Re: Stopping Apache Sling Launchpad upon exception in OSGi bundle

2021-04-27 Thread Bertrand Delacretaz
Hi,

On Tue, Apr 27, 2021 at 6:45 PM Eric Norman  wrote:
> ...I don't believe there is currently any configuration for the Apache Felix
> Jetty Based Http Service that would do that automatically...

I also think there's no built-in way to achieve what you want.

In addition to Eric's suggestions, you might implement an Appender
service [1] and use the log message to trigger a shutdown when you
detect the expected failure message.

I've never used that feature myself but the docs say it works ;-)

-Bertrand

[1] https://sling.apache.org/documentation/development/logging.html#appenders-as-osgi-services-1


Re: Trying to authenticate sling with Keycloak

2020-12-21 Thread Bertrand Delacretaz
Hi,

On Mon, Dec 21, 2020 at 6:29 AM gokul vs  wrote:
> ..Trying to use key cloak as IAM system for sling,
> is there any available implementations or extensions available...

This adaptTo() presentation might help:
https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html

-Bertrand


Re: Datasource selection

2020-12-15 Thread Bertrand Delacretaz
On Tue, Dec 15, 2020 at 4:58 PM Robert Munteanu  wrote:
> ...This way you get the datasources injected and via SCR and you get to
> use the datasource.name as a key...

sounds good and it's certainly more efficient than what I suggested.

-Bertrand


Re: Datasource selection

2020-12-15 Thread Bertrand Delacretaz
Hi,

On Fri, Dec 11, 2020 at 4:16 PM Nicola Cisternino  wrote:
> ...I can select single datasource using DS annotations:
> @Reference(target =
> "(&(objectclass=javax.sql.DataSource)(datasource.name=*source1*))")
> private DataSource dataSource;
>
> But ... how can I select single datasource programmatically ?

The BundleContext.getServiceReferences(java.lang.Class clazz,
java.lang.String filter) method [1] takes an OSGi LDAP-style filter
with the same syntax quoted above, that's probably what you need.
There are a number of examples using it in the Sling codebase.

-Bertrand

[1] https://docs.osgi.org/javadoc/osgi.core/7.0.0/org/osgi/framework/BundleContext.html#getServiceReferences-java.lang.Class-java.lang.String-
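
The programmatic lookup described in the reply above, as an added example that is not part of the original message or of the Sling codebase. The class and method names are hypothetical; the filter value is escaped so that a name taken from configuration or user input is matched exactly and cannot widen the filter (the `*source1*` form quoted above is a substring match instead).

```java
import java.util.Collection;
import java.util.Collections;
import java.util.Optional;
import java.util.function.Function;
import javax.sql.DataSource;
import org.osgi.framework.BundleContext;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.framework.ServiceReference;

/** Hypothetical helper: selects one DataSource service by its datasource.name property. */
public final class DataSourceLookup {

    private DataSourceLookup() {}

    /** Escapes the characters that are special inside an OSGi (LDAP-style) filter value. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            if (c == '\\' || c == '*' || c == '(' || c == ')') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Returns the best-ranked matching reference, or empty if no service matches. */
    static Optional<ServiceReference<DataSource>> find(BundleContext ctx, String name)
            throws InvalidSyntaxException {
        // The Class argument already restricts objectClass, so the filter only
        // needs the property clause.
        String filter = "(datasource.name=" + escapeFilterValue(name) + ")";
        Collection<ServiceReference<DataSource>> refs =
                ctx.getServiceReferences(DataSource.class, filter);
        if (refs.isEmpty()) {
            return Optional.empty();
        }
        // ServiceReference ordering: highest service.ranking, then lowest service.id.
        return Optional.of(Collections.max(refs));
    }

    /** Runs work against the named DataSource and always releases the service afterwards. */
    static <T> Optional<T> withDataSource(BundleContext ctx, String name,
            Function<DataSource, T> work) throws InvalidSyntaxException {
        Optional<ServiceReference<DataSource>> ref = find(ctx, name);
        if (!ref.isPresent()) {
            return Optional.empty();
        }
        DataSource ds = ctx.getService(ref.get());
        if (ds == null) {
            // The service was unregistered between lookup and use.
            return Optional.empty();
        }
        try {
            return Optional.ofNullable(work.apply(ds));
        } finally {
            ctx.ungetService(ref.get());
        }
    }
}
```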


Re: [mock] best way to mock http(s) endpoint

2020-12-01 Thread Bertrand Delacretaz
Hi,

On Tue, Dec 1, 2020 at 10:24 AM Stefan Seifert  wrote:
> ...maybe wiremock? it does real HTTP communication but neatly integrated in 
> junit (i've not tried to use it with JUnit 5).
> https://github.com/tomakehurst/wiremock ...

I've been using wiremock in Sling,
https://github.com/apache/sling-org-apache-sling-junit-teleporter/blob/master/src/test/java/org/apache/sling/testing/teleporter/client/TeleporterHttpClientTest.java
and like it!

Note that that code is from 5 years ago, there's probably been
improvements in the meantime.

-Bertrand


Re: Getting SlingHttpServletRequest in a HTTP Whiteboard

2020-11-17 Thread Bertrand Delacretaz
Hi,

On Mon, Nov 16, 2020 at 4:37 PM Roy Teeuwen  wrote:
> ...how can you register a Filter programmatically that its inside the 
> SlingHttpServletRequest chain?...

As explained at
https://sling.apache.org/documentation/the-sling-engine/filters.html ,
you need a javax.servlet.Filter OSGi service with some specific
properties described there. If you search the Sling codebase for
"sling.filter" you'll find some examples.

-Bertrand


Re: org.apache.sling.commons.metrics.MetricsService not supporting gauge type

2020-05-28 Thread Bertrand Delacretaz
Hi,

On Wed, May 27, 2020 at 11:47 PM Allen Liu  wrote:
> ...I created a function in my monitoring service to register gauge as a 
> service...

You should rather add a @Component(service=GaugeMonitor.class)
annotation to your GaugeImpl, so that it's registered as an OSGi
service if your build setup handles that. Or call
BundleContext.registerService in that bundle's Activator to register
an instance of GaugeImpl.

And export the java package of GaugeMonitor from your bundle so it's
accessible from the outside.

You can then acquire that GaugeMonitor service from other bundles to
call setValue, and the Gauge should be available from the
MetricsRegistry.

-Bertrand


Re: Resource to json serializing

2020-05-14 Thread Bertrand Delacretaz
On Thu, May 14, 2020 at 9:25 AM Carsten Ziegeler  wrote:
>
> I think it makes sense to discuss API options first, to avoid going back
> and forth. ..

Agreed.

FWIW for the graphql-core module that I'm working on I need to convert
arbitrary objects to and from JSON [1], I suppose that's part of what
we need here.

So far I haven't designed an API for that, just mimicked
https://github.com/jdereg/json-io which I'm using for now, as it has
minimal requirements and is simple to use.

>... First question being, which JSON library do we support? As we settled on
> johnzon, I assume thats the one...

It looks like the Johnzon Mapper module [2] should support what I need
but I haven't found real documentation about it so far. I'll have a
look and might switch the graphql-core to it if I like what I see.

-Bertrand

[1] https://github.com/apache/sling-org-apache-sling-graphql-core/blob/master/src/main/java/org/apache/sling/graphql/core/json/JsonSerializer.java
[2] http://johnzon.apache.org/apidocs/org/apache/johnzon/mapper/package-summary.html


Re: Resource to json serializing

2020-05-12 Thread Bertrand Delacretaz
Hi,

On Tue, May 12, 2020 at 4:10 PM JCR  wrote:
> ...the entire commons.json package
> disappeared. Seemingly, this package has been replaced by Apache Johnzon
> but I cannot find anything equivalent to JsonItemWriter.
>
> Anybody aware of its substitute?...

I'm not sure if we have one, and happy to be proven wrong if that's the case.

For the new GraphQL module [1] I've been using json-io [2] which looks
good so far but I haven't done a lot with it at this point.

-Bertrand

[1] https://github.com/apache/sling-org-apache-sling-graphql-core
[2] https://github.com/jdereg/json-io


Re: Sling Slack Channel

2020-04-23 Thread Bertrand Delacretaz
Hi,

On Wed, Apr 22, 2020 at 9:00 PM Sergiu Dumitriu  wrote:
> ...There is indeed a volume issue, and personally I think it's from the
> fact that the list doesn't contain just direct email discussions, but
> also all notifications from github and jira...

Those should be easy to filter to different mail folders if you need
that - or is there something missing to do that?

-Bertrand


Re: Calling OSGi Service from JSP

2020-04-08 Thread Bertrand Delacretaz
Hi Juerg,

On Wed, Apr 8, 2020 at 1:42 PM JCR  wrote:
> ...So this is the secret sauce that does the job. That needs to be added to
> the project's pom.xml...

Ok, glad you found out and sorry if our (lack of) examples made your
life harder than it should be!

-Bertrand


Re: Calling OSGi Service from JSP

2020-04-07 Thread Bertrand Delacretaz
Hi,

On Tue, Apr 7, 2020 at 11:37 AM JCR  wrote:
> ...But what I
> observe is, that MANIFEST.MF gets overridden on every change and even
> package-info is present, the package in there gets set back to private...

It looks like your build setup is causing trouble.

I recommend that you compare your project with one of ours that you
can gradually adapt to your needs.

You might start with
https://github.com/apache/sling-org-apache-sling-commons-mime for
example, which is a small standalone module: change the public package
and/or class names for your initial test, build, verify that you can
use those services from your JSP and then gradually adapt or compare
with your code.

Hope this helps,
-Bertrand


Re: Repoinit Classpath

2020-04-07 Thread Bertrand Delacretaz
Hi,

On Mon, Apr 6, 2020 at 11:07 PM Daniel Klco  wrote:
>
> I'm looking into executing a Repoinit script from the classpath of a bundle
> upon installation using the references property, but can't work out the
> correct format

So IIUC your scenario is as follows:

1) Your Bundle starts and contains a repoinit script S as a resource
2) The SlingRepository starts and you want it to use that script

So the question is "how to get a stable URL that points to S", is that
what you mean?

If yes I think the question is not repoinit-specific, it's more a
general OSGi question and I don't know the answer.

My understanding is that the Bundle.getResource(path) is one way to
get such a URL, maybe the only one, which AFAIK uses the "bundle:" URL
scheme.

As per [1] it looks like you cannot construct such URLs, only get them
from the Bundle object.

I don't know if there's another OSGi way of getting that URL for S.

Our Bundle Resources module provides a way to get a bundle:// URL by
adapting a Sling resource that points to a Bundle resource but I don't
think it helps here.

Another option would be to use the OSGi Extender model, adding code to
repoinit so that it scans bundles for a specific header that points to
repoinit scripts, like we do for content loading.

-Bertrand

[1] https://stackoverflow.com/questions/41905130/accessing-resource-from-osgi-bundle-bundle-scheme-in-the-url-lead-to-a-malforme
[2] https://sling.apache.org/documentation/bundles/bundle-resources-extensions-bundleresource.html


Re: Everyone ACL Read on /

2020-03-12 Thread Bertrand Delacretaz
Hi,

On Thu, Mar 12, 2020 at 7:25 AM Oliver Lietz  wrote:
> On Wednesday, March 11, 2020 10:05:20 PM CET Cris Rockwell wrote:
> > ...I am asking why this default exists.
> > Is there is a rationale for the default or no?...

> It is convenient for the Sling Starter and the sample applications...

I think that's the key - the Sling Starter is not meant to be
production ready, it's more meant for experimenting and learning and a
somewhat open access helps for that.

I have just added a comment to clarify that in the
https://github.com/apache/sling-org-apache-sling-starter README.

-Bertrand


Re: Mock resource resolver factory for use in OSGi?

2020-03-04 Thread Bertrand Delacretaz
Hi,

On Wed, Mar 4, 2020 at 11:03 AM Christian Schneider
 wrote:
> ...Now I also need to change nodes in the repository. Is there a way to test
> this without the full sling pax exam testing?..

You might "manually" setup just the bundles that you need to get a
ResourceResolverFactory service, but I've found that to be a pain
while sling-org-apache-sling-testing-paxexam has that all sorted out
for you.

At the expense of tests that might take longer to startup due to more
baggage than you actually need - which you can trim by removing
specific bundles [1] but that might get you back to hunting for just
the right set of dependencies.

But https://sling.apache.org/documentation/development/sling-mock.html
might help? Those mocks are well tested.

-Bertrand

[1] https://github.com/apache/sling-org-apache-sling-servlets-resolver/blob/1386d2eca418eee37a08b9c488ba657c7a1032d3/src/test/java/org/apache/sling/servlets/resolver/it/ServletResolverTestSupport.java#L96


Re: How to create a namespace mapping from a remote test?

2019-02-08 Thread Bertrand Delacretaz
Hi,

On Fri, Feb 8, 2019 at 5:14 AM Julian Sedding  wrote:
> ...2. Deploy a custom bundle with a servlet that allows registering a
> namespace...

Yes and you might use tinybundles to create that bundle, to avoid too
complex a setup.

> ...I'm not sure how far the Teleporter junit rule would get you,
> but it may be worth looking into...

Teleported tests run server-side so they can do whatever - and BTW the
sling-org-apache-sling-junit-teleporter uses the tinybundles technique
mentioned above to inject the tests in a Sling instance.

-Bertrand


Re: Apache sling without file system

2018-10-18 Thread Bertrand Delacretaz
Hi,

On Thu, Oct 18, 2018 at 4:33 PM Nikita  wrote:
> ...Please tell me whether it is possible to teach sling not to save data in 
> the
> file system. I want to use only postgresql database to store files...

As Chris says, Oak can use various databases for its backend storage.

However by default Sling will still need a filesystem for the OSGi
framework state, logs etc.

If this is a problem for you, changing that would require code changes
to the Sling core, or using a virtual filesystem.

-Bertrand


Re: Status of sling provisioning model & documentation of models

2018-10-09 Thread Bertrand Delacretaz
Hi Joerg,

On Sat, Oct 6, 2018 at 6:36 PM Jörg Hoh  wrote:
> ...it looks pretty slick and uses the sling feature module
> (provisioning model? Unsure about the correct naming) to build the runtime
> environment for the integration tests, see [1] and the pom [2]...

That's provisioning model indeed, and as Oli indicates work is ongoing
to replace that with the Feature Model.

But for now the provisioning model works fine, until we have a
documented improved way, IMO.

> ...I wonder where the artifacts it depends on are documented...

Not sure what you mean by that, the provisioning model is documented
at [3] that you mentioned, and that page points to
http://sling.apache.org/components/slingstart-maven-plugin/ which has
the Maven plugin details, what do you think is missing?

-Bertrand

> [3] https://sling.apache.org/documentation/development/slingstart.html


Re: How do you identify the original content path of a request?

2018-09-18 Thread Bertrand Delacretaz
Hi,

On Mon, Sep 17, 2018 at 6:13 PM Jason E Bailey  wrote:
> ...When I'm at a component level, I'm trying to identify what the original
> content path/ resource  is and there doesn't seem to be a way to do it...

Doesn't HttpServletRequest.getRequestPath help?

Maybe the info is lost during component inclusion? If so the simplest
way might be to save whatever information you need in request
attributes in a filter that's active at the top of the component
inclusion stack.

-Bertrand


Re: Custom error handling scripts that consider the request file extension?

2018-08-13 Thread Bertrand Delacretaz
Hi,

On Thu, Aug 9, 2018 at 10:01 PM Eric Norman  wrote:
> ...Basically I would like to have the client get JSON back when something goes
> wrong instead of html that won't parse as JSON.
>
> If no one disagrees, I can open a bug report and provide the proposed
> changes to org.apache.sling.servlets.resolver...

That sounds reasonable, as long as changes to that core module are
covered by strong tests.

-Bertrand


Re: Sightly-based multi-module Maven archetype available?

2018-07-12 Thread Bertrand Delacretaz
Hi,

On Thu, Jul 12, 2018 at 1:45 PM Greg Fullard  wrote:
> ...Has anyone else done this, that I'm just missing? If not, would anyone else
> find it valuable if I work on something like that?...

I don't think we have that and it's certainly welcome!

-Bertrand


Re: RMI based ResourceProvider

2018-06-28 Thread Bertrand Delacretaz
Hi Jason,

On Wed, Jun 27, 2018 at 11:57 PM Jason E Bailey  wrote:
> ...I was thinking, wouldn't it be cool if I had a ResourceProvider which
> was a connected via RMI to a JCR Resource Provider for a specific path...

I'm not sure if Oak still provides an RMI interface, but Jackrabbit did.

In general, the problem with RMI access to JCR is that it's very
chatty due to the low granularity of JCR, which can hinder
performance.

I've been thinking for a while that a remote ResourceProvider that
aggregates Resources in larger chunks might be useful, using
micro-trees that can represent a website page for example, based on
the properties and resource types that define the micro-tree
boundaries. In this way you'd reduce the granularity to improve
performance.

That's probably much more complicated than what you are after though,
just wanted to mention it as food for thought.

-Bertrand


Re: SlingHttpServletRequestWrapper Example?

2018-06-26 Thread Bertrand Delacretaz
Hi Cris,

On Mon, Jun 25, 2018 at 9:55 PM Cris Rockwell  wrote:
> ...I would like to add a POST parameter in a Sling Filter using 
> SlingHttpServletRequestWrapper...

As per 
https://sling.apache.org/apidocs/sling7/org/apache/sling/api/SlingHttpServletRequest.html
you probably need to consistently override the Sling-specific methods
that return org.apache.sling.api.request.RequestParameter objects, I
think that's what the PostServlet uses internally.

Also, there are a number of examples that use that class in the Sling
codebase, maybe one of those help:

./sling-whiteboard/scripting-resolver/org-apache-sling-scripting-resolver/src/main/java/org/apache/sling/scripting/resolver/internal/RequestWrapper.java
./samples/fling/src/main/java/org/apache/sling/samples/fling/internal/FormServlet.java
./sling-org-apache-sling-models-impl/src/test/java/org/apache/sling/models/impl/RequestDisposalTest.java
./sling-org-apache-sling-models-impl/src/main/java/org/apache/sling/models/impl/ResourceOverridingRequestWrapper.java
./sling-org-apache-sling-models-impl/src/main/java/org/apache/sling/models/impl/via/AbstractResourceTypeViaProvider.java
./sling-org-apache-sling-models-impl/src/main/java/org/apache/sling/models/impl/via/ChildResourceViaProvider.java
./sling-samples/fling/src/main/java/org/apache/sling/samples/fling/internal/FormServlet.java
./sling-org-apache-sling-scripting-core/src/main/java/org/apache/sling/scripting/core/impl/helper/OnDemandReaderRequest.java
./sling-org-apache-sling-api/src/main/java/org/apache/sling/api/wrappers/SlingHttpServletResponseWrapper.java
./sling-org-apache-sling-api/src/main/java/org/apache/sling/api/wrappers/SlingHttpServletRequestWrapper.java
./sling-org-apache-sling-i18n/src/main/java/org/apache/sling/i18n/impl/I18NFilter.java

If you find a solution, please post it here for future reference!

-Bertrand


Re: Sling and other database technologies

2018-06-04 Thread Bertrand Delacretaz
Hi Yuri,

(dropping dev@, definitely a users question)

Thanks for your interest!

On Thu, May 31, 2018 at 4:16 PM, Yuri Simione  wrote:
> ...I would like to use Sling for other back-ends, not limited Jcr 
> repositories: how strong
> is the relationship between Sling and Jcr? How hard is a new Sling 
> implementation
> that also manages graph or document databases?  ...

For historical context: when we created Sling back around 2007 there
were already Way Too Many Java Web Frameworks (TM) around, so we
decided to focus Sling on JCR as a differentiator - while avoiding to
hardcode that decision. And I suppose the vast majority of Sling users
are using it with JCR today.

However, JCR hasn't taken over the world, mostly due (IMO) to the
arrival of NoSQL databases just when JCR and its implementations
became mature - so it makes perfect sense to use Sling with other
backends.

We've been working on this, on and off I'd say, and in theory it is
perfectly possible to run Sling without JCR.

In practice, however, I see two things that might get in the way:

1) As few people are using Sling without JCR, and we don't run a
non-JCR integrations test suite there are probably some assumptions or
defaults that will cause some problems

2) As JCR provides lots of functionality out of the box, like search,
versioning, access control etc. you will have to find alternatives for
those things if you need them. Some of our contrib modules might help.

As starting points I suggest:

a) Playing with the ResourceProvider concept,
https://sling.apache.org/documentation/the-sling-engine/resources.html
- the planets example there is dead simple, but for read-only
resources.

b) Playing with the NoSQL ResourceProviders,
https://sling.apache.org/documentation/bundles/nosql-resource-providers.html

c) Maybe starting with a prototype that still uses JCR in places where
Sling really requires it (which hopefully are very few, or maybe even
none at all? Haven't tried myself lately) but uses another backend for
your application content, mounted as a ResourceProvider.

d) Maybe using a [nojcr] subject line header if discussing here, to
help raise attention

It would be fantastic to have concrete examples of Sling running on
non-JCR backends!

HTH,
-Bertrand


Re: Suppress registerMimeType output on console

2018-04-23 Thread Bertrand Delacretaz
On Mon, Apr 23, 2018 at 9:59 AM, Christian Schneider
 wrote:
> ...It seems the class checks if there is a log service installed and prints
> out directly if not...

Ah yes, MimeTypeServiceImpl.log(...)

That code's been there forever [1] but I don't think it's useful, +1
to just using the log.

-Bertrand

[1] https://svn.apache.org/viewvc/sling/trunk/bundles/commons/mime/src/main/java/org/apache/sling/commons/mime/internal/MimeTypeServiceImpl.java?revision=574179&view=markup


Re: pom.xml for import with default Sling dependencies

2018-03-22 Thread Bertrand Delacretaz
Hi,

On Thu, Mar 22, 2018 at 9:38 AM, Evgeniy Fitsner  wrote:
> ...Sling Framework has OOTB dependencies.
> Maybe we already have pom.xml file with this dependencies which I could 
> import into my project...

The parent pom at http://github.com/apache/sling-parent provides some
of that, but not too much, intentionally, so that modules can have
their own dependencies where needed.

The provisioning files at
https://github.com/apache/sling-org-apache-sling-starter/tree/master/src/main/provisioning
define the dependencies of the default Sling runnable jar, might be
useful as well.

-Bertrand


Re: Sling POST servlet and empty arrays?

2018-03-05 Thread Bertrand Delacretaz
Hi,

On Thu, Mar 1, 2018 at 5:07 AM, John Logan  wrote:
> Hi, I'm trying to create node with an empty String[] property via the Sling 
> POST servlet...
...
> Is there a more succinct and accepted way?...

I don't think so, in general the convention is that empty property
values cause the properties to be removed.

If you rely on that behavior (which I suppose is undocumented and just
happened) it might be wise to contribute an automated test that
clarifies this behavior and prevents it from going away in the future.

-Bertrand


Re: Deprecation of SlingRepository.loginAdministrative()

2018-02-06 Thread Bertrand Delacretaz
On Tue, Feb 6, 2018 at 1:02 PM, Jörg Hoh  wrote:
> ...Long story short: Is the loginAdministrative() method planned to be
> removed? If yes, we should clearly give best practices and document how it
> can be replaced even in the non-trivial cases. If it's going to stay, we
> should remove the deprecation warning

I think we need to keep warnings that loginAdmin should be used as
sparingly as possible.

And probably provide some examples where it does make sense to use it.

But deprecation might not be the correct term, as you indicate.

-Bertrand


Re: Integration test depending of Sling job

2017-12-20 Thread Bertrand Delacretaz
Hi,

On Wed, Dec 20, 2017 at 3:16 PM, Johan Ruttens  wrote:
>... Basically I'm searching for a better way to determine when the job is
> finished

I don't remember the details off the top of my head but I suppose OSGi
events are sent to indicate the job's progress - you can check at
/system/console/events and if you see useful events, using those
should be a better way to find out.

-Bertrand


Re: Setting sling:resourceType on a node as part of repo initialization?

2017-12-16 Thread Bertrand Delacretaz
Hi John,

On Fri, Dec 15, 2017 at 8:00 PM, John Logan  wrote:
> It wouldn't work if I had any other required properties that needed to be 
> mapped from the node...
> For that, the repoinit language would need to support general property 
> initialization, and I'm not
> sure whether that falls within the intended scope...

Indeed, I would prefer avoiding that if possible, hence going via a
resourceType option in the nodetypes parameters sounds cleaner to me.

-Bertrand


Re: Setting sling:resourceType on a node as part of repo initialization?

2017-12-15 Thread Bertrand Delacretaz
Hi John,

On Fri, Dec 15, 2017 at 1:44 AM, John Logan  wrote:
>... I'm creating a node at repository initialization time using a "create 
>path" statement in my repoinit
> block, and wondering what the best practice would be for also setting the 
> sling:resourceType on
> that node

You're right that this is not supported by the repoinit language so far.

As a workaround you might register a SlingRepositoryInitializer [1]
that does what you need.

But I agree that it would make sense to support this in repoinit. As
resource types are in the same "family" as node types I think best
is to expand the bracketed node type statements to something like

  (nt:unstructured mixin nt:versionable resourceType foo/bar)

WDYT?

I won't have time to do this myself in the next few days, though, but
we might at least create a ticket as I think it makes sense. Feel free
to do that if you want.

-Bertrand

[1] https://sling.apache.org/documentation/bundles/repository-initialization.html


Re: [ANN] New Apache Sling PMC Chair: Robert Munteanu

2017-11-16 Thread Bertrand Delacretaz
On Thu, Nov 16, 2017 at 3:25 PM, Carsten Ziegeler  wrote:
> ...it's my pleasure to announce that Robert took up the role as our new PMC
> chair

Congrats Robert and thank you for taking up this job!

And many thanks Carsten for several years of service!

-Bertrand


Re: SlingPostServlet File Upload Section Documentation Needs an Update

2017-10-06 Thread Bertrand Delacretaz
Hi,

On Thu, Oct 5, 2017 at 10:40 AM, Gaurav Sachdeva
 wrote:
> ..I have updated the file and created a Pull Request for the same...

Thanks, I have commented at https://github.com/apache/sling-site/pull/2

-Bertrand


Re: Rendering a Resource inside Sling / OSGi Service

2017-08-21 Thread Bertrand Delacretaz
Hi,

On Sat, Aug 19, 2017 at 5:59 PM, Andreas Schaefer  wrote:
> ...I use a SlingRequestProcessor but then I need to provide my own 
> implementation
> of an Http Servlet Request and Response...

http://sling.apache.org/documentation/bundles/servlet-helpers.html is
probably what you're looking for.

-Bertrand


CVE-2016-5394 : Apache Sling XSS vulnerability

2017-07-18 Thread Bertrand Delacretaz
Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Sling XSS Protection API 1.0.8

Description:
The encoding done by the XSSAPI.encodeForJSString() method is not
restrictive enough and for some input patterns allows script tags to
pass through unencoded, leading to potential XSS vulnerabilities.

Mitigation:
Users should upgrade to version 1.0.12 or later of the XSS Protection
API module.
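
To illustrate what "restrictive enough" means for a JavaScript string context, here is an added example (not the XSS Protection API's code and not the fix shipped in 1.0.12): a hypothetical encoder that passes only ASCII letters and digits through and escapes everything else, so that `<`, `/`, quotes and line terminators never reach the page literally. The sample inputs are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical allow-list encoder for values placed inside a JavaScript string literal. */
public final class JsStringEncoder {

    private JsStringEncoder() {}

    private static boolean isAsciiAlphanumeric(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    /**
     * Escapes every UTF-16 code unit that is not an ASCII letter or digit.
     * Code units below 0x100 become \xHH, all others become \\uHHHH, so
     * supplementary characters are emitted as an escaped surrogate pair.
     */
    static String encodeForJsString(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() * 4);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if (isAsciiAlphanumeric(c)) {
                out.append(c);
            } else if (c < 0x100) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    /** True if the encoded form contains nothing that can end a string or a script block. */
    static boolean isInert(String encoded) {
        for (int i = 0; i < encoded.length(); i++) {
            char c = encoded.charAt(i);
            // After encoding, only letters, digits and the backslash of an escape remain.
            if (!isAsciiAlphanumeric(c) && c != '\\') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed inputs: a closing script tag, quote characters, a line
        // separator (U+2028) and a supplementary character.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("script tag", "</script><script>");
        samples.put("quotes", "a'b\"c");
        samples.put("line separator", "x\u2028y");
        samples.put("supplementary", "\uD83D\uDE00");
        for (Map.Entry<String, String> e : samples.entrySet()) {
            String encoded = encodeForJsString(e.getValue());
            System.out.println(e.getKey() + " -> " + encoded + " inert=" + isInert(encoded));
        }
    }
}
```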


CVE-2016-6798 : Apache Sling XXE vulnerability

2017-07-18 Thread Bertrand Delacretaz
Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Sling XSS Protection API 1.0.0

Description:
The method XSS.getValidXML() uses an insecure SAX parser to validate
the input string, which allows for XXE [0] attacks in all scripts
which use this method to validate user input, potentially allowing an
attacker to read sensitive data on the filesystem, perform
same-site-request-forgery (SSRF), port-scanning behind the firewall or
DoS the application.

[0] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

Mitigation:
Users should upgrade to version 1.0.12 or later of the XSS Protection
API module.
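
As an added example (not the code of XSS.getValidXML() or of the fixed release), this is one way to configure a SAX parser so that validating untrusted input cannot trigger the entity resolution described above. The class name and sample documents are constructed; the feature URIs are the standard SAX and Xerces ones supported by the JDK's built-in parser.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/** Hypothetical well-formedness check that refuses DOCTYPEs and external entities. */
public final class HardenedXmlCheck {

    private HardenedXmlCheck() {}

    static XMLReader newHardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // Limits entity expansion and other resource use (mitigates expansion-based DoS).
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any document that carries a DOCTYPE: no DTD, no entity declarations.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth in case DOCTYPEs are ever re-enabled.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

        XMLReader reader = factory.newSAXParser().getXMLReader();
        // Last line of defense: never fetch anything the document points at.
        reader.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("External entity refused: " + systemId);
        });
        return reader;
    }

    /** Returns true only for well-formed XML that needs no DTD or external resource. */
    static boolean isAcceptableXml(String input) {
        if (input == null) {
            return false;
        }
        try {
            XMLReader reader = newHardenedReader();
            DefaultHandler handler = new DefaultHandler(); // fatalError() rethrows
            reader.setContentHandler(handler);
            reader.setErrorHandler(handler);
            reader.parse(new InputSource(new StringReader(input)));
            return true;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            // Fail closed: malformed input, a DOCTYPE, or a parser that cannot
            // be hardened all count as "not valid".
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed samples; the system identifier is a placeholder path.
        String plain = "<note><to>user</to></note>";
        String withDoctype =
                "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE note [<!ENTITY ext SYSTEM \"file:///constructed/placeholder\">]>"
                + "<note>&ext;</note>";
        String malformed = "<note><to>user</note>";

        System.out.println("plain:       " + isAcceptableXml(plain));
        System.out.println("withDoctype: " + isAcceptableXml(withDoctype));
        System.out.println("malformed:   " + isAcceptableXml(malformed));
    }
}
```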


Re: Adding bootdelegation during startup requires restart of instance

2017-07-10 Thread Bertrand Delacretaz
Hi Joerg,

On Wed, Jul 5, 2017 at 4:06 PM, Jörg Hoh  wrote:
> ...What I did:
> * Place all files in place
> * Added my bootdelegation statements to ${sling.home}/sling.properties
> * started up the instance...

AFAIK if you don't have a pre-existing sling state folder that should
cause bootdelegation to be set on the first startup of the OSGi
framework.

Debugging the startup code should help confirm that, and if I'm
correct it's something else that's preventing your bundle from
starting.

-Bertrand


[oak] FYI, Oakathon in Basel in August

2017-05-29 Thread Bertrand Delacretaz
Hi Sling users,

FYI the Oak team just announced a hackathon in Basel, August 21-25.

I'm relaying the info here as Sling users might be interested in
contributing to our storage layers or better understanding how they
work.
Please ask any specific questions on the oak-dev list.

See

https://wiki.apache.org/jackrabbit/Oakathon%20August%202017

and

https://lists.apache.org/thread.html/c973fbe36b02f3be658c543679c123a9d7525a0c390d828b83ce13ab@%3Coak-dev.jackrabbit.apache.org%3E

-Bertrand


Re: Sling pipes release

2017-04-28 Thread Bertrand Delacretaz
On Fri, Apr 28, 2017 at 12:28 AM, Correia
 wrote:
> ...The "ignoreImportProviders=json" is not a solution because I use JSON for
> all my content...

That option is per path, so I suppose if you isolate those .json files
in a specific path that should work - but maybe that prevents you from
creating the structure that the i18n bundle needs?

Worst case, using a JCR SystemView XML file should work but maybe
that's inconvenient to generate and edit.

-Bertrand


Re: Sling JSON i18n

2017-04-27 Thread Bertrand Delacretaz
Hi,

On Thu, Apr 27, 2017 at 1:01 PM, Correia
 wrote:
> ...I'm importing the files to the JCR repository via maven and i'm using JSON
> instead of XML...

Ah ok got it, your problem is how to provide those json files as
initial content in your source code, without them being interpreted by
the initial content loading mechanism.

https://sling.apache.org/documentation/bundles/content-loading-jcr-contentloader.html
should help for that, if you use the "ignoreImportProviders=json"
directive in your bundle's Sling-Initial-Content header the json files
should appear as is in the content repository.

The contrib/jcr/js/nodetypes module has an example.

Let us know if that works for you!

-Bertrand


Re: Sling JSON i18n

2017-04-27 Thread Bertrand Delacretaz
On Thu, Apr 27, 2017 at 12:14 PM, Correia
 wrote:
> ...What I wanted to do is having a pure JSON file like:
> {
> "hello": "Hello",
> "hello2": "Hello 2"
> }
>
> Is this possible...

Yes, as described in the docs.

The corresponding test is JcrResourceBundleTest.test_json_dictionary()
[1], it's not too readable as the json is created inline but should
provide the information that you're looking for.

-Bertrand

[1] https://github.com/apache/sling/blob/trunk/bundles/extensions/i18n/src/test/java/org/apache/sling/i18n/impl/JcrResourceBundleTest.java


Re: Securing a Servlet w/o Resource

2017-04-11 Thread Bertrand Delacretaz
Hi,

On Mon, Apr 10, 2017 at 10:15 PM, Andreas Schaefer Sr.  wrote:
> ...If I have a servlet that is not based on a resource how would
> I secure access in Sling?..

IIUC in your code you check for membership in a specific group - that
would probably work but it might be more flexible and manageable to
check that the current user has access to a specific "permissions
shadow" resource.

You could have a /permissions resource with specific children for
various operations like /permissions/send-email-to-example_com, and
have your servlet check read access to those based on operations
names.

-Bertrand
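
The "permissions shadow" check suggested in the reply above, as an added example that is not part of the original message or of Sling itself. The servlet path, the `operation` parameter and the class name are hypothetical; access control on the children of /permissions is assumed to be set up in the repository, so that a user who may not perform an operation cannot read the corresponding resource.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;

/** Hypothetical path-bound servlet that authorizes via read access to a shadow resource. */
@Component(service = Servlet.class, property = {
        "sling.servlet.paths=/bin/example/operations", // hypothetical path
        "sling.servlet.methods=POST"
})
public class OperationServlet extends SlingAllMethodsServlet {

    private static final long serialVersionUID = 1L;

    private static final String PERMISSIONS_ROOT = "/permissions/";

    // Operation names are a single path segment; anything else (slashes, dots,
    // empty values) is rejected before it is turned into a repository path.
    private static final Pattern OPERATION_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    /**
     * The request's ResourceResolver acts with the session of the authenticated
     * user, so getResource() returns null both when the shadow resource does
     * not exist and when the user has no read access to it. Both cases deny.
     */
    static boolean isAllowed(SlingHttpServletRequest request, String operation) {
        if (operation == null || !OPERATION_NAME.matcher(operation).matches()) {
            return false;
        }
        return request.getResourceResolver().getResource(PERMISSIONS_ROOT + operation) != null;
    }

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // For example operation=send-email-to-example_com, which maps to
        // /permissions/send-email-to-example_com as in the message above.
        String operation = request.getParameter("operation"); // hypothetical parameter
        if (!isAllowed(request, operation)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // The actual operation would run here.
        response.setContentType("text/plain");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write("ok");
    }
}
```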


Re: Fling Installation on Trunk

2017-03-29 Thread Bertrand Delacretaz
On Tue, Mar 28, 2017 at 8:48 PM, Oliver Lietz  wrote:
> -...The Fling sample is using modules (from trunk) which cannot be part of
> Launchpad...

> Nevertheless it works for others and some find it quite useful...

I have added a warning about snapshots to the Fling sample in
http://svn.apache.org/r1789329 - hopefully this helps and if not feel
free to tweak.

-Bertrand


Re: Best Sling samples for a beginner to look at?

2017-03-29 Thread Bertrand Delacretaz
On Tue, Mar 28, 2017 at 7:15 PM, Andreas Schaefer Sr.  wrote:
> ...Slingbucks is ok but it is outdated (as far as I can tell) using ESPs
> and not using HTL and Sling Models

FWIW it's always been important for Sling to avoid imposing too much
in terms of scripting languages and let users select what works best
for them.

So although there's probably many more people using HTL and Sling
Models than ESP today, I don't think this makes ESP outdated - it's
different ways of working, for different purposes and styles.

-Bertrand


Re: Export content as JSON ready to be imported

2017-03-28 Thread Bertrand Delacretaz
Hi,

On Tue, Mar 28, 2017 at 11:25 AM, Guillaume Lucazeau
 wrote:
> ...Considering the lack of responses, Re-importing exported JSON, including
> the privileges, doesn't seem to be a feature that lots of people need, so I
> will try to patch the importer on my own :)..

I actually have a use case for this on my list, but that's a long list
so I'm not sure when I'll start working on it.

> ...I was wondering if pull requests on Github are the best way to submit
> patches to Sling, or if you prefer diff files attached to a ticket...

We need a jira ticket in any case, but submitting patches as pull
requests works.

Looking forward to your contributions!

(and don't forget the tests ;-)

-Bertrand


Re: Best Sling samples for a beginner to look at?

2017-03-28 Thread Bertrand Delacretaz
Hi Greg,

On Tue, Mar 28, 2017 at 6:21 AM, Greg Fullard  wrote:
> ...The only ones that have been touched in the last year are:
>  - Slingshot
>  - Slingbucks
>  - Fling (the one Andy mentioned) ...

I can really only speak about Slingbucks - that one is relevant and up
to date, it's a small thing but demonstrates important basic concepts.

-Bertrand


Re: [1.0.0] Sling metrics one bundle works other does not register?

2017-03-22 Thread Bertrand Delacretaz
On Fri, Mar 17, 2017 at 11:34 PM, nino martinez wael
 wrote:
> ...The metric service are discovered as it should but this line below, never
> impacts the sling metrics frontend listing:
> getMetricsService().counter("Webadmin.renderings").increment(); ..

Did you restart your Sling instance since installing the bundle that
has that code?

I don't have a precise diagnostic so far but I've seen instances where
updating a bundle to a version that includes metrics does nothing
until Sling is restarted.

-Bertrand


Re: How to set up a servlet to return HTTP error status instead of redirecting to the login form?

2017-03-01 Thread Bertrand Delacretaz
On Tue, Feb 28, 2017 at 10:17 PM, John Logan  wrote:
> ...The SlingAuthenticator.doLogin() method first
> calls AuthUtil.isBrowserRequest(), and if the return value is true, then
> calls AuthUtil.isAjaxRequest().  This method returns true if the following
> header is present:
>
> X-Requested-With: XMLHttpRequest ...

Ah ok, great! I had forgotten about this feature, thanks for sharing
your solution.

-Bertrand


Re: How to set up a servlet to return HTTP error status instead of redirecting to the login form?

2017-02-28 Thread Bertrand Delacretaz
Hi John,

On Mon, Feb 27, 2017 at 10:11 PM, John Logan  wrote:
> ...I receive 302 if the curl request includes the user agent, and
> 401 otherwise

AFAIK it's the AuthUtil.isBrowserRequest method [1] that makes this decision.

>  I don't think this helps for browser AJAX requests, though...

You might be able to tweak your request to work around this, based on
that source code?

Or maybe catch the 302 response and implement the behavior that you need.

-Bertrand

[1] 
https://svn.apache.org/repos/asf/sling/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java


Re: How to create Rest APIs for non-JCR data in Sling 8??

2017-02-01 Thread Bertrand Delacretaz
Hi Lance,

On Tue, Jan 31, 2017 at 10:25 PM, lancedolan  wrote:
> Aha! Solved Here's my solution for posterity

thanks for sharing!

Note that (and maybe I should have tried that earlier, sorry) you can
also use our planets resource example on Sling 8 by building it as
follows:

svn co -r1660344 https://svn.apache.org/repos/asf/sling/trunk/launchpad/test-services
rm -f $(find src -type f | grep -v Planet)
mvn clean install

...load and start the resulting bundle on Sling 8, it has just the
planets resource provider then

With this the following requests work for me:

curl http://localhost:8080/planets/earth.tidy.2.json

curl http://localhost:8080/planets.tidy.2.json

-Bertrand


Re: Sling Health Checks

2017-01-31 Thread Bertrand Delacretaz
Hi.

On Tue, Jan 31, 2017 at 9:23 AM, Georg Henzler  wrote:
> ...nobody stops you to make the HC
> component also provide an additional, custom MBean that shares some
> additional result properties of the HC execution to other services

Or maybe put that additional information in its own MBean, and use HC
just to check that those values are in range - that might be a better
separation of concerns.

-Bertrand


Re: How to create Rest APIs for non-JCR data in Sling 8??

2017-01-30 Thread Bertrand Delacretaz
Hi Lance,

On Fri, Jan 27, 2017 at 10:27 PM, lancedolan  wrote:
> ...Bertrand suggests creating a ResourceProvider, as in the example here [1].
> However, that uses the spi package which is not in version 2.9.0 of
> org.apache.sling.api, and thus, not available to me in Sling 8

We might need to release Sling 9 soon, in general that's "only" a
question of getting all tests to run with the specific list of bundles
that we're releasing.

> ...The result is that I get a 403 response. How do I control the
> authentication for resources that don't actually exist?...

As Henry indicates, if you can back part of your resource provider
with JCR nodes that should help.

> ...Finally, I'd much prefer to use Jersey if possible...

That's certainly doable but IMO mixing models like this adds
complexity without adding much value.

Maybe we just need to flesh out examples like Henry's in actual samples.

Lance, would that help you?

Henry, could you turn your example into code, or at least into a
skeleton that I could translate into a complete sample?

-Bertrand


Re: Not-sticky sessions with Sling?

2017-01-19 Thread Bertrand Delacretaz
Hi Lance,

On Wed, Jan 18, 2017 at 11:21 PM, lancedolan  wrote:
> ...Bertrand, I'd feel selfish taking you up on your offer to build this for
> me. Yet I'd be a fool to not at least partner with you to get it done. Should we
> correspond outside this mail list?...

I understand you're probably looking at a different solution now but
just wanted to clarify this: the Sling dev list would be the place to
discuss such things, no need for off-list communications.

-Bertrand


Re: Not-sticky sessions with Sling?

2017-01-18 Thread Bertrand Delacretaz
On Wed, Jan 18, 2017 at 12:48 PM, Chetan Mehrotra
 wrote:
> ...there is a "asyncDelay" setting in DocumentNodeStore which
> defaults to 1 sec. Currently its not possible to modify it via OSGi
> config though

But Lance could patch [1] to experiment with different values, right?
And then replace the oak-core bundle in Sling, starting with the right
version for patching, the one his Sling instance currently uses.

-Bertrand

[1] 
http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/document/DocumentNodeStore.java


Re: Not-sticky sessions with Sling?

2017-01-18 Thread Bertrand Delacretaz
Hi Lance,

On Wed, Jan 18, 2017 at 2:43 AM, lancedolan  wrote:
> ...It pretty much always takes 1 second exactly for a Sling instance to get
> the latest revision, and thus the latest data. When not 1 second, it takes 2
> seconds exactly

I don't know enough about Oak internals to give you a precise answer
here but this 1 second increment vaguely rings a bell, based on
discussions with Chetan when working on our adaptTo demo [1].

Chetan is one of the few Sling committers who's deep into Oak as well,
hopefully he can comment on this but otherwise best would be to ask on
the Oak dev list about that specific issue, as I think this delay is
entirely Oak dependent.

Apart from that, handling such things at the client level could be
valid - as you say if you had a way to send the current revision
number to the client (in an opaque way probably) it could add a header
to its next request saying that it wants to see that revision, and
Sling/Oak could block that request until that revision is available. I
suppose a one or two second delay that happens only rarely is
acceptable if it makes your system easier to scale, and hopefully that
1-second cycle can be configured to be shorter. I'm willing to help
make this functionality available if you don't find a better way, as I
think it can be generally useful.

-Bertrand

[1] https://github.com/bdelacretaz/sling-adaptto-2016


Re: Not-sticky sessions with Sling?

2017-01-16 Thread Bertrand Delacretaz
Hi,

On Mon, Jan 16, 2017 at 9:16 PM, lancedolan  wrote:
> ...this probably shoots down our entire Sling
> proof of concept project...

That would be a pity, as I suppose you're starting to like Sling now ;-)

> ...Is there any way
> to force all reads to read the most recent revision, perhaps through some
> configuration?...

As Chetan says that's a question for the Oak dev list, but from a Sling
point of view having that option would be useful IMO.

If the clustered Sling instances can get consensus on what the most
recent revision is (*), having the option for Oak to block until it
sees that revision sounds useful in some cases. That should probably
happen either on opening a JCR Session or when Session.refresh() is
called.

-Bertrand

(*) which might require an additional consensus mechanism, maybe via
Mongo if that's what you're using?


Re: How to change run mode in Sling8

2017-01-13 Thread Bertrand Delacretaz
Hi Lance,

On Fri, Jan 13, 2017 at 1:54 AM, lancedolan  wrote:
> ...It's just some text files that neatly describe
> which OSGI bundles and configurations (including run modes) you'd like
> present in a new .war file which is then built using *actual* sling
> artifacts from completely different projects

Indeed!

There are some docs about this at
https://sling.apache.org/documentation/development/slingstart.html
(and patches welcome on that as usual)

-Bertrand


Re: Lock on LOCAL_REVISONS table

2016-11-29 Thread Bertrand Delacretaz
Hi,

On Tue, Nov 29, 2016 at 4:39 PM, JMR  wrote:
> ...Do you know this kind of problem and how to solve it?...

Maybe someone here can help (I can't) but this looks more like a pure
Jackrabbit problem, maybe related to
https://issues.apache.org/jira/browse/JCR-3738 ?

-Bertrand


Re: Need help in implementing Sling Context Aware Configuration

2016-11-20 Thread Bertrand Delacretaz
On Fri, Nov 18, 2016 at 8:36 AM, Gopal Agarwal  wrote:
...
> ResourceResolver resourceResolver = request.getResourceResolver();
> Resource contentResource = (Resource) resourceResolver.getResource("/content/ubi/test");
> ValueMap props = contentResource.adaptTo(ConfigurationBuilder.class).asValueMap();...

You should check whether contentResource is null before using it: as
per [1] getResource(..) returns null if the resource is not present or
cannot be read.

-Bertrand

[1] 
https://sling.apache.org/apidocs/sling7/org/apache/sling/api/resource/ResourceResolver.html


Re: Creating a service user for your own bundle

2016-11-07 Thread Bertrand Delacretaz
On Mon, Nov 7, 2016 at 12:19 PM, Oliver Lietz  wrote:
> .. and a service which executes repoinit statements at runtime (not sure
> if Carsten already created an issue for that)

You can already do that today by passing the output of a
RepoInitParser to a JcrRepoInitOpsProcessor.

-Bertrand


Re: Creating a service user for your own bundle

2016-11-07 Thread Bertrand Delacretaz
On Mon, Nov 7, 2016 at 12:01 PM, Carsten Ziegeler <cziege...@apache.org> wrote:
> Bertrand Delacretaz wrote
>>... That's a nice model but IIUC Carsten earlier in this thread OSGi
>> capabilities cannot be created at runtime so that won't work for
>> service users or access rights.
>
> I just had the crazy idea that we could generate them at runtime by
> creating an artificial bundle providing the capabilities. When the
> capabilities change, that bundle could be updated

I like crazy ideas in general, but service users might appear later
during startup, at a time where bundles that need them are already
started so not sure if the dynamics would work.

If we want to keep the usual dynamics of OSGi, the service model is
probably better - IIRC we are already using somewhere fake services
with properties that act like capabilities, something like depending
on a ServiceUserPresent(target="my-service-user") service. I forgot
where that is.

-Bertrand


Re: Creating a service user for your own bundle

2016-11-07 Thread Bertrand Delacretaz
On Mon, Nov 7, 2016 at 11:20 AM, Oliver Lietz  wrote:
> ...If a bundle requires a capability the system has to provide that capability
> otherwise the bundle would not resolve

That's a nice model but IIUC Carsten earlier in this thread OSGi
capabilities cannot be created at runtime so that won't work for
service users or access rights.

If we want to express the access requirements of bundles or services
in a self-explaining way we could use the repoinit syntax (maybe
tweaked to be more declarative) and implement a service that checks
whether those expectations are met.

Having a way to verify the conformance of a Sling instance with a set
of repoinit statements would be useful anyway - but that's not
implemented so far.

-Bertrand


Re: Creating lots of nodes

2016-10-31 Thread Bertrand Delacretaz
Hi,

On Fri, Oct 28, 2016 at 4:55 PM, Christoph Thodte
 wrote:
> ...My importer is very fast for the 30.000 nodes than it will be very slow
> down

It's not likely that Sling is the cause of this, but to find out the
best way by far is profiling or at least looking at DEBUG log messages
to get a feel for what's being slow.

-Bertrand


Re: OO style inheritance of master website to child websites

2016-10-20 Thread Bertrand Delacretaz
Hi,

On Thu, Oct 20, 2016 at 2:28 PM, Carsten Steckel
 wrote:
> ...Inheritance comes to mind where a Master website is defined and every child
> inherits its masters config, content, assets, ... but overwrites if
> necessary...

The Sling Resource Merger [1] goes in that direction but I haven't
heard so far from people using it in the way that you mention, what
I've seen is simpler use cases where configuration-like resources are
being merged.

But if you stick to the Sling Resource API (as opposed to JCR) and
manage access rights carefully it might work for your use case.

-Bertrand

[1] https://sling.apache.org/documentation/bundles/resource-merger.html


Re: [Service Ranking] WebDAV Handlers are being managed in reverse order of service ranking.

2016-09-14 Thread Bertrand Delacretaz
Hi,

On Tue, Sep 13, 2016 at 10:17 AM, Anshika Agarwal
 wrote:
>> ...the lowest ranked service get the chance to process first.
>> In contradiction, the sling documentation states that it should be that
>> higher ranking is given preference over lower one. See [3]  ...

This is wrong indeed but let's not change the implementation, we
already have a similar case with filters IIRC which introduced
problematic backwards compatibility issues.

There's no set rule about the semantics of service ranking order at
the application level, we just need to have correct documentation.

Please create a jira ticket about fixing the docs, with your
explanation, so that things are consistent.

-Bertrand


Re: User Defined Token Substitution in Content

2016-09-12 Thread Bertrand Delacretaz
Hi Adam,

On Sun, Sep 11, 2016 at 10:19 PM, Adam Henderson
 wrote:
> .../content/products/product1
> - description : string = “This is the description of Product 1, hurry - discount of $JCR[‘/content/promotions/discounts:holidayspecialdiscount’]% applies!” ...

> I would like Sling to resolve the $JCR token so that what is shown to the
> user would be:
>
> "This is the description of Product 1, hurry - discount of 10% applies!" ...

I don't think we have a component that does this out of the box.

I suppose you could approach it by treating that string as input for a
templating engine like Velocity or Thymeleaf, but it means giving
control over scripts to whoever can write to that product1 node, so
you have to be careful to avoid security issues.

-Bertrand
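
A narrower alternative to the templating-engine approach mentioned above, as an added example that is not part of the original thread or any Sling module: a substitutor that recognises only the $JCR['path:property'] token and nothing else, so whoever can write to the product node gains no script execution. The class name, the allowed root and the lookup function are assumptions, the token is written with straight quotes, and the sample data is constructed.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.BiFunction;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class JcrTokenSubstitutor {

    // $JCR['/absolute/path:propertyName'] with a conservative character set:
    // dots are not allowed in the path, so ".." segments cannot appear.
    private static final Pattern TOKEN =
            Pattern.compile("\\$JCR\\['(/[A-Za-z0-9_/-]+):([A-Za-z0-9_]+)'\\]");

    private final String allowedRoot;
    private final BiFunction<String, String, Object> lookup;

    /**
     * @param allowedRoot only paths below this root may be referenced
     * @param lookup      (path, property) to value, or null if absent. In Sling
     *                    this could be backed by a ResourceResolver that has
     *                    read access to allowedRoot only (an assumption here).
     */
    public JcrTokenSubstitutor(String allowedRoot,
                               BiFunction<String, String, Object> lookup) {
        this.allowedRoot = allowedRoot.endsWith("/") ? allowedRoot : allowedRoot + "/";
        this.lookup = lookup;
    }

    /**
     * Replaces each token once, in a single pass. Substituted values are never
     * re-scanned, so a value that itself contains a token is not expanded.
     * Tokens outside the allowed root or without a value are left as written.
     */
    public String substitute(String text) {
        Matcher m = TOKEN.matcher(text);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String replacement = m.group();
            if (m.group(1).startsWith(allowedRoot)) {
                Object value = lookup.apply(m.group(1), m.group(2));
                if (value != null) {
                    replacement = escapeHtml(String.valueOf(value));
                }
            }
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Values end up in rendered pages, so treat them as untrusted text.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed stand-in for repository content.
        Map<String, Object> store = new HashMap<>();
        store.put("/content/promotions/discounts:holidayspecialdiscount", 10);
        store.put("/content/promotions/discounts:banner", "<b>SALE</b>");
        store.put("/home/users/admin:password", "not-for-display");

        JcrTokenSubstitutor s = new JcrTokenSubstitutor(
                "/content/promotions", (path, prop) -> store.get(path + ":" + prop));

        System.out.println(s.substitute("This is the description of Product 1, hurry - discount of "
                + "$JCR['/content/promotions/discounts:holidayspecialdiscount']% applies!"));
        // Markup in a value is escaped; a path outside the allowed root is not resolved.
        System.out.println(s.substitute("$JCR['/content/promotions/discounts:banner'] "
                + "$JCR['/home/users/admin:password']"));
    }
}
```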


Re: Sling in Karaf not working well

2016-09-06 Thread Bertrand Delacretaz
Hi,

On Tue, Sep 6, 2016 at 9:32 AM, Mike Hummel  wrote:
> ...I try to run sling in karaf but have an issue with the Authentication
> Support

Did you use the Karaf features provided under
https://svn.apache.org/repos/asf/sling/trunk/karaf/ ?

I don't think they are released yet but AFAIK they are tested and
should provide the right combinations of bundles.

(I'm not familiar with them, Oliver Lietz will probably add more precise info)

-Bertrand


Re: Custom installer: watch for data files to transform them in resources

2016-08-02 Thread Bertrand Delacretaz
Hi Guillaume,

On Mon, Aug 1, 2016 at 4:50 PM, Guillaume Lucazeau  wrote:
> ...I was thinking I could upload JSON files in a watched folder, containings
> information for the command (type, root path, data to update etc.) and that
> a service could read them, and create "tasks" resources, that later my
> command consumer would handle

The OSGi Installer does something similar but it's really about
installing and removing things, in your case I assume once a command
is executed you don't want to keep track of it anymore so not sure if
it's a good model. Writing an adapter (for a specific file extension
for example) shouldn't be hard however, if you want to try this
approach.

OTOH the file system provider for the Installer does a lot of what you
need and you might be able to adapt its code, but in the meantime I
suspect commons IO's FileAlterationObserver [1] would work for you
without having to write much code.

-Bertrand

[1] 
https://commons.apache.org/proper/commons-io/javadocs/api-2.4/org/apache/commons/io/monitor/FileAlterationObserver.html


Re: One Resource to multiple views in different locations

2016-07-12 Thread Bertrand Delacretaz
On Tue, Jul 12, 2016 at 3:56 PM, Jason E Bailey  wrote:
> ...When discussing different views for a resource, the key thing is that a
> URL should define one view. If you want a resource to be displayed in
> different ways, you want to modify the URL to be different. Either by
> extension or selector...

+1, that's how Sling sees things.

-Bertrand


Re: Deploying a bundle with configuration removes other configuration saved with Felix web console

2016-07-06 Thread Bertrand Delacretaz
Hi,

On Wed, Jul 6, 2016 at 11:17 AM, Guillaume Lucazeau  wrote:
> ...3. I deploy bundle-ui with the Maven Sling plugin. During deployment, I see
> it removes the configuration previously set...
...
> [JcrInstaller.1] INFO  o.a.s.i.p.jcr.impl.JcrInstaller - Deleting
> WatchedFolder:/apps/sling/install, path does not exist anymore ..

Does the deployment of your bundle-ui cause that /apps/sling/install
folder to be deleted?

From what you say it looks like it shouldn't, but maybe its initial
content config causes that, and that's not desired AFAICS.

(just saw Carsten's message, similar hypothesis ;-)

-Bertrand


Re: Deploying a bundle with configuration removes other configuration saved with Felix web console

2016-07-06 Thread Bertrand Delacretaz
Hi Guillaume,

On Wed, Jul 6, 2016 at 9:01 AM, Guillaume Lucazeau  wrote:
> ...I've found out that if a configuration is initialized through a
> sling:OsgiConfig node in a config.json file in /libs/myApp/install, the
> configuration (even modified through the web console) is not removed by the
> JCR Installer when I deploy another bundle...

I'm not sure if I understand exactly what you are doing, can you
clarify in the form of a simple scenario that we can use to reproduce
your issue? A test case is even better if you have one.

-Bertrand


Re: Response content type when url has no extension

2016-06-23 Thread Bertrand Delacretaz
Hi,

On Wed, Jun 22, 2016 at 4:19 PM, Jason Bailey  wrote:
> ...Under
> org.apache.sling.servlets.resolver
> for the property servletresolver.defaultExtensions ...

This is not for the use case discussed here, as explained in that
parameter's OSGi config description:

servletresolver.defaultExtensions.name = Default Extensions
servletresolver.defaultExtensions.description = The list of extensions
for which the default behavior \
 will be used. This means that the last path segment of the resource
type can be used as the script name.

So it's only meant to define which extensions use this "script name
can have resource name for extension FOO" logic, but still requires
the request to have an extension.

-Bertrand


Re: Response content type when url has no extension

2016-06-22 Thread Bertrand Delacretaz
Hi,

On Wed, Jun 22, 2016 at 12:39 AM, Ben Fortuna  wrote:
> ...Should this be handled in sling or is it common practice to use another
> mechanism to redirect / to /index.html? ...

I suspect people often use front-end rewriters like mod_rewrite to add
extensions to URLs which have none.

Having a configurable default extension in Sling might be interesting,
but we'd probably need to limit it to specific paths, or make that
just an extension point.

-Bertrand


Re: Use of request/resource wrappers

2016-04-27 Thread Bertrand Delacretaz
Hi,

On Wed, Apr 27, 2016 at 11:16 AM, Guillaume Lucazeau
 wrote:
> ...My application is supposed to have a "presentation mode" that disables
> editing capabilities on content

Can't you use access control for that?

For example give read only access to the anonymous user and read/write
to logged in content authors.

-Bertrand


Re: [import] how to POST ordered structures

2016-04-20 Thread Bertrand Delacretaz
Hi Nicolas,

On Wed, Apr 20, 2016 at 11:11 AM, Nicolas Peltier  wrote:
> ...so to me ootb i have 2 choices...

OOTB yes, the alternative being to extend the POST servlet to do what
you need, as it's generally useful.

-Bertrand


Re: [import] how to POST ordered structures

2016-04-20 Thread Bertrand Delacretaz
Hi,

On Tue, Apr 19, 2016 at 6:11 PM, Nicolas Peltier  wrote:
> json objects’ key values are not ordered, so does that mean there is no choice
> but to use xml to POST ordered structure?...

Could you use arrays instead of objects in your POST requests to keep ordering?

I don't remember how our default POST servlet or content loader handle
that so you might need to experiment.

Similarly, our json GET servlet [1] uses an .harray selector to switch
to arrays instead of objects to keep ordering.

-Bertrand

[1] 
https://sling.apache.org/documentation/bundles/rendering-content-default-get-servlets.html#default-json-rendering


Re: Websockets in Sling

2016-04-05 Thread Bertrand Delacretaz
On Tue, Apr 5, 2016 at 12:03 PM, Olaf  wrote:
> ...I've gotten it to work by wrapping the init() method in a try/catch block
> temporarily setting the context class loader to the current bundle's class 
> loader.
> This did the trick

Cool!

Is this something worth contributing to Sling, or maybe just worth of
a how-to document?

A list of links on the Sling website is long overdue anyway, so if you
publish a how-to somewhere we can also just link to it.

-Bertrand


Re: Websockets in Sling

2016-04-05 Thread Bertrand Delacretaz
Hi Olaf,

On Tue, Apr 5, 2016 at 11:11 AM, Olaf  wrote:
> ...Has anyone implemented a server-side websocket in Sling? While the jetty
> API is around, I'm not sure how to make best use of it and how this works in
> conjunction with @SlingServlet & co

A few experiments exist, like
https://github.com/bobpaulin/sling-websocket and SLING-4616 was
created a year ago to investigate this but I don't think we have something
in our "official" modules.

I'm not sure if it's a Sling concern or rather a Felix HTTP service
concern, however - there were some discussions in Felix a while ago
[1] including interesting pointers.

I support creating a "Sling native" option for web sockets...as long
as people promise not to abuse them ;-)

-Bertrand

[1] http://felix.markmail.org/thread/ems4ih7653pvtkz5


Re: New to Sling

2016-03-31 Thread Bertrand Delacretaz
Hi,

On Wed, Mar 30, 2016 at 9:56 PM, Raymond Auge  wrote:
> Used a Sling thing today for the first time! OSGi-Mocks [1] ...

Welcome!

Our docs are not always fantastic, so feel free to ask questions here.
We have lots of samples and examples around.

-Bertrand


Re: Sling 8 standalone jar

2016-01-18 Thread Bertrand Delacretaz
On Mon, Jan 18, 2016 at 2:17 PM, Roll, Kevin  wrote:
> ...I'll take a look at the plugin

BTW there are some docs at
https://sling.apache.org/documentation/development/slingstart.html but
I haven't checked recently if they are up to date - the Truth Is In
The Code as usual and feel free to report anything incorrect in those
docs.

-Bertrand


Re: Sling 8 standalone jar

2016-01-18 Thread Bertrand Delacretaz
Hi,

On Fri, Jan 15, 2016 at 9:28 PM, Roll, Kevin  wrote:
> We build our own standalone jar which includes an overridden Main class as
> well as several custom bundles that contain our functionality...

I'm curious why you needed a custom Main class - not saying it's wrong
but maybe we can do something at the Sling level to make your life
easier.

To build your own launcher now best is to use the slingstart plugin,
there's several examples in our codebase. You can then add your
bundles in a provisioning model file.

-Bertrand


Re: Fake request/response classes

2016-01-14 Thread Bertrand Delacretaz
On Wed, Jan 13, 2016 at 11:58 PM, Stefan Seifert  wrote:
> ... https://issues.apache.org/jira/browse/SLING-5428 ...

Thanks for this new servlet-helpers module!

I have mentioned it in the SlingRequestProcessor javadocs (rev
1724549) and added minimal docs at
http://sling.apache.org/documentation/bundles/servlet-helpers.html

-Bertrand


Re: How to create a proper System User for Services?

2016-01-06 Thread Bertrand Delacretaz
Hi,

On Wed, Jan 6, 2016 at 11:35 AM, olimination  wrote:
> ...For creating such service users we still need to do a
> ".loginAdministrative()", but this method is actually deprecated. How do
> you handle this? Should we use then the JCR API directly instead of the
> SlingRepository?...

We're still debating how to best handle/mark such cases where it is
legit to use an admin session - see
https://issues.apache.org/jira/browse/SLING-5135

-Bertrand


Re: How to create a proper System User for Services?

2015-12-22 Thread Bertrand Delacretaz
Hi,

On Fri, Dec 18, 2015 at 10:35 AM, Robert Munteanu  wrote:
> ...We are also working on a solution for a more declarative approach, see
>   https://issues.apache.org/jira/browse/SLING-5355 ...

And you could use that code [1] as an example to create system users
programmatically. It's a work in progress right now but that part
works.

-Bertrand

[1] 
https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/acldef/oak-jcr


Re: How to create a proper System User for Services?

2015-12-21 Thread Bertrand Delacretaz
Hi,

On Mon, Dec 21, 2015 at 2:29 PM, olimination  wrote:
> ...According to SLING-5355 the Provisioning Model will be extended with this
> ability to create service users. Would it also be an idea to offer such
> possibility during Content Loading?...

The code I'm writing for SLING-5355 will be reusable outside of the
provisioning model, so you'll be able to use it in your bundles if
that makes sense in your environment.

I'm not sure if we want to mix this with the content loading out of
the box, but we should at least provide ways to extend those content
loading features (which might already be possible, I forgot if that's
the case).

-Bertrand


Re: Fake request/response classes

2015-12-21 Thread Bertrand Delacretaz
Hi,

On Mon, Dec 21, 2015 at 4:30 PM, Stefan Seifert  wrote:
> ...here are the classes
> https://svn.apache.org/repos/asf/sling/trunk/testing/mocks/sling-mock/src/main/java/org/apache/sling/testing/mock/sling/servlet
>
> most of them have no dependencies except some to commons-lang and guava which
> could be eliminated if required...

I think the best would be to create a new commons/servlet-helpers
bundle with those classes, and minimize their dependencies, removing
at least guava.

I prefer keeping the engine bundle as lean as possible.

-Bertrand


Re: Upgrading an installation

2015-11-02 Thread Bertrand Delacretaz
Hi,

On Fri, Oct 30, 2015 at 8:16 PM, Roll, Kevin  wrote:
> ...The problem comes when we upgrade to a new version and provide a
> newer standalone launcher

Could you provide a minimal example (source code) that demonstrates the problem?

I'm not saying it does not happen, just want to make sure we test it
with the exact same setup as you do.

-Bertrand


Re: Control JcrInstaller (OsgiInstaller) Behavior of Bundle Updating vs Installing

2015-09-22 Thread Bertrand Delacretaz
On Tue, Sep 22, 2015 at 8:36 AM, Julian Sedding  wrote:
> ...By specifying the desired deployment state in a provisioning model file,
> the installer could make sure it has all required artifacts available (e.g.
> local folder, maven repository, etc). Once that is the case it could
> update/install/uninstall as it sees fit in order to attain the desired
> system state

I've also been thinking about this lately.

Are you thinking of an absolute approach as in "here's your new
provisioning model, forget everything and move to that new state" or a
relative/incremental one where a partial provisioning model specifies
additions and exclusions?

The former moves us closer to the immutable instances idea, which I
like, but might be harder to manage when starting from a different
model.

Creating an installer provider based on the provisioning model
shouldn't be hard in itself, but managing priorities and overrides
between the various installation tools could be trickier.

-Bertrand


Re: Further clarification of SLING-2512

2015-08-24 Thread Bertrand Delacretaz
On Mon, Aug 24, 2015 at 4:08 PM, steven.walters
steven.walt...@icidigital.com wrote:
> ...If the intent was to not allow absolute URLs in the XML format to exclude
> the possibility of arbitrary content, then that should've been the
> approach taken instead of the current approach of simply not importing if
> the would-be URL spec (/baseLocation/ here) is null

Absolute URLs are fine, it's local file references that can be
problematic, similar to your example.

-Bertrand


Re: Further clarification of SLING-2512

2015-08-24 Thread Bertrand Delacretaz
Hi,

On Fri, Aug 21, 2015 at 3:13 AM, Steven Walters
steven.walt...@icidigital.com wrote:
> ...Is there any additional detail as to why SLING-2512 is a bug exactly, in
> that it is classified as should not be allowed?...

I had another look and the functionality that SLING-2512 disables
could in certain cases allow arbitrary files to be imported in the
repository, which we don't want of course.

So it's correct for this to be disabled now, if you need it in your
environment I see two ways

a) Implement your own variant of that :import operation

b) Use a post-processor that imports the files - you might import only
their names/URLs from the XML and write an observation-triggered
processor that validates their names/locations and if valid imports
them.

-Bertrand
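
The validation step of option b) could look like the following, as an added example that is not part of the original thread or the Sling POST servlet: it accepts absolute http/https URLs and accepts a local file reference only when it resolves to a regular file inside one configured directory. The class name and the allowed root are assumptions, and the sample files are created in a temporary directory.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;

public final class ImportLocationValidator {

    private final Path allowedRoot;

    public ImportLocationValidator(Path allowedRoot) throws IOException {
        // Resolve symlinks once so later comparisons use canonical paths.
        this.allowedRoot = allowedRoot.toRealPath();
    }

    /** Returns true if a file reference found in imported XML may be fetched. */
    public boolean isAllowed(String location) {
        if (location == null || location.isEmpty()) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(location);
        } catch (URISyntaxException e) {
            return false; // anything that is not a well-formed URI is rejected
        }
        try {
            String scheme = uri.getScheme();
            if (scheme == null) {
                // Relative or absolute path: resolve against the allowed root.
                return isInsideRoot(allowedRoot.resolve(location));
            }
            switch (scheme.toLowerCase(Locale.ROOT)) {
                case "http":
                case "https":
                    return uri.getHost() != null;
                case "file":
                    return isInsideRoot(Paths.get(uri));
                default:
                    return false; // jar:, ftp:, ... are not needed, so not allowed
            }
        } catch (IllegalArgumentException e) {
            return false; // invalid path or file URI with an authority part
        }
    }

    private boolean isInsideRoot(Path candidate) {
        try {
            // toRealPath() collapses ".." and follows symlinks, so the prefix
            // check is done on the file that would actually be read.
            Path real = candidate.toRealPath();
            return real.startsWith(allowedRoot) && Files.isRegularFile(real);
        } catch (IOException e) {
            return false; // missing or unreadable files are rejected
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/import/logo.png and <tmp>/secret.txt
        Path tmp = Files.createTempDirectory("import-demo");
        Path root = Files.createDirectory(tmp.resolve("import"));
        Files.write(root.resolve("logo.png"), new byte[] { 1, 2, 3 });
        Files.write(tmp.resolve("secret.txt"), "constructed".getBytes());

        ImportLocationValidator v = new ImportLocationValidator(root);
        String[] samples = {
            "logo.png",
            "../secret.txt",
            tmp.resolve("secret.txt").toUri().toString(),
            root.resolve("logo.png").toUri().toString(),
            "https://example.com/logo.png",
            "jar:file:/tmp/x.jar!/y"
        };
        for (String s : samples) {
            System.out.println((v.isAllowed(s) ? "ALLOW  " : "REJECT ") + s);
        }
    }
}
```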


Re: Further clarification of SLING-2512

2015-08-21 Thread Bertrand Delacretaz
Hi,

On Fri, Aug 21, 2015 at 3:13 AM, Steven Walters
steven.walt...@icidigital.com wrote:
> ...as a result, this completely blocks being able to have absolute URLs in
> the imported XML content in this scenario...

Could you provide a minimal example of what doesn't work for you?

Maybe an example XML file, indicating what doesn't match your
expectations after importing.

-Bertrand


Re: quick way to see all service user mappings?

2015-08-06 Thread Bertrand Delacretaz
On Thu, Aug 6, 2015 at 6:36 PM, Rob Ryan rr...@adobe.com wrote:
> There is also /system/console/status-Configurations where searching for
> user.mapping will find the mappings

It will find the mapping configurations, right?

The SLING-4930 InventoryProvider shows the actual mappings used by the
ServiceUserMapper, which I suppose might be different in some cases if
there are collisions or config priority issues.

-Bertrand


Re: Greetings and IRC consult

2015-07-06 Thread Bertrand Delacretaz
On Mon, Jul 6, 2015 at 3:37 PM, Jason Bailey jason.bai...@sas.com wrote:
> ...anything that could actually create an actual sling community would be a
> positive step

Why do you think such a community cannot happen here?

Questions and discussions are welcome, we do our best to reply, and
the asynchronous nature of our lists works well for the current
community, IMO.

-Bertrand


Re: Greetings and IRC consult

2015-07-06 Thread Bertrand Delacretaz
Hi,

On Mon, Jul 6, 2015 at 8:57 PM, Jason Bailey jason.bai...@sas.com wrote:
> ...It's not like I don't think a community can happen out of this mailing
> list. It's that I
> don't believe that it has happened for Sling yet

I tend to agree, but given the current small size of the Sling
community, scattering communications channels might not help. People
starting to talk more here would help more IMO.

-Bertrand


Re: register sling post processor by resourcetype. what is the state?

2015-05-27 Thread Bertrand Delacretaz
Hi,

On Fri, May 22, 2015 at 10:55 AM, Santiago García Pimentel
santiago.pimen...@netcentric.biz wrote:
> ...I've been looking at sling post processor and I noticed that the idea of
> being able to register them by resourcetype has been raised on more than
> one occasion [0],[1]...

I don't think there's been any progress on this - there's several
places where selecting things based on their resource type, with the
same logic used to select scripts, would be useful, but we don't have
a generic mechanism for that yet.

-Bertrand


Re: mime type detection

2015-05-04 Thread Bertrand Delacretaz
Hi,

On Mon, May 4, 2015 at 1:36 PM, Satya Deep Maheshwari
connus...@gmail.com wrote:
> ...How about modifying the
> existing SlingTikaDetector itself and adding a mechanism in it to resort to
> inputstream based mime-type detection if name based detection draws a
> null

I don't think we want to make this the default, as that's much more
expensive than the other methods.

As Robert says, providing an extension point for content-based mime
type detection is good.

-Bertrand


Re: Initialize OBR configuration in a crankstart driven sling instances

2015-03-26 Thread Bertrand Delacretaz
On Wed, Mar 25, 2015 at 11:46 PM, Bruce Edge
bruce.e...@nextissuemedia.com wrote:
> ...Perhaps the right question is, how does one initialize the configuration
> for an OBR, independent of startup method?...

Ah I get it now, you want to set an OSGi config from code, that's used
to setup an OBR?

The ConfigurationAdmin [1] lets you do that, there's examples in the
Sling codebase.

-Bertrand

[1] https://osgi.org/javadoc/r4v42/org/osgi/service/cm/ConfigurationAdmin.html


Re: Initialize OBR configuration in a crankstart driven sling instances

2015-03-25 Thread Bertrand Delacretaz
On Wed, Mar 25, 2015 at 7:17 PM, Bruce Edge
bruce.e...@nextissuemedia.com wrote:
> With the launchpad one could set
> launchpad/src/main/sling/common.properties:obr.repository.url
> to a custom URL to specify a custom OBR configuration...

That doesn't work with crankstart so far, as it only knows about Maven
repositories for artifacts.

-Bertrand


[ANN] ApacheCon, Austin, Texas, April 13th - 16th, 2015

2015-03-20 Thread Bertrand Delacretaz
(Bcc dev@)

Dear Apache Sling enthusiast,

In just a few weeks, we'll be holding ApacheCon in Austin, Texas, and
we'd love to have you in attendance. You can save $300 on admission by
registering NOW, since the early bird price ends on the 21st.

Register at http://s.apache.org/acna2015-reg

ApacheCon this year celebrates the 20th birthday of the Apache HTTP
Server, and we'll have Brian Behlendorf, who started this whole thing,
keynoting for us, and you'll have a chance to meet some of the
original Apache Group, who will be there to celebrate with us.

We've got 7 tracks of great talks, as well as BOFs, the Apache
BarCamp, project-specific hack events, and evening events where you
can deepen your connection with the larger Apache community. See the
full schedule at http://apacheconna2015.sched.org/

And if you have any questions, comments, or just want to hang out with
us before and during the event, follow us on Twitter - @apachecon - or
drop by #apachecon on the Freenode IRC network.

I won't be there myself unfortunately but if Sling community members
are there make sure to meet each other!
-Bertrand


Re: Moving nodes using Transformer

2015-02-16 Thread Bertrand Delacretaz
Hi,

On Fri, Feb 13, 2015 at 2:21 PM, Omar Crea omar.c...@thyme.it wrote:
> ...What I want to achieve, within my html page, is to move certain
> nodes (stylesheets and javascript) from the middle of the HTML document to
> the head element
>
> Can this task be achieved using a Transformer?...

You can certainly write an XSLT transform to do that, triggered by a
Sling Output Rewriting Pipeline.

That will probably cause the transformer to buffer the whole output,
might become inefficient depending on the input's size.

-Bertrand

