in src/main/java/org/apache/sling/jcr/resource/internal/JcrSystemUserValidator.java [168:226]
public boolean isValid(Iterable<String> servicePrincipalNames, String serviceName, String subServiceName) {
if (cycleDetection.get()) {
// We are being asked to valid our own service user - hence, allow.
return true;
}
if (servicePrincipalNames == null) {
log.debug("The provided service principal names are null");
return false;
}
if (!allowOnlySystemUsers) {
log.debug("There is no enforcement of JCR system users, therefore service principal names '{}' are valid", servicePrincipalNames);
return true;
}
Session session = null;
UserManager userManager = null;
Set<String> invalid = new HashSet<>();
try {
for (final String pName : servicePrincipalNames) {
if (validPrincipalNames.contains(pName)) {
log.debug("The provided service principal name '{}' has been already validated and is a known JCR system user", pName);
} else {
if (session == null) {
/*
* We have to prevent a cycle if we are trying to login ourselves
*/
cycleDetection.set(true);
try {
session = repository.loginService(VALIDATION_SERVICE_USER, null);
} finally {
cycleDetection.set(false);
}
if (session instanceof JackrabbitSession) {
userManager = ((JackrabbitSession) session).getUserManager();
} else {
log.debug("Unable to validate service user principals, JackrabbitSession expected.");
return false;
}
}
Authorizable authorizable = userManager.getAuthorizable(() -> pName);
if (isValidSystemUser(authorizable)) {
validPrincipalNames.add(pName);
log.debug("The provided service principal name {} is a known JCR system user", pName);
} else {
log.warn("The provided service principal name '{}' is not a known JCR system user id and therefore not allowed in the Sling Service User Mapper.", pName);
invalid.add(pName);
}
}
}
} catch (final RepositoryException e) {
log.warn("Could not get user information", e);
} finally {
if (session != null) {
session.logout();
}
}
return invalid.isEmpty();
}