal is added/set in the new session, resulting in the impersonated session again becoming a System session. Effectively a System session cannot be used to 'downgrade' to a different/user session right now.
While this can be considered a bug, fixing it 'proper' results in backwards incompatible behavior, if specific usages now expect/depend on this.
Some of these usages indeed exists in the core of Hippo CMS itself, like in the SCXML Document Workflow definition, expecting a "system" session to be used to executed scheduled workflow jobs.
For backwards compatibility therefore an intermediate solution will be provided as a workaround instead, while the proper fix will be done through a separate issue for the next major version.
The workaround to allow a System session to impersonate another user without becoming a System session again is provided through a new (and deprecated!) HippoSession.NO_SYSTEM_IMPERSONATION attribute name, which can be set on the SimpleCredentials parameter for the Session.impersonate() call like this:
Session systemSession .... final SimpleCredentials userCredentials = new SimpleCredentials("user", new char[]{}); userCredentials.setAttribute(HippoSession.NO_SYSTEM_IMPERSONATION, Boolean.TRUE); Session userSession = systemSession.impersonate(userCredentials);
The HippoSession.NO_SYSTEM_IMPERSONATION attribute is defined as follows:
/** * By default a System Session when impersonating another user will always add the SystemPrincipal itself to the impersonated session. * This has as 'side-effect' that it a System Session cannot be 'downgraded' to a normal user. * This limitation or 'feature' will be removed in a next major release. * Until then, the desired effect can be achieved by adding this attribute with any value (not null) on the SimpleCredentials * parameter in a {@link Session#impersonate(Credentials)} call. If this attribute is defined, the SystemPrincipal will not be added * to the impersonated session when using the System session to impersonate another session. * @deprecated this attribute name and usage will be removed again when the limitation as described above has been fixed. */ String NO_SYSTEM_IMPERSONATION = "org.hippoecm.repository.api.security.no-system-impersonation";
Attachments
Issue Links
- is backported by
-
REPO-1320 [7.9 backport] System session impersonator always impersonates to another system session
- Closed
-
REPO-1321 [10.0 backport] System session impersonator always impersonates to another system session
- Closed
-
REPO-1345 [7.8 backport] System session impersonator always impersonates to another system session
- Closed