Various improvements for the webconsole plugin #78
Conversation
- allow the path to be empty, but not null - return a more informative message if no mappings are found
… a map/resolve call - extend the form to optionally accept a user to impersonate - use the resolver of the current user as a basis for impersonation - make sure that we don't accidentally generate imports from the auth.core and jcr.resource bundles, they are only used for the constant values, which are inlined.
|
SonarCloud Quality Gate failed. |
| pw.println("' class='input' size='50'>"); | ||
| pw.println("' class='input' size='20'>"); | ||
| pw.print("User (optional)"); | ||
| pw.print("<input type='text' name='" + ATTR_USER + "' value='"); |
There was a problem hiding this comment.
Maybe add a hint that this does only work/has an effect on resources resolved by the JCR resource provider.
|
|
||
| // resolver is set by the auth.core bundle in case of successful authentication, so it should | ||
| // always be there | ||
| Object resolverAttribute = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER); |
There was a problem hiding this comment.
Shouldn't this rather be based on service resource resolver as well to make it work with all web console security providers?
There was a problem hiding this comment.
Do you mean that we should try to create an additional mapping for the console using a service user that has impersonation rights?
There was a problem hiding this comment.
Just try to get a resourceresolver based on the service one and the user is to impersonate. The one returned as request attribute might not have the according rights
There was a problem hiding this comment.
If I try to set up impersonation based on the existing resolver (
Test Failure: org.apache.sling.api.resource.LoginException: Impersonation not allowed.
There was a problem hiding this comment.
You need to adjust privileges of the underlying technical user: https://jackrabbit.apache.org/oak/docs/security/authentication/default.html#impersonation
There was a problem hiding this comment.
Looking at the Oak implementation, I see that impersonation works if either:
- the impersonator is an admin
- the impersonator is included in the
rep:impersonatorsproperty of the impersonated user
I am not sure if either of these is possible or desirable for a service user. Do you see another way?
There was a problem hiding this comment.
Actually the user needs to be "admin", just being member of the administrators group is IMHO not enough. I don't think that there is an option yet for a user to enable him to impersonate as anyone else. Might be a good extension though for Oak.
The same limitation applies to the user doing the webconsole request (in case the Sling Webconsole Security provider is used), so in fact this option does only work for admin with all other users.
Therefore I would suggest to use a new administrative resource resolver with impersonation and whitelist the usage accordingly.
|
|
||
| Map<String, Object> authenticationInfo = new HashMap<>(); | ||
| authenticationInfo.put(ResourceResolverFactory.USER_IMPERSONATION, user); | ||
| authenticationInfo.put(JcrResourceConstants.AUTHENTICATION_INFO_SESSION, currentResolver.adaptTo(Session.class)); |
There was a problem hiding this comment.
This adaptTo may return null in case JCR resource provider is not used, a null check is necessary here.
There was a problem hiding this comment.
The import of JCR packages is optional, I assume the above code does not work if the JCR bundle is not installed?
We should keep that dependency as optional and not require JCR api to be installed
There was a problem hiding this comment.
There are two issues to discuss here
- The javax.jcr import is already optional - https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/78/files#diff-6d1033f3cc4642b36cd395cf203fdc2d963f51e46cb1949508765a9756743c45R2 . I think that a
NoClassDefFoundErrorwill be thrown from the method, then caught at . This should not affect the path where impersonation is not used. Do we need to handle this in some other way, e.g. using the bundle class loader to dynamically load the class definition? - The
adaptTocall can return null nonetheless and I will take it into acount
There was a problem hiding this comment.
My bad, I didn't read the full code. You are right, that this will work. And just to be sure I gave it a test run in a sling application that does not have the jcr api and except for impersonation, everything works
| // always be there | ||
| Object resolverAttribute = request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER); | ||
| if ( !(resolverAttribute instanceof ResourceResolver) ) { | ||
| throw new IllegalArgumentException("No " + ResourceResolver.class.getSimpleName() + " found in request, unable to proceed with impersonation"); |
There was a problem hiding this comment.
It is a common case if the web console is not using the Sling authentication provider that the request attribute is not set. In that case, it currently displays:
Test Failure: java.lang.IllegalArgumentException: No ResourceResolver found in request, unable to proceed with impersonation
I think it would be good if just the message without the exception type would be displayed
There was a problem hiding this comment.
@kwin suggested that we use an admin resolver instead (and include the bundle in the allow list ). If we would stop looking up the ResourceResolver in the request attribute, would it solve this issue?
There was a problem hiding this comment.
I'm not really a fan of adding another case for using an admin resource resolver, especially not in the web console
|
SonarCloud Quality Gate failed. |
|
SonarCloud Quality Gate failed.
|
|
|
1 similar comment
|
|
No description provided.