Bug #39

No access control on raw repository

Added by Karsten Dambekalns over 8 years ago. Updated about 4 years ago.

Status: Closed
Priority: Should have
Assigned To: Karsten Dambekalns
Category: -
Target version: -
Start date:
Due date:
% Done: 0%

Description

The unit test in [source:Packages/phpCRJackrabbit/Tests/T3P_phpCRJackrabbit_CheckPermissionTest.php T3P_phpCRJackrabbit_CheckPermissionTest.php] always fails. The reason is missing or wrong access control in the Jackrabbit setup. The (sparse) Jackrabbit documentation says:

----
The default Repository.login() method starts a repository session using the default workspace and no user credentials. Jackrabbit tries to use the Java Authentication and Authorization Service (JAAS) configuration in such cases, but defaults to the anonymous user if a JAAS Subject is not found.

...

As discussed in the First Hop example, the default Repository.login() method returns an anonymous read-only session in the Jackrabbit default configuration. To be able to store and remove content we need to create a session with write access, and to do that we need to pass some credentials to the Repository.login(Credentials credentials) method.

The default Jackrabbit login mechanism accepts any username and password as valid credentials and returns a session with full write access. Thus we only need to construct and use a SimpleCredentials instance with some dummy username and password, in this case "username" and "password".
----

So the read-only session should be fetched without calling login() at all... or we define a different login manager for Jackrabbit and use that to verify user credentials.
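The behaviour quoted from the Jackrabbit documentation can be checked directly against a running repository. The following is an added example, not code from this issue or from the phpCR project: a small Java program that opens one session through the credential-less login() and one through login(SimpleCredentials) with dummy values, and asks each session via Session.checkPermission() whether it may create content below the root node. A java.security.AccessControlException from checkPermission() means access control denied the write. The program assumes Jackrabbit's TransientRepository class on the classpath and a repository.xml plus a "repository" home directory in the working directory; the class name, the "username"/"password" strings and the probe path are illustrative.

```java
import java.security.AccessControlException;

import javax.jcr.Credentials;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;

import org.apache.jackrabbit.core.TransientRepository;

// Added example (not part of the phpCR project): probes what a Jackrabbit
// repository hands out for credential-less and dummy-credential logins.
public class WriteAccessProbe {

    // Opens a session (login() when creds is null, login(creds) otherwise) and
    // reports whether it may add a node below the root. The JCR 1.0 API signals
    // a denied action from checkPermission() with
    // java.security.AccessControlException; other failures surface as
    // RepositoryException and are left to the caller.
    static boolean canWriteBelowRoot(Repository repo, Credentials creds)
            throws RepositoryException {
        Session session = (creds == null) ? repo.login() : repo.login(creds);
        try {
            session.checkPermission("/", "add_node,set_property");
            return true;
        } catch (AccessControlException denied) {
            return false;
        } finally {
            session.logout();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: repository.xml and the "repository" home directory live
        // in the working directory.
        Repository repo = new TransientRepository("repository.xml", "repository");

        // 1. No credentials: should resolve to the anonymous user, which the
        //    default access manager limits to read access.
        Session anon = repo.login();
        String anonId = anon.getUserID();
        anon.logout();
        boolean anonWrites = canWriteBelowRoot(repo, null);
        System.out.println("login() resolved to user '" + anonId
                + "', may write: " + anonWrites);

        // 2. Dummy credentials: the default login module accepts any
        //    username/password and the resulting user gets full write access.
        Credentials dummy =
                new SimpleCredentials("username", "password".toCharArray());
        boolean dummyWrites = canWriteBelowRoot(repo, dummy);
        System.out.println("login(SimpleCredentials) may write: " + dummyWrites);

        // The condition this issue is about: a credential-less login that ends
        // up with write access means the repository maps it to a real user
        // instead of the anonymous one.
        if (anonWrites) {
            System.out.println("FAIL: credential-less login has write access; "
                    + "check the default user configured in repository.xml");
        }
    }
}
```

Run against the Jackrabbit instance the test suite talks to, the first line should name the configured anonymous user and report "may write: false", and the second line should report "true". If the first line reports "true", the login module is mapping credential-less logins onto a default user with write rights rather than onto the anonymous user; in Jackrabbit 1.x's SimpleLoginModule that is governed by the defaultUserId parameter next to anonymousId (parameter names assumed here from the 1.x SimpleLoginModule, verify against the version in use), and removing that default user is the kind of repository.xml change that makes credential-less logins read-only.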

History

#1 Updated by Karsten Dambekalns over 8 years ago

  • Status changed from New to Accepted

Ok, I got this working now, now I need to find out when AccessDeniedException and when AccessControlException are thrown...

#2 Updated by Karsten Dambekalns over 8 years ago

  • Status changed from Accepted to Closed
  • Sprint set to fixed

(In r169) Fixes failures in T3P_phpCRJackrabbit_CheckPermissionTest caused by incorrectly set up account permissions:

  • repository.xml no longer provides a default user for logins without credentials
  • The unit test base class uses the configured "anonymous" user for read-only session access

This fixes #39

Additionally, T3P_phpCRJackrabbit_CheckPermissionTest contained some uses of + instead of . for string concatenation, which created invalid input.

#3 Updated by Robert Lemke about 7 years ago

  • Target version deleted (1)
