[jira] [Commented] (SLING-7760) Sling Main Servlet - Change header configuration to a service
[ https://issues.apache.org/jira/browse/SLING-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17027904#comment-17027904 ]

Carsten Ziegeler commented on SLING-7760:

Totally agree that we must not pass the whole response object down, we could pass a stripped down version which in the first iteration only allows to set headers.

But :) as mentioned you can do the same with filters, filters have an ordering which is configurable and you can configure it in a way that it runs first - now granted, there might be other filters that have the same idea of being the first and use the same configuration value. But that can be fixed by configuring them to run a little bit later. That's the whole point of making it possible to define the order of filters - it requires the knowledge of all filters in the system, but you should have this anyways.

> Sling Main Servlet - Change header configuration to a service
>
> Key: SLING-7760
> URL: https://issues.apache.org/jira/browse/SLING-7760
> Project: Sling
> Issue Type: Improvement
> Reporter: Jason E Bailey
> Assignee: Jason E Bailey
> Priority: Major
>
> The ability to set headers must be done prior to any writing that occurs to the
> output stream. This is the reason why the headers are set to be configured in
> the Sling Main Servlet.
> With Sling being used to maintain multiple sites, having a single set of
> response headers creates problems where the header provides a non tailored
> response. One site may have a conflicting set of requirements than another
> site.
> If the setting of headers was moved from being a configuration to being a
> service used by the Main Servlet, this would allow the following:
> * Headers set on a per site basis
> * Headers based on selected resource
> * Ability to modify the headers without causing the restart of the Sling
> Main Servlet
> ** Which if you're dealing with CSP headers can be a constant pain
> * Ability to create a CSP configuration Service that eases the use of CSP
> creation

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-7760) Sling Main Servlet - Change header configuration to a service
[ https://issues.apache.org/jira/browse/SLING-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17027709#comment-17027709 ]

Jason E Bailey commented on SLING-7760:

[~bdelacretaz] My thought process for this is that I wanted to be as careful as possible so as to not impact the performance of the Main servlet and not to provide an avenue for someone to put in more functionality than needed.

I could certainly change the request path to a resource object. When I said returning headers, I was thinking a List of headers to be mapped into the Response headers. I wouldn't want to pass something like the response object directly as we could end up with situations where people could create an implementation of the interface that returned content or did all sorts of odd stuff at the wrong level.
[jira] [Commented] (SLING-7760) Sling Main Servlet - Change header configuration to a service
[ https://issues.apache.org/jira/browse/SLING-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17027659#comment-17027659 ]

Bertrand Delacretaz commented on SLING-7760:

bq. create a service interface that takes the request path..

Why not the Resource object? Headers like cache-control often depend on that.

bq. and returns a list of headers that applies to that request

Passing an interface that allows for directly setting the headers would avoid having to set them twice.
[jira] [Commented] (SLING-7760) Sling Main Servlet - Change header configuration to a service
[ https://issues.apache.org/jira/browse/SLING-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17027587#comment-17027587 ]

Jason E Bailey commented on SLING-7760:

I've been considering this a lot. It's true that I could write a REQUEST Filter that would be able to apply for my personal needs. What I was looking for, is a way to incorporate a feature within Sling that would support headers being applied when needed.

The reason that I feel a header feature is appropriate is that headers have to be applied prior to any writes that occur. Sling is a framework that supports many different models of development. Including working with other people's frameworks and adding other people's "plugins" to provide new features. I then start down a rabbit hole where, if I use a filter, I have no guarantee that it will be the first one called. The only place that you can guarantee that headers will always be applied appropriately is in the Main Servlet. Which, I believe, is the same reason that the static headers are there.

How about this proposal. I'm going back to the services approach. Leave the static headers alone. Additionally, create a service interface that takes the request path and returns a list of headers that applies to that request. Whether the service that implements the interface then performs a context aware lookup, or it does pattern matching, or whatever, would then be left up to the individuals implementing the application. That way an implementer can be assured that their feature they are adding will not have any downstream conflicts.

I'm pretty sure that I can do this in such a way as to have a minimal impact to the code and not change the current flow. By doing it the same way as the current static headers are applied except use a static concurrent mapping of services.
[jira] [Commented] (SLING-7760) Sling Main Servlet - Change header configuration to a service
[ https://issues.apache.org/jira/browse/SLING-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17018870#comment-17018870 ]

Carsten Ziegeler commented on SLING-7760:

I see the current way as a global setting applying to all requests; I guess the other option would have been to come up with a filter.

Now, I think for your problem, the better option is to provide a Sling servlet filter for REQUEST. This is the first thing that gets called and you can set your per site headers there (and are able to override the global ones if needed). It might make sense to come up with such a filter as part of the context aware configurations, but I have the feeling that the engine is the wrong place as it does not know anything about applications
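The REQUEST-scope filter approach suggested in this comment, together with the ordering point made in the newest comment at the top of the thread, as an added example (not code from Apache Sling or from any participant in this thread). The class name, package, host names, header values and the ranking number are assumptions made for illustration.

```java
package com.example.headers; // hypothetical package

import java.io.IOException;
import java.util.Locale;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.osgi.service.component.annotations.Component;

/**
 * Sets per-site response headers before anything downstream can write to the
 * output stream. Registered as a Sling REQUEST-scope filter.
 */
@Component(service = Filter.class, property = {
        "sling.filter.scope=REQUEST",
        // In current Sling Engine versions a higher service.ranking runs earlier.
        // The number is an assumption: pick it knowing the other filters in your
        // system, and leave room for filters that must run before this one.
        "service.ranking:Integer=10000"
})
public class PerSiteHeaderFilter implements Filter {

    // Headers every site gets (constructed sample values).
    private static final Map<String, String> DEFAULT_HEADERS = Map.of(
            "X-Content-Type-Options", "nosniff");

    // Per-site headers keyed by host name (constructed placeholders).
    private static final Map<String, Map<String, String>> SITE_HEADERS = Map.of(
            "www.site-a.example", Map.of(
                    "Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'",
                    "X-Frame-Options", "sameorigin"),
            "www.site-b.example", Map.of(
                    "Content-Security-Policy", "default-src 'self'; img-src 'self' data:",
                    "Cache-Control", "max-age=3600"));

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            // The server name is derived from the client-supplied Host header, so it
            // is only used as a lookup key into a fixed map, never echoed back.
            String host = request.getServerName().toLowerCase(Locale.ROOT);
            DEFAULT_HEADERS.forEach(httpResponse::setHeader);
            // Unknown hosts fall through with the defaults only.
            SITE_HEADERS.getOrDefault(host, Map.of()).forEach(httpResponse::setHeader);
        }
        // Headers are in place; only now let the rest of the chain produce output.
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to initialise
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```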
[jira] [Commented] (SLING-7760) Sling Main Servlet - Change header configuration to a service
[ https://issues.apache.org/jira/browse/SLING-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17018079#comment-17018079 ]

Jason E Bailey commented on SLING-7760:

This depends on why the response headers are set where they are currently set. My initial attempt at this would be to remove the setting of the headers from the initialization of SlingHttpServletResponseImpl and create a new method in RequestData called initHeaders(ResourceResolver) which I would call after calling initResource in the doProcessRequest step of SlingRequestProcessorImpl.

I haven't worked with CA Configurations before so this is an educated guess.
[jira] [Commented] (SLING-7760) Sling Main Servlet - Change header configuration to a service
[ https://issues.apache.org/jira/browse/SLING-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17015212#comment-17015212 ]

Carsten Ziegeler commented on SLING-7760:

I see, thanks - so how do you envision to make the decision which configuration to use? In the main servlet, we only have what the request provides, the headers are atm set before resource resolution
[jira] [Commented] (SLING-7760) Sling Main Servlet - Change header configuration to a service
[ https://issues.apache.org/jira/browse/SLING-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17015169#comment-17015169 ]

Jason E Bailey commented on SLING-7760:

[~cziegeler] Here's some of the headers that we currently have. Note that the Content-Security-Policy is huge because we have 5 separate domains that we serve out of our instances. So any one domain has permissions to source data from a domain it doesn't actually interact with because another one of our domains requires it.

X-Content-Type-Options: nosniff
X-XSS-Protection: 1;mode=block
X-Frame-Options: sameorigin
Content-Security-Policy: default-src * 'self' data: 'unsafe-inline' blob:;script-src * 'self' blob: data: 'unsafe-inline' 'unsafe-eval' *.trustarc.com *.doubleclick.net *.liveperson.net *.sas.com assets.adobedtm.com ssl.google-analytics.com accdn.lpsnmedia.net www.googletagmanager.com www.google-analytics.com bat.bing.com benchtag.co front.facetz.net *.facebook.net *.facebook.com www.googleadservices.com tb.juiceadv.com *.linkedin.com pixel.mathtag.com pixel.quantserve.com *.quora.com analytics.twitter.com tagmanager.google.com mc.yandex.ru static.ads-twitter.com snap.licdn.com *.bizographics.com dev.visualwebsiteoptimizer.com scripts.demandbase.com consent.truste.com s.yimg.com ssl.gstatic.com api.company-target.com script.crazyegg.com platform.twitter.com sp.analytics.yahoo.com x.bidswitch.net s7.addthis.com ad4.adfarm1.adition.com livestream.co *.brightcove.net track.adform.net insight.adsrvr.org www.vintom.com b92.yahoo.co.jp cdn.appdynamics.com execution-dscvrtraffic.cidev.sas.us *.brightcove.com *.mrpfd.com d3js.org *.d3.org;img-src * 'self' data: *.google-analytics.com *.doubleclick.net www.google.com *.sas.com front.facetz.net *.facebook.com www.googleadservices.com tb.juiceadv.com ext.ligatus.com bcp.crwdcntrl.net pixel.mathtag.com *.quora.com cdn.taboola.com analytics.twitter.com d.company-target.com mc.yandex.ru t.co px.ads.linkedin.com *.bizographics.com insight.adsrvr.org assets.adobedtm.com *.brightcove.com;font-src * 'self' data: *.sas.com fast.fonts.net;connect-src * 'self' *.sas.com *.brightcove.com ma156-r.analytics.edgekey.net api.company-target.com livestream.com www.vintom.com *.doubleclick.net assets.adobedtm.com;frame-src 'self' assets.adobedtm.com lpcdn.lpsnmedia.net *.liveperson.net www.youtube.com s7.addthis.com *.twitter.com *.sas.com pixel.mathtag.com livestream.com ad4.adfarm1.adition.com www.vintom.com *.doubleclick.net *.facebook.net *.twitter.com *.trustarc.com *.facebook.com *.linkedin.com;frame-ancestors *.ci360.sas.com *.gatheriq.analytics *.curriculumpathways.com
Cache-Control: max-age=3600

As you can see the Content-Security-Policy is the problem child and could do with some sort of tool to assist in its creation in its own right.
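An added sketch of the kind of CSP helper the comment above asks for (not code from Sling or from the commenter): it merges a shared base policy with one site's additions, so each domain is served only the sources it needs instead of the union of all five. The class name, host names and directive values are constructed placeholders.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.stream.Collectors;

public class PerSiteCsp {

    // Sources shared by every site (constructed sample values).
    static final Map<String, List<String>> BASE = Map.of(
            "default-src", List.of("'self'"),
            "script-src", List.of("'self'"));

    // Per-site additions keyed by host (constructed placeholders).
    static final Map<String, Map<String, List<String>>> SITES = Map.of(
            "www.site-a.example", Map.of(
                    "script-src", List.of("analytics.site-a.example"),
                    "frame-src", List.of("video.site-a.example")),
            "www.site-b.example", Map.of(
                    "script-src", List.of("chat.site-b.example", "'self'"),
                    "img-src", List.of("'self'", "data:")));

    /**
     * Reject tokens that would change the structure of the header value:
     * ';' starts a new directive, ',' starts a new policy, and whitespace
     * (including CR/LF) splits a token or the header itself.
     */
    static void checkToken(String token) {
        if (token.isEmpty()
                || token.chars().anyMatch(c -> c == ';' || c == ',' || Character.isWhitespace(c))) {
            throw new IllegalArgumentException("illegal CSP token: " + token);
        }
    }

    /** Build the policy for one host: base first, then that site's additions. */
    static String policyFor(String host) {
        // TreeMap gives a stable directive order; LinkedHashSet de-duplicates
        // sources while keeping base entries ahead of site entries.
        Map<String, Set<String>> merged = new TreeMap<>();
        for (Map<String, List<String>> layer : List.of(BASE, SITES.getOrDefault(host, Map.of()))) {
            layer.forEach((directive, sources) -> {
                checkToken(directive);
                sources.forEach(PerSiteCsp::checkToken);
                merged.computeIfAbsent(directive, d -> new LinkedHashSet<>()).addAll(sources);
            });
        }
        return merged.entrySet().stream()
                .map(e -> e.getKey() + " " + String.join(" ", e.getValue()))
                .collect(Collectors.joining("; "));
    }

    public static void main(String[] args) {
        // An unknown host gets the base policy only.
        for (String host : List.of("www.site-a.example", "www.site-b.example", "unknown.example")) {
            System.out.println(host + " -> " + policyFor(host));
        }
    }
}
```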
[jira] [Commented] (SLING-7760) Sling Main Servlet - Change header configuration to a service
[ https://issues.apache.org/jira/browse/SLING-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17014440#comment-17014440 ]

Carsten Ziegeler commented on SLING-7760:

Thanks, ok so this sounds like a context aware configuration to me. However, I would be worried of having such a dependency from the engine; in addition I'm worried about performance (figuring out with each and every request which context applies). Maybe it helps if we could see some examples for such per site headers
[jira] [Commented] (SLING-7760) Sling Main Servlet - Change header configuration to a service
[ https://issues.apache.org/jira/browse/SLING-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17014357#comment-17014357 ]

Jason E Bailey commented on SLING-7760:

[~cziegeler] I don't need a plugin model. What I need is:
# Ability to set a header on a per site basis
# Ability to change the headers without causing a restart of the Application
## This was handled by SLING-8991 Thanks!

And potentially being able to set headers based on the resource. This would be convenient for setting expiration dates on assets, etc.

My problem when I was working with this is that once you write to the output stream you're no longer able to modify the headers. On a per application basis I could configure a filter and make sure it would work. But for a feature of the product I couldn't come up with a better solution than to have the headers set in the Main Servlet.
[jira] [Commented] (SLING-7760) Sling Main Servlet - Change header configuration to a service
[ https://issues.apache.org/jira/browse/SLING-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17013695#comment-17013695 ]

Carsten Ziegeler commented on SLING-7760:

[~jebailey] I've created SLING-8991 to improve the handling of configuration changes - but yes, that's independent of this issue here.

Do you really need a plugin model to delegate the work to custom services? Or would it be possible to implement this based on configurations, for example with factory configurations for header (each site having its own factory config)?
[jira] [Commented] (SLING-7760) Sling Main Servlet - Change header configuration to a service
[ https://issues.apache.org/jira/browse/SLING-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17013077#comment-17013077 ]

Jason Bailey commented on SLING-7760:

[~cziegeler] that would be a great step in the right direction. The reason why I would eventually like to see it service based is the problem I'm having with different headers being required for different domains that are all run out of one instance of AEM. As well as doing cool things with expiration headers and security headers.
[jira] [Commented] (SLING-7760) Sling Main Servlet - Change header configuration to a service
[ https://issues.apache.org/jira/browse/SLING-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17013033#comment-17013033 ]

Carsten Ziegeler commented on SLING-7760:

Just as a side comment - we can change the implementation to not restart the main servlet if the configuration changes