commit f9c8b10f9a0ced98a932f5f8792d96ca7f0d38a4
author Karl Pauls <karlpauls@gmail.com> Thu Nov 16 15:31:35 2017 +0100
committer Karl Pauls <karlpauls@gmail.com> Thu Nov 16 15:31:35 2017 +0100
tree e148aa3261074b76ca1447c99a02dde55535c85a
parent 40a601e2cd2cc176c26dcfd96877efd200170c8d

SLING-6419: use 'validation' for the service user that validates service users.

src/main/java/org/apache/sling/jcr/resource/internal/JcrSystemUserValidator.java

diff --git a/src/main/java/org/apache/sling/jcr/resource/internal/JcrSystemUserValidator.java b/src/main/java/org/apache/sling/jcr/resource/internal/JcrSystemUserValidator.java
index 5080140..b748ac5 100644
--- a/src/main/java/org/apache/sling/jcr/resource/internal/JcrSystemUserValidator.java
+++ b/src/main/java/org/apache/sling/jcr/resource/internal/JcrSystemUserValidator.java
@@ -58,6 +58,8 @@
            })
 public class JcrSystemUserValidator implements ServiceUserValidator, ServicePrincipalsValidator {
 
+    public static final String VALIDATION_SERVICE_USER = "validation";
+
     @ObjectClassDefinition(
             name = "Apache Sling JCR System User Validator",
             description = "Enforces the usage of JCR system users for all user mappings being used in the 'Sling Service User Mapper Service'")
@@ -83,7 +85,11 @@
     private boolean allowOnlySystemUsers;
 
     /*
-    * We have to prevent a cycle if we are trying to login ourselves
+    * We have to prevent a cycle if we are trying to login ourselves. The main idea is that we set the
+    * cycleDetection to true for the current thread before we try to loginService('validation', null).
+    * That way, if we are asked if a user is valid and the cycleDetection is true we know we are in a
+    * cycle and have to shotcut by allowing the user. This should make it so that we use a service user
+    * to valid all service users except our own.
     */
     private final ThreadLocal<Boolean> cycleDetection = new ThreadLocal<Boolean>() {
         @Override
@@ -110,6 +116,7 @@
     @Override
     public boolean isValid(final String serviceUserId, final String serviceName, final String subServiceName) {
         if (cycleDetection.get()) {
+            // We are being asked to valid our own service user - hence, allow.
             return true;
         }
         if (serviceUserId == null) {
@@ -132,7 +139,7 @@
                      */
                     cycleDetection.set(true);
                     try {
-                        session = repository.loginService(null, null);
+                        session = repository.loginService(VALIDATION_SERVICE_USER, null);
                     } finally {
                         cycleDetection.set(false);
                     }
@@ -161,6 +168,7 @@
     @Override
     public boolean isValid(Iterable<String> servicePrincipalNames, String serviceName, String subServiceName) {
         if (cycleDetection.get()) {
+            // We are being asked to valid our own service user - hence, allow.
             return true;
         }
         if (servicePrincipalNames == null) {
@@ -186,7 +194,7 @@
                         */
                         cycleDetection.set(true);
                         try {
-                            session = repository.loginService(null, null);
+                            session = repository.loginService(VALIDATION_SERVICE_USER, null);
                         } finally {
                             cycleDetection.set(false);
                         }