In my custom authentication handler I'm trying to authenticate a user without knowing his password, using a third-party user directory. I can't store users' passwords inside CQ, so I need a way to pass the user through the stack knowing just his name/id.
I used to handle this kind of problem with trust_credentials_attribute set in the repository.xml. However, in AEM 5.6 and 5.6.1, when this solution is used, the following log entry appears:
25.11.2013 11:52:10.469 *WARN* [0:0:0:0:0:0:0:1 [1385376730454] POST /content/myapp/en/home/j_security_check HTTP/1.1] org.apache.jackrabbit.core.security.authentication.AbstractLoginModule Usage of deprecated 'trust_credentials_attribute' option. Please note that for security reasons this feature will notbe supported in future releases.
The warning was introduced with a commit for https://issues.apache.org/jira/browse/JCR-3293. The bug is not closed yet and there is no info on how the trusted info can/should be avoided. Is it the case that the @deprecated annotation, together with the log message, has been introduced, but the workaround is not yet delivered? How can I pass the user through the authenticator without knowing his password?
Please advise,
Mateusz
The preferred solution depends on where/why you make use of the trust_credentials_attribute.
Implement a custom login module that also overrides the isPreAuthenticated method, and deploy it as an OSGi fragment.
"where/why": as already said, I'm not storing users' passwords in the repository. I'm using my own implementation of AuthenticationHandler to fulfill all user journeys.
Regarding implementation, to paraphrase: JCR, via the AbstractLoginModule.isPreAuthenticated(Credentials) method, provides a way to authenticate a user without a password. This method takes advantage of trust_credentials_attribute. Is the point of this warning (when using this 'authenticate without password' feature) to write this snippet from scratch? How does that fit with the @deprecated annotation on both isPreAuthenticated() and getPreAuthAttributeName()?