OAK-9415 expose the bound principals of a session as attribute #291
Conversation
kwin
changed the title
| Session Attributes | ||
| ------------------ | ||
|
|
||
| Oak exposes the following attributes via [`Session.getAttribute(...)`][1] and [`Session.getAttributeNames()`][2]. |
There was a problem hiding this comment.
that's not entirely correct.... it also exposes credentials attributes as intended by the JCR specification. maybe rather state something like: in addition to attributes defined on credentials.......
| return names.toArray(new String[names.size()]); | ||
| } | ||
|
|
||
| @Override | ||
| public Object getAttribute(String name) { | ||
| if (RepositoryImpl.BOUND_PRINCIPALS.equals(name)) { |
There was a problem hiding this comment.
i would rather move that to the end of the method.... as the last piece to check.... in other words: if someone came up with the crazy idea to set "oak.bound_principals" attribute on his credentials, it probably should take precedence to fulfill the API contract defined by the JCR specification, shouldn't it?
There was a problem hiding this comment.
That is IMHO dangerous, as the bound principals can be used for checking if certain code paths should be allowed (e.g. in the context of FileVault). If someone can forge these attributes by just creating a (otherwise restricted) session with those parameters, this could easily be abused for privilege escalation. IMHO those values should not be allowed to be overwritten by consumers.
There was a problem hiding this comment.
fair point..... so let's keep it the way it is.
adjust test to accept more attributes being exposed than set
the first attribute
|
Merged in cde9070. |
No description provided.