Details
-
Bug
-
Status: Closed
-
Normal
-
Resolution: Fixed
-
None
-
None
Description
The current JCR Session.impersonate() logic implemented in HippoLoginModule has a peculiar twist when impersonating another user through a System session (having the SystemPrincipal).
In that case, the SystemPrincipal is always added/set in the new session, resulting in the impersonated session again becoming a System session. Effectively a System session cannot be used to 'downgrade' to a different/user session right now.
While this can be considered a bug, fixing it 'proper' results in backwards incompatible behavior, if specific usages now expect/depend on this.
Some of these usages indeed exists in the core of Hippo CMS itself, like in the SCXML Document Workflow definition, expecting a "system" session to be used to executed scheduled workflow jobs.
For backwards compatibility therefore an intermediate solution will be provided as a workaround instead, while the proper fix will be done through a separate issue for the next major version.
The workaround to allow a System session to impersonate another user without becoming a System session again is provided through a new (and deprecated!) HippoSession.NO_SYSTEM_IMPERSONATION attribute name, which can be set on the SimpleCredentials parameter for the Session.impersonate() call like this:
Session systemSession ....
final SimpleCredentials userCredentials = new SimpleCredentials("user", new char[]{});
userCredentials.setAttribute(HippoSession.NO_SYSTEM_IMPERSONATION, Boolean.TRUE);
Session userSession = systemSession.impersonate(userCredentials);
The HippoSession.NO_SYSTEM_IMPERSONATION attribute is defined as follows:
/**
* By default a System Session when impersonating another user will always add the SystemPrincipal itself to the impersonated session.
* This has as 'side-effect' that it a System Session cannot be 'downgraded' to a normal user.
* This limitation or 'feature' will be removed in a next major release.
* Until then, the desired effect can be achieved by adding this attribute with any value (not null) on the SimpleCredentials
* parameter in a {@link Session#impersonate(Credentials)} call. If this attribute is defined, the SystemPrincipal will not be added
* to the impersonated session when using the System session to impersonate another session.
* @deprecated this attribute name and usage will be removed again when the limitation as described above has been fixed.
*/
String NO_SYSTEM_IMPERSONATION = "org.hippoecm.repository.api.security.no-system-impersonation";
Attachments
Issue Links
- is a backport of
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-