[MAGNOLIA-5724] CLONE - User name "admin" creates a Jackrabbit exception Created: 24/Mar/14  Updated: 17/Mar/21  Resolved: 17/Mar/21

Status: Closed
Project: Magnolia
Component/s: security
Affects Version/s: 4.5.16, 5.1, 5.2
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Markus Jeni Assignee: Unassigned
Resolution: Won't Fix Votes: 0
Labels: admininterface, login
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows 7 64bit, Java 7, Tomcat 7


Issue Links:
Cloners
clones MAGNOLIA-5424 User name "admin" creates a Jackrabbi... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Testcase included:
Yes
Release notes required:
Yes
Date of First Response:

Description

Creating a user named "admin" gives an error in Jackrabbit when logging in to admin central.

Workaround: do not use "admin" as the username.

Steps to reproduce:

  • create a user named "admin"
  • login as "admin"

See this error:

...
Caused by: info.magnolia.jcr.RuntimeRepositoryException: javax.jcr.LoginException
	at info.magnolia.context.AbstractContext.getHierarchyManager(AbstractContext.java:209)
	at info.magnolia.context.MgnlContext.getHierarchyManager(MgnlContext.java:125)
	at info.magnolia.cms.gui.control.Tree.<init>(Tree.java:190)
	at info.magnolia.module.dms.gui.DMSTreeControl.<init>(DMSTreeControl.java:55)
	... 105 more
Caused by: javax.jcr.LoginException
	at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1493)
	at org.apache.jackrabbit.core.jndi.BindableRepository.login(BindableRepository.java:162)
	at info.magnolia.repository.DefaultRepositoryManager.getSession(DefaultRepositoryManager.java:233)
	at info.magnolia.context.DefaultRepositoryStrategy.internalGetSession(DefaultRepositoryStrategy.java:63)
	at info.magnolia.context.AbstractRepositoryStrategy.getSession(AbstractRepositoryStrategy.java:76)
	at info.magnolia.context.AbstractContext.getJCRSession(AbstractContext.java:134)
	at info.magnolia.context.AbstractContext.getHierarchyManager(AbstractContext.java:207)
	... 108 more
Caused by: javax.security.auth.login.FailedLoginException
	at info.magnolia.jaas.sp.jcr.JackrabbitAuthenticationModule.login(JackrabbitAuthenticationModule.java:115)
	at org.apache.jackrabbit.core.security.authentication.LocalAuthContext.login(LocalAuthContext.java:86)
	at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1465)
	...

Problematic code:

info.magnolia.jaas.sp.jcr.JackrabbitAuthenticationModule
113: ==> if (getAdminUser().equals(this.name)) {
114:       if (!Arrays.equals(password, getAdminPassword().toCharArray())) {
115:         throw new FailedLoginException();
116:       }
117:       compileAdminPrincipals();
118:       return true;
119:     }


Comments
Comment by Daniel Lipp [ 07/May/14 ]

Summary of a discussion with Jan:

  • there seems to be no obvious fix: user 'admin' is the user we internally use to connect to Jackrabbit
  • preventing people from creating new users named 'admin' seems to be an acceptable "workaround"

The check for user name could be done in SaveDialogAction#createOrUpdateUser - e.g.:

                // "admin" is the name Magnolia itself uses to connect to Jackrabbit; refuse it for normal users
                if ("admin".equals(newUserName)) {
                    uiContext.openNotification(MessageStyleTypeEnum.WARNING, true, "Username 'admin' is used internally and cannot be used else.");
                    return;
                }

Message should be discussed with Andreas and i18n-ified as well.
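To make the failure mode and the proposed guard concrete, the following is an added, self-contained Java example; it is not Magnolia's or Jackrabbit's code. It models the decision order visible in the JackrabbitAuthenticationModule snippet in the description (the internal admin name is matched first and compared only against the internal password, so the Magnolia user store is never consulted for it) and the reserved-name check suggested in the comment above. The internal credentials, the in-memory user store, the non-admin branch of the login, and the helper names login, isReservedUserName, createUser and tryLogin are assumptions made for this demo.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.FailedLoginException;

/**
 * Stand-alone model of the login path from the bug report. Everything here is
 * constructed for illustration: the internal repository credentials, the user
 * store and the helper method names are not Magnolia's real ones.
 */
public final class ReservedAdminDemo {

    // Credentials Magnolia uses internally to open the Jackrabbit repository
    // (constructed values; in the real module they come from getAdminUser()/getAdminPassword()).
    static final String INTERNAL_ADMIN_USER = "admin";
    static final char[] INTERNAL_ADMIN_PASSWORD = "repo-internal-secret".toCharArray();

    // Stand-in for the Magnolia user store: user name -> password (constructed sample data).
    static final Map<String, char[]> users = new HashMap<>();

    /**
     * Mirrors the decision order shown for JackrabbitAuthenticationModule#login:
     * the internal admin name is handled first and only ever compared against the
     * internal password. The non-admin branch is an assumption for this demo,
     * not the module's code.
     */
    static boolean login(String name, char[] password) throws FailedLoginException {
        if (INTERNAL_ADMIN_USER.equals(name)) {
            if (!Arrays.equals(password, INTERNAL_ADMIN_PASSWORD)) {
                throw new FailedLoginException();   // the throw at line 115 in the stack trace
            }
            return true;                            // real module: compileAdminPrincipals() first
        }
        char[] stored = users.get(name);
        if (stored == null || !Arrays.equals(password, stored)) {
            throw new FailedLoginException();
        }
        return true;
    }

    /** The guard proposed in the comments: the repository's own admin name is reserved. */
    static boolean isReservedUserName(String candidate) {
        // Compare exactly as the auth module does (String.equals, case-sensitive),
        // so the guard rejects precisely the name that would be shadowed.
        return INTERNAL_ADMIN_USER.equals(candidate);
    }

    /** Hypothetical stand-in for createOrUpdateUser: refuses reserved names, stores the rest. */
    static boolean createUser(String name, char[] password) {
        if (isReservedUserName(name)) {
            return false;   // the UI would show the WARNING notification here
        }
        users.put(name, password);
        return true;
    }

    static String tryLogin(String name, char[] password) {
        try {
            login(name, password);
            return "login OK";
        } catch (FailedLoginException e) {
            return "FailedLoginException";
        }
    }

    public static void main(String[] args) {
        // Without the guard: a Magnolia user named "admin" is created but can never log in,
        // because the auth module short-circuits on the name before looking at the store.
        users.put("alice", "alice-pw".toCharArray());
        users.put("admin", "chosen-in-admincentral".toCharArray());
        System.out.println("alice: " + tryLogin("alice", "alice-pw".toCharArray()));
        System.out.println("admin (Magnolia password): "
                + tryLogin("admin", "chosen-in-admincentral".toCharArray()));

        // With the guard: creation is refused up front instead of producing a locked-out account.
        users.remove("admin");
        System.out.println("createUser(\"admin\"): " + createUser("admin", "x".toCharArray()));
        System.out.println("createUser(\"Admin\"): " + createUser("Admin", "x".toCharArray()));
    }
}
```

Run with `javac ReservedAdminDemo.java && java ReservedAdminDemo`: alice logs in, the Magnolia "admin" user gets FailedLoginException despite a correct Magnolia password, createUser("admin") returns false and createUser("Admin") returns true, since the module's comparison is exact. One caveat for anyone implementing the guard: the comment above hard-codes the literal "admin", whereas the auth module compares against getAdminUser(); reading the same configured value in the guard keeps the two from drifting apart if the internal name is ever changed.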

Comment by Jan Haderka [ 17/Mar/21 ]

"admin" is the username reserved by the underlying JCR implementation, Jackrabbit. In order to prevent possible security issues that might occur if the same username was used elsewhere, this username is reserved and can't be used for normal users.

Generated at Mon Feb 12 04:07:47 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.