Feb 18 '25 15:02 kwin

Commit-Check ❌

Commit rejected by Commit-Check.                                  
                                                                  
  (c).-.(c)    (c).-.(c)    (c).-.(c)    (c).-.(c)    (c).-.(c)  
   / ._. \      / ._. \      / ._. \      / ._. \      / ._. \   
 __\( C )/__  __\( H )/__  __\( E )/__  __\( C )/__  __\( K )/__ 
(_.-/'-'\-._)(_.-/'-'\-._)(_.-/'-'\-._)(_.-/'-'\-._)(_.-/'-'\-._)
   || E ||      || R ||      || R ||      || O ||      || R ||   
 _.' '-' '._  _.' '-' '._  _.' '-' '._  _.' '-' '._  _.' '-' '._ 
(.-./`-´\.-.)(.-./`-´\.-.)(.-./`-´\.-.)(.-./`-´\.-.)(.-./`-´\.-.)
 `-´     `-´  `-´     `-´  `-´     `-´  `-´     `-´  `-´     `-´ 
                                                                  
Commit rejected.                                                  
                                                                  
Type message check failed => add tests

 
It doesn't match regex: ^OAK-\d+:?\s\S+.*
The commit message must start with 'OAK-<ID>[:] ' followed by some descriptive text
Suggest: Please check your commit message whether it matches above regex

Feb 18 '25 15:02 github-actions[bot]

I am gonna merge end of this week, if there is no other feedback.

Mar 03 '25 21:03 kwin

@anchela - how would a default implementation help? (FWIW, I'd like to understand as well how we would implement this in Jackrabbit Classic).

Mar 05 '25 14:03 reschke

as i said before the fact that principals can be exposed on the jackrabbit API is very much an implementation detail of oak and i am not really convinced that this should be exposed in jackrabbit API.

We do have several principal related API classes already in https://github.com/apache/jackrabbit-oak/tree/trunk/oak-jackrabbit-api/src/main/java/org/apache/jackrabbit/api/security/principal. As JCR 2.0 spec relies on principals for access control (https://developer.adobe.com/experience-manager/reference-materials/spec/jcr/2.0/16_Access_Control_Management.html#16.5.1%20Access%20Control%20Entries) it is natural that somehow you have it bound to a session as each impl would need to somehow compute those to check for access.

For JR2 I think the subject.getPrincipals (https://github.com/apache/jackrabbit/blob/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/SessionImpl.java#L384) should work in general. Maybe with some additional logic to get transitive group memberships like in https://github.com/apache/jackrabbit/blob/trunk/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.java#L682C30-L682C43.

Mar 05 '25 14:03 kwin

@anchela - I do not understand how having a default impl would avoid bumping up the package version - or did you have something else in mind?

@kwin - that said, would it be possible to have a meaningful default impl?

Mar 12 '25 15:03 reschke

I don't think a default impl in the JR-API module without additional dependencies would work, rather one impl for Oak and one for JR2.

Mar 12 '25 15:03 kwin

Having a default implementation which just throws an exception is actually worse than requiring any provider. to come up with a reasonable impl. Otherwise semantic versioning becomes useless

May 22 '25 08:05 kwin

@kwin , i was not thinking about an impl that throws but one that leverages public API. i will work with @Amoratinos to get this unblocked.