[MAGNOLIA-1403] WebContextImpl.getUser should use jaas user, and not assume that the user is available in the jcr repository Created: 25/Feb/07  Updated: 23/Jan/13  Resolved: 27/Nov/07

Status: Closed
Project: Magnolia
Component/s: security
Affects Version/s: 3.0.1
Fix Version/s: 3.5 RC1

Type: Bug Priority: Major
Reporter: Fabrizio Giustina Assignee: Fabrizio Giustina
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

When the JAAS authenticator has been configured to use an external user repository, context.getUser() should work with that configuration without assuming that a user node exists in the magnolia repository.

WebContextImpl.getUser() instead always calls UserManager.getUser() with the user id of the current JAAS subject, with the following result:

ERROR info.magnolia.cms.security.MgnlUserManager.getUser(MgnlUserManager.java:168) user not registered in magnolia itself [fgiust]
INFO info.magnolia.cms.security.DummyUser.<init>(DummyUser.java:32) Initializing dummy user - Anonymous
INFO info.magnolia.cms.security.DummyUser.<init>(DummyUser.java:33) This area and/or instance is not secured
(Magnolia then shows "anonymous" everywhere; context.getUser() is also used on the main AdminCentral page.)

This is the current implementation:

public User getUser() {
    if (this.user == null) {
        if (Authenticator.getSubject(request) == null) {
            log.debug("JAAS Subject is null, returning Anonymous user");
            this.user = Security.getUserManager().getUser(UserManager.ANONYMOUS_USER);
        }
        else {
            this.user = Security.getUserManager().getUser(Authenticator.getSubject(request));
        }
    }
    return this.user;
}

This should definitely be fixed so that external users work just like "normal" magnolia users. getUser() should return an instance of ExternalUser which wraps the JAAS Subject.
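As an added illustration (not Magnolia's code: User, RepositoryUser, ExternalUser and the in-memory REPOSITORY map are hypothetical stand-ins), this standalone Java program shows the resolution order the description asks for. The JAAS Subject is the source of truth; a repository node is used when one exists, an ExternalUser wrapping the Subject is returned otherwise, and the unauthenticated case is handled without a lookup by name, so it does not depend on a user manager implementing getUser(String).

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;

public class GetUserDemo {
    // Hypothetical stand-ins for Magnolia's User types; the names are assumptions, not the project's API.
    interface User { String getName(); boolean isExternal(); }
    // A user backed by a node in the JCR users workspace.
    record RepositoryUser(String name) implements User {
        public String getName() { return name; }
        public boolean isExternal() { return false; }
    }
    // A user backed only by the JAAS Subject: no repository node is required.
    record ExternalUser(Subject subject) implements User {
        public String getName() {
            return subject.getPrincipals().stream().map(Principal::getName).findFirst().orElse("unknown");
        }
        public boolean isExternal() { return true; }
    }
    static final String ANONYMOUS_USER = "anonymous";
    // Constructed sample standing in for the users workspace: only "superuser" has a node.
    static final Map<String, User> REPOSITORY = Map.of("superuser", new RepositoryUser("superuser"));

    // Resolution order: no Subject -> the anonymous user, built without any lookup by name;
    // Subject whose id has a repository node -> that user; any other authenticated Subject ->
    // an ExternalUser wrapping the Subject, so an externally authenticated user is never "anonymous".
    static User getUser(Subject subject) {
        if (subject == null) {
            return new RepositoryUser(ANONYMOUS_USER);
        }
        String id = subject.getPrincipals().stream().map(Principal::getName).findFirst().orElse(null);
        User fromRepository = id == null ? null : REPOSITORY.get(id);
        return fromRepository != null ? fromRepository : new ExternalUser(subject);
    }

    // Builds a Subject carrying one name principal, as a JAAS login module would after commit().
    static Subject subjectFor(String name) {
        Subject subject = new Subject();
        subject.getPrincipals().add((Principal) () -> name);
        return subject;
    }

    public static void main(String[] args) {
        // Unauthenticated, external-only user (no repository node), and a repository-backed user.
        for (Subject s : new Subject[] { null, subjectFor("fgiust"), subjectFor("superuser") }) {
            User u = getUser(s);
            System.out.println(u.getName() + " external=" + u.isExternal());
        }
    }
}
```

Run it with `java GetUserDemo.java` (Java 16 or newer, for records) to see that "fgiust" resolves to an external user rather than to anonymous.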



Comments
Comment by Fabrizio Giustina [ 25/Feb/07 ]

an additional note: this should also be resolved by configuring an ExternalUserManager, but doing that will make getUser crash on unauthenticated users, since the call to:
    if (Authenticator.getSubject(request) == null) {
        this.user = Security.getUserManager().getUser(UserManager.ANONYMOUS_USER);
    }

throws
java.lang.UnsupportedOperationException: not implemented yet
at info.magnolia.cms.security.ExternalUserManager.getUser(ExternalUserManager.java:39)

since getUser(String) is not implemented in ExternalUserManager

Comment by Magnolia International [ 22/Nov/07 ]

Seems like we'll have to look into this in the next version...

Comment by Philipp Bracher [ 27/Nov/07 ]

All that was refactored. The issue should not exist anymore:

  • different user managers registrable.
  • UserContext: login(user), logout()
Generated at Mon Feb 12 03:26:35 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.