[MAGNOLIA-1292] "anonymous" user is not logged in by default on public instance Created: 04/Jan/07  Updated: 23/Jan/13  Resolved: 19/Apr/07

Status: Closed
Project: Magnolia
Component/s: core
Affects Version/s: 3.0.1
Fix Version/s: 3.1 M1

Type: Bug Priority: Critical
Reporter: Robert Gacki Assignee: Sameer Charles
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

+ JDK 5.0_10
+ Tomcat 5.5.20
+ Magnolia deployed using the WAR-files (magnoliaAuthor.war, magnoliaPublic.war) as they are packaged with this version


Issue Links:
dependency
is depended upon by MAGNOLIA-1293 Role ACL is ignored on public instance Closed
relation
is related to MAGNOLIA-1162 ACL based on URLs Closed

Description

There is no user logged into the Magnolia system on the public instance by default.

Both methods return null by default:
info.magnolia.cms.security.Authenticator#getUserId(HttpServletRequest)
info.magnolia.cms.security.Authenticator#getUser(HttpServletRequest)

My proposal:
Add a new parameter to the server configuration to define the user who's logged into the system by default ('anonymous' on installation). The Authenticator should return this user (even when no HttpSession is created). The AccessManager must decide based on this user's roles.
Comments
Comment by Philipp Bracher [ 09/Jan/07 ]

Please try MgnlContext.getUser() instead.

Comment by Sameer Charles [ 17/Jan/07 ]

If you are logged in as any user on public, all permissions are taken care of as expected, but if it's open (not restricted), "no user" is logged in, not even anonymous.

The main reason I am reluctant to implement this is performance: currently on the public instance there are no HTTP sessions kept, so we have to force JAAS authorization for each request, which involves reading/loading the ACL and creating subjects and associated principals.
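
The proposal in the description (a configured default user returned by the Authenticator when no session exists, with the AccessManager deciding from that user's roles) together with the per-request cost raised in the comment above, as an added example that is neither Magnolia's code nor the reporter's: Request, Role, User, Authenticator and AccessManager are hypothetical stand-ins, and each role's ACL is modelled as path prefixes mapped to allow/deny. The default user is resolved once at startup rather than through a JAAS login on every sessionless request.

```java
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
// Stand-ins, not Magnolia classes. sessionUserId is empty when the request carries no HttpSession.
record Request(String path, Optional<String> sessionUserId) {}
record Role(String name, Map<String, Boolean> acl) {}  // path prefix -> allow (true) / deny (false)
record User(String id, List<Role> roles) {}

final class Authenticator {
    private final Map<String, User> userStore;
    private final User defaultUser;  // proposed server-config parameter, "anonymous" on install
    Authenticator(Map<String, User> userStore, String defaultUserId) {
        this.userStore = userStore;
        // Resolved once at startup, so the default user's ACL and principals are not rebuilt per request.
        this.defaultUser = Objects.requireNonNull(userStore.get(defaultUserId), "default user missing");
    }
    User getUser(Request req) {  // never null: with no session the configured default user is returned
        return req.sessionUserId().map(userStore::get).orElse(defaultUser);
    }
}
final class AccessManager {
    // Deny by default; the longest ACL prefix matching the path across the user's roles decides.
    boolean isAllowed(User user, String path) {
        int bestLen = -1;
        boolean allowed = false;
        for (Role role : user.roles())
            for (Map.Entry<String, Boolean> e : role.acl().entrySet())
                if (path.startsWith(e.getKey()) && e.getKey().length() > bestLen) {
                    bestLen = e.getKey().length();
                    allowed = e.getValue();
                }
        return allowed;
    }
}
public class AnonymousDefaultDemo {
    public static void main(String[] args) {
        // Constructed sample data: anonymous may read the site but not /private; jdoe may read both.
        Role anonymous = new Role("anonymous", Map.of("/", true, "/private", false));
        Role editor = new Role("editor", Map.of("/", true, "/private", true));
        Map<String, User> users = Map.of("anonymous", new User("anonymous", List.of(anonymous)),
                                         "jdoe", new User("jdoe", List.of(editor)));
        Authenticator auth = new Authenticator(users, "anonymous");
        AccessManager acm = new AccessManager();
        for (Request r : List.of(new Request("/private/report", Optional.empty()),
                                 new Request("/private/report", Optional.of("jdoe")))) {
            User u = auth.getUser(r);
            System.out.println(u.id() + " -> " + r.path() + ": " + acm.isAllowed(u, r.path()));
        }
    }
}
```

A session that names an unknown user also falls back to the default user, so the public instance never sees a null user and the role ACL is always consulted.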

Comment by Sameer Charles [ 18/Jan/07 ]

Will be fixed for 3.1, since this fix requires changes in multiple places and we cannot risk 3.0.x stability.

Comment by Sameer Charles [ 19/Apr/07 ]

On svn.

Will be refactored together with MAGNOLIA-1162.

Generated at Mon Feb 12 03:25:31 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.