Uploaded image for project: 'Hippo Repository'
  1. Hippo Repository
  2. REPO-1345

[7.8 backport] System session impersonator always impersonates to another system session

    XMLWordPrintable

    Details

    • Similar issues:

      Description

      The current JCR Session.impersonate() logic implemented in HippoLoginModule has a peculiar twist when impersonating another user through a System session (having the SystemPrincipal).
      In that case, the SystemPrincipal is always added/set in the new session, resulting in the impersonated session again becoming a System session. Effectively a System session cannot be used to 'downgrade' to a different/user session right now.

      While this can be considered a bug, fixing it 'proper' results in backwards incompatible behavior, if specific usages now expect/depend on this.
      Some of these usages indeed exists in the core of Hippo CMS itself, like in the SCXML Document Workflow definition, expecting a "system" session to be used to executed scheduled workflow jobs.

      For backwards compatibility therefore an intermediate solution will be provided as a workaround instead, while the proper fix will be done through a separate issue for the next major version.

      The workaround to allow a System session to impersonate another user without becoming a System session again is provided through a new (and deprecated!) HippoSession.NO_SYSTEM_IMPERSONATION attribute name, which can be set on the SimpleCredentials parameter for the Session.impersonate() call like this:

              Session systemSession ....
              final SimpleCredentials userCredentials = new SimpleCredentials("user", new char[]{});
              userCredentials.setAttribute(HippoSession.NO_SYSTEM_IMPERSONATION, Boolean.TRUE);
              Session userSession = systemSession.impersonate(userCredentials);
      

      The HippoSession.NO_SYSTEM_IMPERSONATION attribute is defined as follows:

          /**
           * By default a System Session when impersonating another user will always add the SystemPrincipal itself to the impersonated session.
           * This has as 'side-effect' that it a System Session cannot be 'downgraded' to a normal user.
           * This limitation or 'feature' will be removed in a next major release.
           * Until then, the desired effect can be achieved by adding this attribute with any value (not null) on the SimpleCredentials
           * parameter in a {@link Session#impersonate(Credentials)} call. If this attribute is defined, the SystemPrincipal will not be added
           * to the impersonated session when using the System session to impersonate another session.
           * @deprecated this attribute name and usage will be removed again when the limitation as described above has been fixed.
           */
          String NO_SYSTEM_IMPERSONATION = "org.hippoecm.repository.api.security.no-system-impersonation";
      

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                tjeger Tobias Jeger
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: