Uploaded image for project: '[Read Only] - Hippo Repository'
  1. [Read Only] - Hippo Repository
  2. REPO-1317

System session impersonator always impersonates to another system session

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • None
    • 3.1.0
    • None

    Description

      The current JCR Session.impersonate() logic implemented in HippoLoginModule has a peculiar twist when impersonating another user through a System session (having the SystemPrincipal).
      In that case, always the SystemPrincipal is added/set in the new session, resulting in the impersonated session again becoming a System session. Effectively a System session cannot be used to 'downgrade' to a different/user session right now.

      While this can be considered a bug, fixing it 'proper' results in backwards incompatible behavior, if specific usages now expect/depend on this.
      Some of these usages indeed exists in the core of Hippo CMS itself, like in the SCXML Document Workflow definition, expecting a "system" session to be used to executed scheduled workflow jobs.

      For backwards compatibility therefore an intermediate solution will be provided as a workaround instead, while the proper fix will be done through a separate issue for the next major version.

      The workaround to allow a System session to impersonate another user without becoming a System session again is provided through a new (and deprecated!) HippoSession.NO_SYSTEM_IMPERSONATION attribute name, which can be set on the SimpleCredentials parameter for the Session.impersonate() call like this:

              Session systemSession ....
              final SimpleCredentials userCredentials = new SimpleCredentials("user", new char[]{});
              userCredentials.setAttribute(HippoSession.NO_SYSTEM_IMPERSONATION, Boolean.TRUE);
              Session userSession = systemSession.impersonate(userCredentials);
      

      The HippoSession.NO_SYSTEM_IMPERSONATION attribute is defined as follows:

          /**
           * By default a System Session when impersonating another user will always add the SystemPrincipal itself to the impersonated session.
           * This has as 'side-effect' that it a System Session cannot be 'downgraded' to a normal user.
           * This limitation or 'feature' will be removed in a next major release.
           * Until then, the desired effect can be achieved by adding this attribute with any value (not null) on the SimpleCredentials
           * parameter in a {@link Session#impersonate(Credentials)} call. If this attribute is defined, the SystemPrincipal will not be added
           * to the impersonated session when using the System session to impersonate another session.
           * @deprecated this attribute name and usage will be removed again when the limitation as described above has been fixed.
           */
          String NO_SYSTEM_IMPERSONATION = "org.hippoecm.repository.api.security.no-system-impersonation";
      

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              adouma Ate Douma (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: