Re: Re: CustomNodeType on startup in Sling12

2024-02-07 Thread Eric Norman
Hi Rahul,

One more clarification please:  Is your question about how to declare your
own custom node types in the sling feature model?  Or is this specific to
the builtin nodetypes from jackrabbit-filevault?

Regards,
Eric

On Wed, Feb 7, 2024 at 11:08 AM Eric Norman  wrote:

> Hi Rahul,
>
> Your description wasn't clear to me, but can we assume that the node type
> you are using "vlt:PackageDefinition" is coming from
> the jackrabbit-filevault bundle?
>
> I'm not an expert on jackrabbit-filevault, but a quick search of their
> codebase suggests that the filevault nodetypes are possibly lazy-loaded by
> their JcrPackageRegistry#initNodeTypes method (see [1]).  Maybe you can
> attach a debugger to your runtime and set a breakpoint there to inspect the
> code path where that is invoked to reveal why interacting with the
> Composum UI causes it to load the node type?
>
> 1.
> https://github.com/apache/jackrabbit-filevault/blob/1f79fa06367726f378cf956b40c3c26c46ca9f9b/vault-core/src/main/java/org/apache/jackrabbit/vault/packaging/registry/impl/JcrPackageRegistry.java#L168
>
> Regards,
> Eric
>
> On Wed, Feb 7, 2024 at 4:29 AM Rahul Rupani
>  wrote:
>
>> Hi Robert, Thanks for your response, I tried updating the Composum Nodes
>> package to the latest version I could find which is 4.2.3, still facing the
>> same issue, here is the problem in detail -
>> I have 3 files which I use to start my sling12 server -
>> sling12-kickstart.jar
>> custom-feature.json
>> custom-script
>> Now, when I start the server everything works fine, but when I go to the
>> bin browser to try and create a node with primary type -
>> vlt:PackageDefinition
>> It gives me -
>> Error - 400 javax.jcr.nodetype.NoSuchNodeTypeException: Node type
>> vlt:PackageDefinition does not exist
>> But when I go to the packages section in the bin browser and come back to
>> create a node with the same type it is successful.
>> First of all, I don't understand the behavior of this and how do I fix
>> this as I want that node type on startup?
>> The composum node version in my feature.json is 4.2.3!
>>
>> On 2024/02/06 16:15:13 Robert Munteanu wrote:
>> > Hi Rahul,
>> >
>> > On Tue, 2024-02-06 at 12:29 +0530, Rahul Rupani wrote:
>> > > I am using the sling12 kickstart jar with my custom feature.json file
>> > > and a
>> > > custom script,
>> > > The problem is when i try to create a node in my bin browser with the
>> > > jcr:PrimaryType as vlt:PackageDefinition it gives me -
>> > > Error - 400 javax.jcr.nodetype.NoSuchNodeTypeException: Node type
>> > > vlt:PackageDefinition does not exist
>> > > But when i go to Packages inside bin browser and then go back to
>> > > creating
>> > > the same node it is successful, first of all let me know why and what
>> > > is
>> > > this behaviour and also how can i add the custom node type in my
>> > > feature.json or my start script as i want it on a fresh server start,
>> > > Thanks
>> >
>> > I suspect 'bin browser' is the Composum Nodes package installed by
>> > Sling. I would first start by upgrading to the latest Composum Nodes
>> > version, and if that does not work ask at
>> > https://github.com/ist-dresden/composum-nodes .
>> >
>> > Thanks,
>> > Robert
>> >
>>
>


Re: Re: CustomNodeType on startup in Sling12

2024-02-07 Thread Eric Norman
Hi Rahul,

Your description wasn't clear to me, but can we assume that the node type
you are using "vlt:PackageDefinition" is coming from
the jackrabbit-filevault bundle?

I'm not an expert on jackrabbit-filevault, but a quick search of their
codebase suggests that the filevault nodetypes are possibly lazy-loaded by
their JcrPackageRegistry#initNodeTypes method (see [1]).  Maybe you can
attach a debugger to your runtime and set a breakpoint there to inspect the
code path where that is invoked to reveal why interacting with the
Composum UI causes it to load the node type?

1.
https://github.com/apache/jackrabbit-filevault/blob/1f79fa06367726f378cf956b40c3c26c46ca9f9b/vault-core/src/main/java/org/apache/jackrabbit/vault/packaging/registry/impl/JcrPackageRegistry.java#L168

Regards,
Eric

On Wed, Feb 7, 2024 at 4:29 AM Rahul Rupani
 wrote:

> Hi Robert, Thanks for your response, I tried updating the Composum Nodes
> package to the latest version I could find which is 4.2.3, still facing the
> same issue, here is the problem in detail -
> I have 3 files which I use to start my sling12 server -
> sling12-kickstart.jar
> custom-feature.json
> custom-script
> Now, when I start the server everything works fine, but when I go to the
> bin browser to try and create a node with primary type -
> vlt:PackageDefinition
> It gives me -
> Error - 400 javax.jcr.nodetype.NoSuchNodeTypeException: Node type
> vlt:PackageDefinition does not exist
> But when I go to the packages section in the bin browser and come back to
> create a node with the same type it is successful.
> First of all, I don't understand the behavior of this and how do I fix
> this as I want that node type on startup?
> The composum node version in my feature.json is 4.2.3!
>
> On 2024/02/06 16:15:13 Robert Munteanu wrote:
> > Hi Rahul,
> >
> > On Tue, 2024-02-06 at 12:29 +0530, Rahul Rupani wrote:
> > > I am using the sling12 kickstart jar with my custom feature.json file
> > > and a
> > > custom script,
> > > The problem is when i try to create a node in my bin browser with the
> > > jcr:PrimaryType as vlt:PackageDefinition it gives me -
> > > Error - 400 javax.jcr.nodetype.NoSuchNodeTypeException: Node type
> > > vlt:PackageDefinition does not exist
> > > But when i go to Packages inside bin browser and then go back to
> > > creating
> > > the same node it is successful, first of all let me know why and what
> > > is
> > > this behaviour and also how can i add the custom node type in my
> > > feature.json or my start script as i want it on a fresh server start,
> > > Thanks
> >
> > I suspect 'bin browser' is the Composum Nodes package installed by
> > Sling. I would first start by upgrading to the latest Composum Nodes
> > version, and if that does not work ask at
> > https://github.com/ist-dresden/composum-nodes .
> >
> > Thanks,
> > Robert
> >
>


Re: Re: Re: Sling 12 issue

2023-04-18 Thread Eric Norman
Hi Rahul,


> the stdout log generated in sling 11 is missing in sling 12 do you have any
> idea about that?
>

I don't recollect the specific behavior of sling 11.  If the
explanation below doesn't resolve the problem perhaps you can provide some
more details?

In sling 12 any logging output that comes from any of the supported logging
apis (slf4j, log4j, juli, commons.logging), should end up in one of the log
files under the launcher/logs/* folder.

Any logging that is directly using the System.out or System.err PrintStream
apis should still be written to the console.

Regards,
Eric

On Tue, Apr 18, 2023 at 6:21 AM Rahul Rupani 
wrote:

> On 2023/04/12 15:49:23 Eric Norman wrote:
> > Hi Rahul,
> >
> > The launcher script allows you to utilize the JAVA_OPTS environment
> > variable to supply java remote debugging arguments to the jvm.
> >
> > For example, to set the env variable and run the launcher with a one-line
> > subshell, you can execute something like this to open port 5000 for remote
> > debugging:
> >
> > (export
> > JAVA_OPTS="-agentlib:jdwp=transport=dt_socket,address=5000,server=y,suspend=n"
> > && target/dependency/org.apache.sling.feature.launcher/bin/launcher -f
> > target/slingfeature-tmp/feature-oak_tar.json)
> >
> >
> > One way to change the http port would be to supply an "
> > org.osgi.service.http.port" framework property value as an argument to the
> > launcher script.   For example, to use  as the http port use something
> > like this:
> >
> > (export
> > JAVA_OPTS="-agentlib:jdwp=transport=dt_socket,address=5000,server=y,suspend=n"
> > && target/dependency/org.apache.sling.feature.launcher/bin/launcher *-D
> > org.osgi.service.http.port=* -f
> > target/slingfeature-tmp/feature-oak_tar.json)
> >
> >
> >
> > Hope that helps.
> > Eric
> >
> > On Wed, Apr 12, 2023 at 12:47 AM Rahul Rupani 
> > wrote:
> >
> > > On 2023/04/05 08:14:59 Robert Munteanu wrote:
> > > > Hi Rahul,
> > > >
> > > > On Wed, 2023-04-05 at 08:56 +0530, rahul rupani wrote:
> > > > > Hi, can anyone help me with turning on or creating a debug port for
> > > > > sling
> > > > > 12 as I'm having trouble doing it, Thanks.
> > > >
> > > > How are you launching Sling?
> > > >
> > > > Thanks,
> > > > Robert
> > > >  using this command -
> > > target/dependency/org.apache.sling.feature.launcher/bin/launcher
> > > I've followed all the steps from here -
> > > https://github.com/apache/sling-org-apache-sling-starter
> > > I need to manipulate the port that sling starts on and add a debug port
> too
> > > but can't figure it out as it automatically launches using jetty..
> > > Thanks for your help.
> > >
> >  Thank you so much Eric, that's exactly what i needed, one last thing,
> the stdout log generated in sling 11 is missing in sling 12 do you have any
> idea about that?
>


Re: Re: Sling 12 issue

2023-04-12 Thread Eric Norman
Hi Rahul,

The launcher script allows you to utilize the JAVA_OPTS environment
variable to supply java remote debugging arguments to the jvm.

For example, to set the env variable and run the launcher with a one-line
subshell, you can execute something like this to open port 5000 for remote
debugging:

(export
JAVA_OPTS="-agentlib:jdwp=transport=dt_socket,address=5000,server=y,suspend=n"
&& target/dependency/org.apache.sling.feature.launcher/bin/launcher -f
target/slingfeature-tmp/feature-oak_tar.json)


One way to change the http port would be to supply an "
org.osgi.service.http.port" framework property value as an argument to the
launcher script.   For example, to use  as the http port use something
like this:

(export
JAVA_OPTS="-agentlib:jdwp=transport=dt_socket,address=5000,server=y,suspend=n"
&& target/dependency/org.apache.sling.feature.launcher/bin/launcher *-D
org.osgi.service.http.port=* -f
target/slingfeature-tmp/feature-oak_tar.json)



Hope that helps.
Eric

On Wed, Apr 12, 2023 at 12:47 AM Rahul Rupani 
wrote:

> On 2023/04/05 08:14:59 Robert Munteanu wrote:
> > Hi Rahul,
> >
> > On Wed, 2023-04-05 at 08:56 +0530, rahul rupani wrote:
> > > Hi, can anyone help me with turning on or creating a debug port for
> > > sling
> > > 12 as I'm having trouble doing it, Thanks.
> >
> > How are you launching Sling?
> >
> > Thanks,
> > Robert
> >  using this command -
> target/dependency/org.apache.sling.feature.launcher/bin/launcher
> I've followed all the steps from here -
> https://github.com/apache/sling-org-apache-sling-starter
> I need to manipulate the port that sling starts on and add a debug port too
> but can't figure it out as it automatically launches using jetty..
> Thanks for your help.
>
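
Added example, not part of the thread or of the Sling launcher: the JAVA_OPTS value above uses a bare `address=5000`, which JDK 9 and later bind to loopback only while older JDKs listen on every interface, and JDWP has no authentication. The sketch below audits a JAVA_OPTS string for that case and rewrites the address to 127.0.0.1; the function names and the `jdk_major` parameter are assumptions of this example.

```python
"""Audit JAVA_OPTS for JDWP listeners reachable beyond loopback (added example)."""
import shlex

JDWP_PREFIXES = ("-agentlib:jdwp=", "-Xrunjdwp:")
LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}

# The JAVA_OPTS value quoted in the thread above.
PAGE_OPTS = "-agentlib:jdwp=transport=dt_socket,address=5000,server=y,suspend=n"


def jdwp_prefix(arg):
    """Return the JDWP prefix that `arg` starts with, or None."""
    return next((p for p in JDWP_PREFIXES if arg.startswith(p)), None)


def split_address(address):
    """Split 'host:port' or '*:port' into (host, port); a bare port gives (None, port)."""
    host, _, port = address.rpartition(":")
    return (host or None, port)


def parse_jdwp(java_opts):
    """Return one dict of sub-options for every JDWP agent argument."""
    agents = []
    for arg in shlex.split(java_opts):
        prefix = jdwp_prefix(arg)
        if prefix:
            items = (i.partition("=") for i in arg[len(prefix):].split(","))
            agents.append({key: value for key, _, value in items})
    return agents


def audit(java_opts, jdk_major):
    """Return (address, reason) for every JDWP listener not limited to loopback."""
    findings = []
    for opts in parse_jdwp(java_opts):
        if opts.get("transport") != "dt_socket" or opts.get("server") != "y":
            continue  # shared-memory transport or outbound attach: no TCP listener
        address = opts.get("address", "")
        host, _port = split_address(address)
        if host is None:
            # Bare port: the default bind address changed to loopback in JDK 9.
            if jdk_major < 9:
                findings.append((address, "bare port binds all interfaces before JDK 9"))
        elif host not in LOOPBACK_HOSTS:
            findings.append((address, "listener bound to non-loopback host %r" % host))
    return findings


def pin_to_loopback(java_opts):
    """Rewrite every JDWP address sub-option to 127.0.0.1:<port>."""
    out = []
    for arg in shlex.split(java_opts):
        prefix = jdwp_prefix(arg)
        if prefix:
            items = []
            for item in arg[len(prefix):].split(","):
                key, _, value = item.partition("=")
                if key == "address":
                    item = "address=127.0.0.1:" + split_address(value)[1]
                items.append(item)
            arg = prefix + ",".join(items)
        out.append(arg)
    return shlex.join(out)


if __name__ == "__main__":
    for jdk in (8, 17):
        print("JDK", jdk, audit(PAGE_OPTS, jdk))
    print(pin_to_loopback(PAGE_OPTS))
```

With the address pinned to loopback, a remote debugger reaches the port through an SSH tunnel rather than a listener open to the network.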


Re: Server-Side Testing

2022-09-26 Thread Eric Norman
The paxexam tests are running inside of the OSGi runtime.

So if you just need to create a file in the repository, then maybe you
could just inject a reference to the SlingRepository service into your test
class and use that to interact with the JCR repository to do the work?

For example:

@Inject
protected SlingRepository repository;

Regards,
Eric

On Mon, Sep 26, 2022 at 9:21 AM Andreas Schaefer 
wrote:

> Hi
>
> As mentioned in my previous email I ran into an issue with Composum as I
> could not open it with the Pax Tests even though I included composum()
> setup.
>
> I could fix that with this line:
>
>
> mavenBundle().groupId("org.apache.geronimo.bundles").artifactId("jstl").version("1.2_1"),
>
> I have another question regarding uploading a file. I was able to use
> Jsoup to upload a file to create a file node in Sling.
> I am wondering if there is a way with PaxExam to do that with a direct API
> exam as my tests are not there to test the REST Api but rather to make sure
> my code is working?
>
> Anyhow Jsoup will work fine if it is the only way.
>
> - Andy
>
> > On Aug 23, 2022, at 11:03 AM, Eric Norman  wrote:
> >
> > Hi Andy,
> >
> > What I usually do for debugging/inspecting the pax exam instance is to
> add
> > optional configuration to enable remote debugging (see [1]).  Then you
> can
> > set a breakpoint in your test code and it will stop there for you to
> take a
> > look around.
> >
> > One example of this is at:
> > 1. AuthFormTestSupport.java#L94
> > <https://github.com/apache/sling-org-apache-sling-auth-form/blob/0040aac8a3a89a0cfc4727f2802bd560803c4c8a/src/test/java/org/apache/sling/auth/form/it/AuthFormTestSupport.java#L94>
> >
> >
> > Hope that helps.
> >
> > Regards,
> > Eric
> >
> >
> > On Mon, Aug 22, 2022 at 2:14 PM Andreas Schaefer
> 
> > wrote:
> >
> >> Hi Oliver
> >>
> >> I am making good progress but I noticed that I cannot get composum up on
> >> both 3.1.0 or 3.0.0 which is the current version I am using because I am
> >> still running against Sling 11.
> >>
> >> The issue I see is: 'The absolute uri: http://java.sun.com/jsp/jstl/core
> >> cannot be resolved’
> >>
> >> Also is there a way to keep the Sling instance running (something like
> >> keep running flag) after the tests were done in case I need to
> investigate
> >> an issue with the Sling instance like bundles dependencies etc?
> >>
> >> Thanks - Andy
> >>
> >>
> >>> On Aug 15, 2022, at 2:20 AM, Oliver Lietz 
> wrote:
> >>>
> >>> On Sunday, 14 August 2022 23:15:16 CEST Andreas Schaefer wrote:
> >>>> Hi
> >>>
> >>> Hi Andy,
> >>>
> >>>> I am working on some sling components and want to IT test them within
> >> the
> >>>> server to avoid client-side polling.
> >>>>
> >>>> It looks like there are two ways to do that:
> >>>>
> >>>> - Junit Servlet
> >>>> - Sling Testing Server Setup and Teleporter
> >>>>
> >>>> Does Sling do any server side testing?
> >>>> What is the currently supported way of doing server side tests?
> >>>
> >>> Running tests inside the OSGi container is the default when using OPS4J
> >> Pax
> >>> Exam. See the list of Sling modules using Sling's Testing PaxExam and
> >> have a
> >>> look what the ITs are doing to get some ideas:
> >>>
> >>>
> https://sling.apache.org/documentation/development/testing-paxexam.html
> >>>
> >>> Let me know if more documentation is needed.
> >>>
> >>> HTH,
> >>> O.
> >>>
> >>>
> >>>> Thanks - Andy
> >>>
> >>>
> >>>
> >>>
> >>
> >>
>
>


Re: Server-Side Testing

2022-08-23 Thread Eric Norman
Hi Andy,

What I usually do for debugging/inspecting the pax exam instance is to add
optional configuration to enable remote debugging (see [1]).  Then you can
set a breakpoint in your test code and it will stop there for you to take a
look around.

One example of this is at:
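1. AuthFormTestSupport.java#L94
<https://github.com/apache/sling-org-apache-sling-auth-form/blob/0040aac8a3a89a0cfc4727f2802bd560803c4c8a/src/test/java/org/apache/sling/auth/form/it/AuthFormTestSupport.java#L94>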



Hope that helps.

Regards,
Eric


On Mon, Aug 22, 2022 at 2:14 PM Andreas Schaefer 
wrote:

> Hi Oliver
>
> I am making good progress but I noticed that I cannot get composum up on
> both 3.1.0 or 3.0.0 which is the current version I am using because I am
> still running against Sling 11.
>
> The issue I see is: 'The absolute uri: http://java.sun.com/jsp/jstl/core
> cannot be resolved’
>
> Also is there a way to keep the Sling instance running (something like
> keep running flag) after the tests were done in case I need to investigate
> an issue with the Sling instance like bundles dependencies etc?
>
> Thanks - Andy
>
>
> > On Aug 15, 2022, at 2:20 AM, Oliver Lietz  wrote:
> >
> > On Sunday, 14 August 2022 23:15:16 CEST Andreas Schaefer wrote:
> >> Hi
> >
> > Hi Andy,
> >
> >> I am working on some sling components and want to IT test them within
> the
> >> server to avoid client-side polling.
> >>
> >> It looks like there are two ways to do that:
> >>
> >> - Junit Servlet
> >> - Sling Testing Server Setup and Teleporter
> >>
> >> Does Sling do any server side testing?
> >> What is the currently supported way of doing server side tests?
> >
> > Running tests inside the OSGi container is the default when using OPS4J
> Pax
> > Exam. See the list of Sling modules using Sling's Testing PaxExam and
> have a
> > look what the ITs are doing to get some ideas:
> >
> > https://sling.apache.org/documentation/development/testing-paxexam.html
> >
> > Let me know if more documentation is needed.
> >
> > HTH,
> > O.
> >
> >
> >> Thanks - Andy
> >
> >
> >
> >
>
>


Re: Starting a FAR with the Sling feature launcher without network access

2022-03-16 Thread Eric Norman
I haven't looked too closely at this, but if I recall correctly, when using
the launcher with a .far it seemed like the logged count of local artifacts
was more than double the number before so I'm not sure if it is ignored
completely?  It seemed like it was counting the artifacts inside the .far
and the artifacts in the local maven repo too even if they were
duplicates.   I thought that was weird, but it didn't bother me enough to
look further.

Are you saying that running with a non-empty "-u" argument that completely
replaces the default repository urls is unable to run?

For example, if your -u arguments are just the zip containing the felix
framework with something like below, is it able to find the artifacts that
exist inside the far archive?

java -jar org.apache.sling.feature.launcher.jar -f
org.apache.sling.starter-12-oak_tar_far.far -u
'jar:file:felixcontainer.zip!'

Regards,
-Eric

On Wed, Mar 16, 2022 at 10:59 AM Dr. Hans-Peter Störr 
wrote:

> Hi!
>
> I'm wondering about the usage of feature archives in the Sling feature
> launcher, especially in a setting without a network and
> $HOME/.m2/repository.
>
> https://github.com/apache/sling-org-apache-sling-feature/blob/master/docs/feature-archives.md
> says the feature archives, such as the
> org.apache.sling.starter-12-oak_tar_far.far produced by the Sling Starter
> https://github.com/apache/sling-org-apache-sling-starter , are meant to
> contain the actual artifacts needed to run the system. Yet, when you start
> the system like this:
>
> java -jar org.apache.sling.feature.launcher.jar -f
> org.apache.sling.starter-12-oak_tar_far.far -v
>
> the log shows that the artifacts in the FAR are completely ignored - it
> takes these from $HOME/.m2/repository or, failing that, they are downloaded
> from https://repo.maven.apache.org/maven2 . That seems not only a waste
> of network resources, but it has its problems. First in intranets or in a
> DMZ it's not guaranteed that you have internet access. Even worse: on
> production systems you don't want the starter to access the network or
> getting files from $HOME/.m2/repository, since that offers various attack
> avenues for injecting code into the system. So I'm wondering: shouldn't the
> feature launcher first check the FAR for the artifact and use that? Or even
> only use the code contained in a FAR?
>
>
> That said: there actually is a way to start the launcher without using the
> network, but in a quite cumbersome way. The feature launcher allows
> specifying the repository URLs, and you can give a jar file URL as
> repository URL:
>
> java -jar org.apache.sling.feature.launcher.jar -f
> org.apache.sling.starter-12-oak_tar_far.far -u
> 'jar:file:org.apache.sling.starter-12-oak_tar_far.far!' -u
> 'jar:file:felixcontainer.zip!'
>
> This also adds a second zip I created as a repository for the felix
> framework, which is required by the launcher, and just contains the file
>
> org/apache/felix/org.apache.felix.framework/7.0.1/org.apache.felix.framework-7.0.1.jar
>
> This works completely without network access, but it does feel like a
> workaround. So, is that actually the intended solution for this usecase, or
> are there plans to extend the feature launcher in some way? Or am I missing
> something?
>
> Thank you all for the good work and the many advances with this!
>
> Best regards,
>
> Hans-Peter
>
> PS: I was almost jumping up and down when I saw the tag
> org.apache.sling.starter-12 in the maven repo. Thanks for finally fixing
> something that can become release 12 of the Sling Starter ! I'm looking
> forward for it to appear in the maven repository.
>
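
Added example, not part of the thread or of the feature launcher: before starting with only `-u 'jar:file:...!'` repositories as described above, it helps to confirm that the archives really contain every artifact, so that nothing is resolved from $HOME/.m2/repository or the network. The sketch assumes artifact ids of the form `group:artifact[:type[:classifier]]:version` and a feature JSON with a "bundles" list; the `com.example` ids and in-memory archives are constructed sample data.

```python
"""Check that local archives cover every artifact a feature needs (added example)."""
import io
import zipfile

# Framework artifact named in the thread above.
FELIX_ID = "org.apache.felix:org.apache.felix.framework:7.0.1"


def repo_path(mvn_id):
    """Map 'group:artifact[:type[:classifier]]:version' to its Maven repository layout path."""
    parts = mvn_id.split(":")
    kind, classifier = "jar", ""
    if len(parts) == 3:
        group, artifact, version = parts
    elif len(parts) == 4:
        group, artifact, kind, version = parts
    elif len(parts) == 5:
        group, artifact, kind, classifier, version = parts
    else:
        raise ValueError("unsupported artifact id: %r" % mvn_id)
    suffix = "-" + classifier if classifier else ""
    name = "%s-%s%s.%s" % (artifact, version, suffix, kind)
    return "/".join([group.replace(".", "/"), artifact, version, name])


def bundle_ids(feature):
    """Collect ids from a feature's "bundles" list (entries are strings or {"id": ...})."""
    return [b if isinstance(b, str) else b["id"] for b in feature.get("bundles", [])]


def missing_offline(ids, archives):
    """Return the ids whose repository path is present in none of the zip archives."""
    present = set()
    for archive in archives:
        with zipfile.ZipFile(archive) as zf:
            present.update(zf.namelist())
    return [i for i in ids if repo_path(i) not in present]


def make_zip(paths):
    """Build an in-memory zip holding empty entries at `paths` (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in paths:
            zf.writestr(path, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed feature: one bundle shipped in the archive, one that is not.
    feature = {"bundles": ["com.example:demo.api:1.0.0",
                           {"id": "com.example:demo.core:jar:tests:1.0.0"}]}
    far = make_zip([repo_path("com.example:demo.api:1.0.0")])
    felix = make_zip([repo_path(FELIX_ID)])
    needed = [FELIX_ID] + bundle_ids(feature)
    for artifact in missing_offline(needed, [far, felix]):
        print("not in any archive:", artifact, "->", repo_path(artifact))
```

Any id this reports would have to come from another repository URL, which is the fallback the question above wants to rule out on production systems.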


Re: Stopping Apache Sling Launchpad upon exception in OSGi bundle

2021-04-27 Thread Eric Norman
Hi Michael,

I don't believe there is currently any configuration for the Apache Felix
Jetty Based Http Service that would do that automatically.

It seems to me that there are a couple of options that you may consider:

   1. A "fail before startup" solution where you could utilize some other
   tooling in your startup script to check if the TCP port is already being
   used before attempting to launch the sling launchpad.
   2. A "fail during startup" solution where you could modify the jetty
   http bundle code (and optional configuration?) to catch the specific
   BindException and initiate an orderly shutdown when that happens.  The
   felix project should consider any patches you submit for consideration to
   be included in the next release.
   3. A "fail after monitor" solution where your distribution could provide
   your own custom OSGi component that waits for a duration for all required
   services to become available.  If the monitored required services do not
   become available then initiate an orderly shutdown.  Perhaps some
   integration with the felix "healthcheck" apis could be useful here?

Regards,
Eric

On Tue, Apr 27, 2021 at 8:03 AM Lescisin, Michael 
wrote:

> Hi there,
>
> I was wondering if somebody could kindly help me with the following issue.
> We are developing a clinical archive based on Apache Sling (
> https://github.com/ccmbioinfo/lfs) and are using the Sling Launchpad to
> load all artifacts. One such artifact is org.apache.felix.http.jetty
> (specified in
> https://github.com/ccmbioinfo/lfs/blob/dev/distribution/src/main/provisioning/99-standalone.txt)
> which (by default) binds to and listens on TCP port 8080. When another
> process is listening on this port and thus causes
> org.apache.felix.http.jetty to be unable to bind to this port, as expected,
> I see java.net.BindException: Address already in use in
> sling/logs/error.log. However, despite this error, the rest of the
> artifacts are loaded, and the executable JAR does not terminate.
>
> Could someone kindly explain how Sling Launchpad can be reconfigured so
> that the executable JAR will terminate if org.apache.felix.http.jetty
> throws a java.net.BindException?
>
> Thank you,
>
> Michael
>
>


Re: Sling/Felix JDBC Connection Pool problem

2021-03-01 Thread Eric Norman
Hi Juerg,

I'm still not clear if you are trying to reference the DataSource service
from within another OSGi service or from some POJO class.   The description
of the original problem suggests it is not within an OSGi service as a
failure to inject the non-optional @Reference should have caused that OSGi
service to fail to activate.

If this is indeed a POJO class, you may try something like this:

import java.util.Collection;

import javax.sql.DataSource;

import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.framework.ServiceReference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class DSExamplePojo {
    private Logger logger = LoggerFactory.getLogger(getClass());

    public void doSomething() {
        // get the bundle this class lives in
        Bundle bundle = FrameworkUtil.getBundle(getClass());
        // and the bundle context to lookup a service
        BundleContext bundleContext = bundle.getBundleContext();

        // lookup the service
        Collection<ServiceReference<DataSource>> serviceReferences = null;
        try {
            serviceReferences =
                bundleContext.getServiceReferences(DataSource.class, "(datasource.name=dbdb)");
        } catch (InvalidSyntaxException e) {
            logger.error("Failed to get service references", e);
        }
        if (serviceReferences != null && !serviceReferences.isEmpty()) {
            // get the first match
            ServiceReference<DataSource> ref = serviceReferences.iterator().next();
            try {
                // get the service from the service reference
                DataSource ds = bundleContext.getService(ref);

                // use the service here, before it is released in the finally block
                //TODO: use the ds variable to do something here
                logger.info("Found DataSource: {}", ds);
            } finally {
                // cleanup
                bundleContext.ungetService(ref);
            }
        }
    }

}


Regards,
-Eric

On Mon, Mar 1, 2021 at 1:09 AM JCR  wrote:

> Yes, the pool is called by a class in an OSGI bundle with the dependency
> shown in my previous email.
>
> But indeed, we have strong reasons that we are talking about a
> classloader issue here. In the meanwhile, I tested the JDBC "vanilla
> approach":
>
>  Class.forName("org.mariadb.jdbc.Driver");
>  Connection con =
> DriverManager.getConnection("jdbc:mariadb://localhost:3306/dbdb",
> "dbuser1", "pwd");
>
> and a direct DataSource approach:
>
>  MariaDbDataSource ds = new MariaDbDataSource();
>  ds.setUser("dbuser1");
>  ds.setPassword("pwd");
>  ds.setServerName("localhost");
>  ds.setPortNumber(3306);
>  ds.setDatabaseName("dbdb");
>  con = ds.getConnection();
>
> The first version returns with a runtime error that the Driver-class is
> not found. The second version behaves similarly
>
>  java.lang.NoClassDefFoundError: javax/sql/DataSource
>
> Now, javax.sql is even a standard part of Felix. If I add this
> dependency to pom:
>
> <dependency>
>  <groupId>javax.sql</groupId>
>  <artifactId>jdbc-stdext</artifactId>
>  <version>2.0</version>
> </dependency>
>
>   ... Eclipse marks an error saying "Missing artifact
> javax.sql:jdbc-stdext:jar:1.0". That's strange because the jar is in
> /home/juerg/.m2/repository/javax/sql and most probably also in core
> Felix, otherwise it wouldn't be possible to establish a pool.
>
> And now coming to the point: the "vanilla approach" works perfectly in
> the Servlet/JSP environment! I don't know in what context that part of
> Sling exactly runs, but the Driver class is seemingly found and DB
> interaction works.
> But from an architectural perspective, a JSP is obviously not the place
> where database code should be placed...
>
> Question is, how can access to the driver be achieved from an OSGi bundle?
>
> Best,
> Juerg
>
>
> On 26.02.21 18:13, Eric Norman wrote:
> > I'm not using JDBC datasources personally, but can you clarify in what
> > context your client code is running?
> >
> > In general the @Reference annotations (both the older felix.scr ones and
> > the newer standardized annotations from OSGi R6 specification) are
> only
> > going to work when they are within a declarative service component and
> that
> > client class is accessed as an osgi service.
> >
> > If the client code is running in some other context or lookup of the
> client
> > class happens some other way, then you would likely need a different way
> to
> > get the reference to the DataSource component.

Re: Sling/Felix JDBC Connection Pool problem

2021-02-26 Thread Eric Norman
I'm not using JDBC datasources personally, but can you clarify in what
context your client code is running?

In general the @Reference annotations (both the older felix.scr ones and
the newer standardized annotations from OSGi R6 specification) are only
going to work when they are within a declarative service component and that
client class is accessed as an osgi service.

If the client code is running in some other context or lookup of the client
class happens some other way, then you would likely need a different way to
get the reference to the DataSource component.

For example, sling models can use the @Inject annotation for getting a
reference to an osgi service, or you can get the DataSource service
reference from a ServiceTracker or a direct service reference lookup from
some BundleContext.

Regards,
Eric

On Fri, Feb 26, 2021 at 7:04 AM JCR  wrote:

> Adding a detail: The @Reference annotation is deprecated.
>
> 
>
> For creating a JDBC connection pool (to mariadb) in Sling 11, I followed
> the instructions given at
> https://sling.apache.org/documentation/bundles/datasource-providers.html
> . However, I get a runtime exception on the datasource without further
> details.
>
> As documented on that webpage, I declared the following in the consuming
> class:
>
> import org.apache.felix.scr.annotations.Reference;
>
> public class Database {
>
>  @Reference(target =
> "(&(objectclass=javax.sql.DataSource)(datasource.name=dbdb))")
>  DataSource dataSource;
>
>  public String test() {
>
>  try {
>
>  Connection con = dataSource.getConnection();
>
>  ... Some SQL instructions...
>
>  }
>
> The config of the datasource was done via the Felix console and looks like:
>
>  in JNDI DataSource:
>
>  Datasource name(*): dbdb
>  JNDI name(*): dbdb
>
>  in Apache Sling Connection Pooled DataSource:
>
>  Datasource name(*): dbdb
>  JDBC driver class: org.mariadb.jdbc.Driver
>  JDBC connection URI:
> jdbc:mysql://localhost:3306/someDB?useUnicode=yes=UTF-8
>  Username: xyz
>   many more
>
> The POM:
>  <dependency>
>  <groupId>org.apache.felix</groupId>
> <artifactId>org.apache.felix.scr.annotations</artifactId>
>  <version>1.12.0</version>
>  </dependency>
>
>
> Now, the datasource, at the moment of calling test() is null. I have
> absolutely no hint what the problem is. The config? The annotation? What
> is obvious, however, is that the /@Reference /as suggested on the
> bundles page, is deprecated... What would be the most current approach?
>
> Thanks,
> -Juerg
>
>
>
>


Re: SLING-9503 control over variable replacement in feature models

2021-01-12 Thread Eric Norman
Thanks for the confirmation.  I've created a bug report as SLING-10060
for tracking.

On Mon, Jan 11, 2021 at 10:44 PM Carsten Ziegeler 
wrote:

> Hi,
>
> thanks for checking - I would consider this a bug in the current
> implementation and go with #1. #2 is introducing a new format which
> would be incompatible to the current format and you can get the same
> support via the properties section:
>
> <properties>
> <name2>some-${name1}</name2>
> </properties>
>
> and then use name2 in replacePropertyVariables.
>
> Regards
> Carsten
>
> Am 11.01.2021 um 19:12 schrieb Eric Norman:
> > As far as I can tell, it is generally the maven expression evaluator that
> > picks the system property value over the project property with the same
> > name.  So an expression like ${property.name1.here} in the pom would get
> > the system property value instead of the project property value.
> However,
> > if I am reading it correctly, the MavenProject#getProperties api call
> > doesn't appear to consider the system property values in the map that it
> > returns and it is simply the model that was parsed from the pom xml.
> >
> > So I can imagine a couple of solutions to my problem:
> > 1. Simply, enhance the slingfeature-maven-plugin Substitution handling
> > of replacePropertyVariables to first check for a system property with the
> > same name and use that value if it is available.  If no system property
> > exists, then fallback to the project property value with the same name as
> > the default value.
> >
> > 2. Or refactor the slingfeature-maven-plugin "replacePropertyVariables"
> > configuration to accept a map-like structure instead of just property
> names
> > and let the maven expression evaluator choose the values with something
> > like this:
> >
> > 
> >  
> >
> ${property.name1.here}
> >
> ${property.name2.here}
> >  
> >  ...
> > 
> >
> >
> > Solution #1 would be much easier to implement, but perhaps #2 adds
> > flexibility that could be useful to someone in the future?
> >
> > Let me know if you have any thoughts.
> >
> > Regards,
> > -Eric
> >
> > On Mon, Jan 11, 2021 at 12:50 AM Carsten Ziegeler 
> > wrote:
> >
> >> Ok, I guess I'm wrong but I thought if you specify the property in
> >> "replacePropertyVariables" then the property value is picked up from the
> >> maven project - which should allow for overrides via system properties -
> >> meaning maven should already do the replacement.
> >>
> >> I assume that is not the case?
> >>
> >> Regards
> >> Carsten
> >>
> >> Am 11.01.2021 um 09:06 schrieb Eric Norman:
> >>> Yes, well I did make an explicit decision and declared my property name
> >> in
> >>> "replacePropertyVariables".  My use case is purely for testing so I
> don't
> >>> care much about the reproducibility of the builds.
> >>>
> >>> My question was more about if it is necessary to ignore the system
> >> property
> >>> value supplied on the command line and be forced to use the hardcoded
> >> value
> >>> from the pom?  For example, the use case of a parameterized jenkins job
> >>> where the user's choice should be passed along to maven and used to
> >>> configure/prepare the environment to run a set of tests against.
> >>>
> >>>
> >>> On Sun, Jan 10, 2021 at 10:41 PM Carsten Ziegeler <
> cziege...@apache.org>
> >>> wrote:
> >>>
> >>>> This is done on purpose - as soon as you allow user input (via system
> >>>> properties), you end up with non reproducible builds.
> >>>>
> >>>> Now, if you are in full control over your project, you can either
> enable
> >>>> "enableLegacyVariableReplacement" or open it up to system properties
> via
> >>>> the "properties" section in your pom and mentioning the property in
> >>>> "replacePropertyVariables" - but this needs to be an explicit
> decision.
> >>>>
> >>>> Regards
> >>>> Carsten
> >>>>
> >>>> Am 10.01.2021 um 23:58 schrieb Eric Norman:
> >>>>> I see that the changes from SLING-9503 changed the variable
> replacement
> >>>> in
> >>>>> slingfeature-maven-plugin to be more limited.
> >>>>>
> >>>>> Is there an expectation that the substitutio

Re: SLING-9503 control over variable replacement in feature models

2021-01-11 Thread Eric Norman
As far as I can tell, it is generally the maven expression evaluator that
picks the system property value over the project property with the same
name.  So an expression like ${property.name1.here} in the pom would get
the system property value instead of the project property value.  However,
if I am reading it correctly, the MavenProject#getProperties api call
doesn't appear to consider the system property values in the map that it
returns and it is simply the model that was parsed from the pom xml.

So I can imagine a couple of solutions to my problem:
1. Simply, enhance the slingfeature-maven-plugin Substitution handling
of replacePropertyVariables to first check for a system property with the
same name and use that value if it is available.  If no system property
exists, then fallback to the project property value with the same name as
the default value.

2. Or refactor the slingfeature-maven-plugin "replacePropertyVariables"
configuration to accept a map-like structure instead of just property names
and let the maven expression evaluator choose the values with something
like this:



${property.name1.here}
${property.name2.here}

...



Solution #1 would be much easier to implement, but perhaps #2 adds
flexibility that could be useful to someone in the future?

Let me know if you have any thoughts.

Regards,
-Eric

On Mon, Jan 11, 2021 at 12:50 AM Carsten Ziegeler 
wrote:

> Ok, I guess I'm wrong but I thought if you specify the property in
> "replacePropertyVariables" then the property value is picked up from the
> maven project - which should allow for overrides via system properties -
> meaning maven should already do the replacement.
>
> I assume that is not the case?
>
> Regards
> Carsten
>
> Am 11.01.2021 um 09:06 schrieb Eric Norman:
> > Yes, well I did make an explicit decision and declared my property name
> in
> > "replacePropertyVariables".  My use case is purely for testing so I don't
> > care much about the reproducibility of the builds.
> >
> > My question was more about if it is necessary to ignore the system
> property
> > value supplied on the command line and be forced to use the hardcoded
> value
> > from the pom?  For example, the use case of a parameterized jenkins job
> > where the user's choice should be passed along to maven and used to
> > configure/prepare the environment to run a set of tests against.
> >
> >
> > On Sun, Jan 10, 2021 at 10:41 PM Carsten Ziegeler 
> > wrote:
> >
> >> This is done on purpose - as soon as you allow user input (via system
> >> properties), you end up with non reproducible builds.
> >>
> >> Now, if you are in full control over your project, you can either enable
> >> "enableLegacyVariableReplacement" or open it up to system properties via
> >> the "properties" section in your pom and mentioning the property in
> >> "replacePropertyVariables" - but this needs to be an explicit decision.
> >>
> >> Regards
> >> Carsten
> >>
> >> Am 10.01.2021 um 23:58 schrieb Eric Norman:
> >>> I see that the changes from SLING-9503 changed the variable replacement
> >> in
> >>> slingfeature-maven-plugin to be more limited.
> >>>
> >>> Is there an expectation that the substitutions for the limited
> >>> "replacePropertyVariables" values would only use the property value
> >>> hardcoded in the pom and ignore the system property with the same name?
> >>>
> >>> I was expecting that when supplying a system property (with the same
> >> name)
> >>> on the mvn command line, that the value from the system property would
> be
> >>> used for the substitutions but is not used and the value always comes
> >> from
> >>> the property defined in the pom.
> >>>
> >>> If this is not done on purpose, I can provide a fix to check for a
> system
> >>> property value first before a fallback to the project property.
> >>>
> >>> Let me know what you think.
> >>>
> >>> -Eric
> >>>
> >>
> >> --
> >> --
> >> Carsten Ziegeler
> >> Adobe Research Switzerland
> >> cziege...@apache.org
> >>
> >
>
> --
> --
> Carsten Ziegeler
> Adobe Research Switzerland
> cziege...@apache.org
>


Re: SLING-9503 control over variable replacement in feature models

2021-01-11 Thread Eric Norman
Yes, well I did make an explicit decision and declared my property name in
"replacePropertyVariables".  My use case is purely for testing so I don't
care much about the reproducibility of the builds.

My question was more about if it is necessary to ignore the system property
value supplied on the command line and be forced to use the hardcoded value
from the pom?  For example, the use case of a parameterized jenkins job
where the user's choice should be passed along to maven and used to
configure/prepare the environment to run a set of tests against.


On Sun, Jan 10, 2021 at 10:41 PM Carsten Ziegeler 
wrote:

> This is done on purpose - as soon as you allow user input (via system
> properties), you end up with non reproducible builds.
>
> Now, if you are in full control over your project, you can either enable
> "enableLegacyVariableReplacement" or open it up to system properties via
> the "properties" section in your pom and mentioning the property in
> "replacePropertyVariables" - but this needs to be an explicit decision.
>
> Regards
> Carsten
>
> Am 10.01.2021 um 23:58 schrieb Eric Norman:
> > I see that the changes from SLING-9503 changed the variable replacement
> in
> > slingfeature-maven-plugin to be more limited.
> >
> > Is there an expectation that the substitutions for the limited
> > "replacePropertyVariables" values would only use the property value
> > hardcoded in the pom and ignore the system property with the same name?
> >
> > I was expecting that when supplying a system property (with the same
> name)
> > on the mvn command line, that the value from the system property would be
> > used for the substitutions but is not used and the value always comes
> from
> > the property defined in the pom.
> >
> > If this is not done on purpose, I can provide a fix to check for a system
> > property value first before a fallback to the project property.
> >
> > Let me know what you think.
> >
> > -Eric
> >
>
> --
> --
> Carsten Ziegeler
> Adobe Research Switzerland
> cziege...@apache.org
>


RE: SLING-9503 control over variable replacement in feature models

2021-01-10 Thread Eric Norman
I see that the changes from SLING-9503 changed the variable replacement in
slingfeature-maven-plugin to be more limited.

Is there an expectation that the substitutions for the limited
"replacePropertyVariables" values would only use the property value
hardcoded in the pom and ignore the system property with the same name?

I was expecting that when supplying a system property (with the same name)
on the mvn command line, that the value from the system property would be
used for the substitutions but is not used and the value always comes from
the property defined in the pom.

If this is not done on purpose, I can provide a fix to check for a system
property value first before a fallback to the project property.

Let me know what you think.

-Eric


Re: Datasource selection

2020-12-15 Thread Eric Norman
For simplicity, you could probably let the framework do a bit more work for
you and remove the need for the BundleContext field by using the reference
bind method technique that sends you the service instance + the properties.

For example, something like this:

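private final Map<String, DataSource> dataSources = new ConcurrentHashMap<>();

// DYNAMIC and MULTIPLE are static imports from ReferencePolicy and
// ReferenceCardinality (org.osgi.service.component.annotations)
@Reference(service = DataSource.class, policy = DYNAMIC, cardinality = MULTIPLE)
void bindDataSource(DataSource ds, Map<String, Object> properties) {
    // the bind method receives the service instance plus its service properties
    dataSources.put((String) properties.get("datasource.name"), ds);
}

void unbindDataSource(DataSource ds, Map<String, Object> properties) {
    // two-argument remove only drops the entry if it still maps to this instance
    dataSources.remove((String) properties.get("datasource.name"), ds);
}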


On Tue, Dec 15, 2020 at 8:13 AM Bertrand Delacretaz 
wrote:

> On Tue, Dec 15, 2020 at 4:58 PM Robert Munteanu 
> wrote:
> > ...This way you get the datasources injected and via SCR and you get to
> > use the datasource.name as a key...
>
> sounds good and it's certainly more efficient than what I suggested.
>
> -Bertrand
>


Re: How to test other System User Access

2020-07-08 Thread Eric Norman
Hi Cris,

Have you already considered the apis provided by the PrivilegesInfo class
from [1]?  I would think that one of the
PrivilegesInfo#getEffectiveAccessRights or
PrivilegesInfo#getEffectiveAccessRightsForPrincipal apis should get you
pretty close to your requirements.

1.
https://github.com/apache/sling-org-apache-sling-jcr-jackrabbit-accessmanager/blob/master/src/main/java/org/apache/sling/jcr/jackrabbit/accessmanager/PrivilegesInfo.java

Regards,
Eric

On Wed, Jul 8, 2020 at 11:59 AM Cris Rockwell  wrote:

> Hello
>
> I want to write Java code that will help evaluate system users access to
> repository paths as part of a test suite for the system setup.
> For example; given a user ID, a path and a privilege, the method returns
> true or false.
>
> boolean userHasAccess (String Path, String Privilege,
> String userID)
>
> It looks like JackrabbitAccessControlManager (
> https://jackrabbit.apache.org/oak/docs/security/accesscontrol/editing.html
> <
> https://jackrabbit.apache.org/oak/docs/security/accesscontrol/editing.html>)
> might offer this utility, but so far I’m not able to find it in a bundle
> provided by Sling 12
>
> Does anyone have a recommendation?
>
> Thanks
> Cris Rockwell
>
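
One way to write the userHasAccess check asked for above, using the JackrabbitAccessControlManager API mentioned in the question. This is an added example, not code from the thread or from the Sling project; the class name and the extra Session parameter are assumptions, and the session passed in must be allowed to read access control content at the path.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.Authorizable;

/** Hypothetical test helper: evaluates the effective privileges of a (system) user. */
public final class AccessCheck {

    private AccessCheck() {
    }

    /**
     * @param session   a session with enough rights to read users and access control
     * @param path      absolute path of an existing item
     * @param privilege privilege name, e.g. "jcr:read" or "rep:write"
     * @param userID    id of the user or system user to evaluate
     * @return true only if every principal-based rule grants the privilege
     * @throws RepositoryException e.g. PathNotFoundException for a missing path; it is
     *         propagated on purpose so a typo in the path is not reported as "denied"
     */
    public static boolean userHasAccess(Session session, String path, String privilege,
            String userID) throws RepositoryException {
        if (!(session instanceof JackrabbitSession)) {
            throw new IllegalArgumentException("A JackrabbitSession is required");
        }
        JackrabbitSession js = (JackrabbitSession) session;

        Authorizable user = js.getUserManager().getAuthorizable(userID);
        if (user == null || user.isGroup()) {
            return false; // unknown id or a group id: fail closed
        }

        // hasPrivileges() only looks at the principals handed to it, so the user's
        // group principals and "everyone" have to be collected explicitly
        PrincipalManager principalManager = js.getPrincipalManager();
        Principal userPrincipal = user.getPrincipal();
        Set<Principal> principals = new HashSet<>();
        principals.add(userPrincipal);
        principals.add(principalManager.getEveryone());
        PrincipalIterator groups = principalManager.getGroupMembership(userPrincipal);
        while (groups.hasNext()) {
            principals.add(groups.nextPrincipal());
        }

        AccessControlManager acm = js.getAccessControlManager();
        if (!(acm instanceof JackrabbitAccessControlManager)) {
            throw new IllegalStateException("JackrabbitAccessControlManager not available");
        }
        Privilege[] privileges = { acm.privilegeFromName(privilege) };
        return ((JackrabbitAccessControlManager) acm).hasPrivileges(path, principals, privileges);
    }
}
```

In a setup test suite, assert both directions: the paths a system user must reach and the paths it must not, so an over-broad grant fails the build as well as a missing one.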


Re: Setting Cache-Control in response Header while accessing JSON data

2020-03-18 Thread Eric Norman
Have you considered registering a custom servlet filter to set the response
headers before forwarding on?

https://sling.apache.org/documentation/the-sling-engine/filters.html


On Wed, Mar 18, 2020 at 2:47 AM Saurabh Tiwari 
wrote:

> Hello team,
>
> I am trying to set the Cache Header in the response header
> e.g Cache-Control: max-age= in response header in accessing JSON
> data.
>
> I have set up the Sling demo locally following instructions at
>
> https://sling.apache.org/documentation/getting-started/discover-sling-in-15-minutes.html
>
> Now, while accessing the JSON data (from below URL)
> http://localhost:8080/content/apache/sling-apache-org/index.2.json
> I want to set the Cache-Control in the response header for the request
> above.
>
> Kindly let me know if we have any resources available around this.
>
> The purpose of this implementation is to increase the performance of my
> application because in my application this data doesn't change frequently.
>
> Thanks in advance!
>
> --
> Best regards,
> Saurabh Tiwari
> Enterprise Software Engineer
> *HotWax Commerce*
> *Enterprise open source experts*
> http://www.hotwax.co
>


Incomplete OSGi manifest for Commons Johnzon 1.2.0?

2020-03-18 Thread Eric Norman
It looks to me that any bundle that attempts to depend on the new
org.apache.sling.commons.johnzon:1.2.0 artifact produces a manifest for the
new bundle that now makes it not activate when deployed to the sling
runtime.

I opened https://issues.apache.org/jira/browse/SLING-9218 for tracking the
problem.

Does anyone know of any bnd-maven-plugin tricks to merge instructions from
the manifest of a bundle that is being wrapped or would that have to be
merged manually?

Alternatively, maybe there is a convenient way to adjust the
BND instructions so I can depend on the
org.apache.sling.commons.johnzon:1.2.0 artifact without requiring the
osgi.contract=JavaJSONP capability in the manifest?

Regards,
-Eric


Re: Sling XML Namespace

2020-02-14 Thread Eric Norman
I see.  So it looks like you may be looking for some tooling to
automatically generate a dynamic xsd schema for a "document view" style JCR
xml import file.  In that case, many of the details of the xsd schema would
have to be dynamically determined by inspecting whatever JCR node types are
currently defined in your target server.

Also, you may consider if you are using well defined "structured" node
types with a fixed set of allowed properties in your xml documents.  If
not, then the xsd schema would have to be very relaxed and may not be too
useful for validation as the allowed property and element names would be
unknown for any unstructured content.  But, perhaps knowing the "defined"
properties and children could be useful to provide hints to the "code
completion" capabilities of the editor?

Anyways, the registered JCR node type details are available for
introspection via apis on the server side.  It should be possible to dig
some of the details out of the JCR node type definitions and return a
dynamic xsd schema file from a servlet.

Regards,
Eric

On Fri, Feb 14, 2020 at 7:17 AM John Kramer 
wrote:

> Sure, we use IntelliJ as a source code editor. And we build our project
> using maven and the plugin content-package-maven-plugin. All of our nodes
> are represented as XML files in our source. For example:
>
> 
>   xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
>   xmlns:jcr="http://www.jcp.org/jcr/1.0"
>   jcr:primaryType="sling:Folder"/>
>
> IntelliJ (and plenty of other editors) validate and even autocomplete xml
> automatically based on the provided namespace. Because it cannot retrieve
> the namespaces http://sling.apache.org/jcr/sling/1.0 or
> http://www.jcp.org/jcr/1.0 it won't do that (of course it will still
> validate xml syntax).
>
> John Kramer
> Java Software Engineer
> E-Commerce Web Team
> e: john.kra...@panerabread.com <mailto:john.kra...@panera.com>
> m: 314-435-2370
>
> On 2/13/20, 23:22, "Eric Norman"  wrote:
>
> Hi John,
>
> Would it be possible for you to provide any more details about the use
> cases where you would be using validated xml files instead of JSON
> files?
>
> Regards,
> Eric
>
> On Thu, Feb 13, 2020, 10:45 AM John Kramer <
> john.kra...@panerabread.com>
> wrote:
>
> > That's disappointing. Have you guys ever considered producing an XSD?
> > Would make it easier to understand, validate, etc.
> >
> > John Kramer
> > Java Software Engineer
> > E-Commerce Web Team
> > e: john.kra...@panerabread.com <mailto:john.kra...@panera.com>
> > m: 314-435-2370
> >
> > On 2/13/20, 02:39, "Julian Sedding"  wrote:
> >
> >
> > Hi John
> >
> > XML namespace names are usually URIs, supposedly to avoid
> collisions.
> > However, they are not required to be a URI nor are they required
> to
> > point to an actual document. The Wikipedia article on XML
> namespaces
> > has more detail:
> > https://en.wikipedia.org/wiki/XML_namespace#Namespace_names
> >
> > The last sentence of the linked section sums it up nicely:
> >
> > "In general, however, users should assume that the namespace URI
> is
> > simply a name, not the address of a document on the Web."
> >
> > Regards
> > Julian
> >
> > On Wed, Feb 12, 2020 at 10:08 PM John Kramer
> >  wrote:
> > >
> > > Hi guys,
> > >
> > > Sorry if this question is a bit naïve.
> > >
> > > I see the xml namespace http://sling.apache.org/jcr/sling/1.0
> all
> > over source files, but that link is a 404. Where can I actually look
> at the
> > namespace definitions?
> > >
> > > Thanks!
> > >
> > > John Kramer
> > > Java Software Engineer
> > > E-Commerce Web Team
> > > e: john.kra...@panerabread.com<mailto:john.kra...@panera.com>
> > > m: 314-435-2370
> >
> >
> >
>
>
>


Re: Sling XML Namespace

2020-02-13 Thread Eric Norman
Hi John,

Would it be possible for you to provide any more details about the use
cases where you would be using validated xml files instead of JSON files?

Regards,
Eric

On Thu, Feb 13, 2020, 10:45 AM John Kramer 
wrote:

> That's disappointing. Have you guys ever considered producing an XSD?
> Would make it easier to understand, validate, etc.
>
> John Kramer
> Java Software Engineer
> E-Commerce Web Team
> e: john.kra...@panerabread.com 
> m: 314-435-2370
>
> On 2/13/20, 02:39, "Julian Sedding"  wrote:
>
>
> Hi John
>
> XML namespace names are usually URIs, supposedly to avoid collisions.
> However, they are not required to be a URI nor are they required to
> point to an actual document. The Wikipedia article on XML namespaces
> has more detail:
> https://en.wikipedia.org/wiki/XML_namespace#Namespace_names
>
> The last sentence of the linked section sums it up nicely:
>
> "In general, however, users should assume that the namespace URI is
> simply a name, not the address of a document on the Web."
>
> Regards
> Julian
>
> On Wed, Feb 12, 2020 at 10:08 PM John Kramer
>  wrote:
> >
> > Hi guys,
> >
> > Sorry if this question is a bit naïve.
> >
> > I see the xml namespace http://sling.apache.org/jcr/sling/1.0 all
> over source files, but that link is a 404. Where can I actually look at the
> namespace definitions?
> >
> > Thanks!
> >
> > John Kramer
> > Java Software Engineer
> > E-Commerce Web Team
> > e: john.kra...@panerabread.com
> > m: 314-435-2370
>
>
>


Re: Content Security Policy Headers

2020-01-10 Thread Eric Norman
I set these headers (and HSTS header) with a simple servlet filter.

Regards,
Eric

On Fri, Jan 10, 2020, 9:26 AM Jason E Bailey  wrote:

> If you're not familiar with them
>
> https://tools.ietf.org/html/rfc7231
> https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
>
> I'm wondering if anyone has used the CSP to secure javascript and styles
> successfully in Sling and what techniques did they use to get there.
>
> I'm about to raise an issue with our vendor because of lack of support,
> but I like to try to avoid tickets if necessary.
>
> - Jason
>
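
A servlet filter of the kind the reply above mentions could look like the following. This is an added example, not Eric's code or code from the Sling project; the class name, the request attribute name and the policy values are assumptions. The same registration works for the Cache-Control suggestion in the earlier thread.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.osgi.service.component.annotations.Component;

/**
 * Hypothetical Sling request filter that adds a Content-Security-Policy header with a
 * per-request nonce and, on secure requests, a Strict-Transport-Security header.
 */
@Component(service = Filter.class, property = { "sling.filter.scope=REQUEST" })
public class SecurityHeadersFilter implements Filter {

    /** Request attribute (assumed name) that rendering scripts read to emit nonce="...". */
    public static final String NONCE_ATTRIBUTE = "csp.nonce";

    private static final SecureRandom RANDOM = new SecureRandom();

    /** A fresh, unpredictable value for every response; never reuse a nonce. */
    static String newNonce() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getEncoder().encodeToString(bytes);
    }

    /** Example policy: inline scripts and styles run only when they carry the nonce. */
    static String buildPolicy(String nonce) {
        return "default-src 'self'; "
                + "script-src 'self' 'nonce-" + nonce + "'; "
                + "style-src 'self' 'nonce-" + nonce + "'; "
                + "object-src 'none'; base-uri 'self'; frame-ancestors 'self'";
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            String nonce = newNonce();
            request.setAttribute(NONCE_ATTRIBUTE, nonce);

            // Headers must be set before the chain runs: once the response is
            // committed further down, setHeader() has no effect.
            httpResponse.setHeader("Content-Security-Policy", buildPolicy(nonce));

            // HSTS is only meaningful over TLS. Behind a TLS-terminating proxy,
            // isSecure() is false unless the container is told about the proxy.
            if (request.isSecure()) {
                httpResponse.setHeader("Strict-Transport-Security",
                        "max-age=31536000; includeSubDomains");
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to initialise
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Sending the same policy as Content-Security-Policy-Report-Only first shows which scripts and styles would be blocked before the policy is enforced.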


Re: OIDC or SAML2 for Sling

2019-12-11 Thread Eric Norman
Hi Cris,

It may depend on what capabilities the external OAuth provider supplies.
For example, I believe some OAuth providers may provide a way to return
group memberships via OAuth2 scopes?

Otherwise, the mechanism for group membership lookup may depend on what
additional REST APIs that your external server provides.  For example, once
you have a verified OAuth token, then you might be able to use that
identity to make additional https calls back to the OAuth provider to
retrieve additional data.  For example, with a valid facebook oauth token
you could invoke their graph APIs to get a list of the groups the user is a
member of.

Of course, if your external oauth provider doesn't provide any mechanism
for lookup of user/group profile data then you would need to figure
something else out.

As to where to do the group membership sync logic: If you are ok with a
short delay in the group memberships being updated, then I suppose you
could listen for login events and do the work in the async event handler.
Otherwise, if you expect the group membership to take effect immediately
during login, then doing that work in the
AuthenticationHandler#extractCredentials call would probably be ok after
you have verified the credentials are valid.

Regards,
-Eric

On Wed, Dec 11, 2019 at 11:45 AM Cris Rockwell  wrote:

> Hi Eric
>
> Thanks for the response. OAuth2 would be a handy option for user
> authentication, user creation and perhaps user attributes. But I’m pretty
> sure group membership would not come as part of the authentication process
> data (at least not for us). With an OAuth2 approach where group membership
> data is not included, would it be necessary or advisable to also use LDAP
> to lookup the user groups and then add/remove the user from the JCR groups
> upon sign in (or a quartz ETL-like job)? If so, I imagine we can add a fourth
> OSGI services to that list. But where should we make the call for LDAP
> group membership service? Part of the custom AuthenticationHandler?  Or is
> Oauth2 just not a good fit given the need to manage group membership at the
> identity provider?
>
> Cris
>
>
>
>
>
>
>
> > On Dec 11, 2019, at 1:55 PM, Eric Norman  wrote:
> >
> > Hi Cris,
> >
> > It should be possible.  For one of my projects I had to implement
> something
> > similar to support OAuth2 based logins to a sling based server using the
> > facebook/google/twitter oauth support.
> >
> > I basically needed 3 main custom OSGi services to make it work:
> > 1. A custom impl of AbstractAuthenticationFormServlet that was used to
> > initiate the oauth challenge from custom buttons on the login page.
> > 2. A custom org.apache.sling.auth.core.spi.AuthenticationHandler service
> > that handles the requesting/extraction/validation of the credentials from
> > the external oauth provider.  I used the scribejava library for the OAuth
> > conversations (https://github.com/scribejava/scribejava)
> > 3. A custom org.apache.felix.jaas.LoginModuleFactory service for the
> > "jackrabbit.oak" JAAS realm so the extracted oauth credentials from #2
> are
> > accepted for logging in to the oak JCR repository without knowing the
> > password.
> >
> > The impl for #2 also dealt with linking the verified external account
> > identity with a local jackrabbit.oak user and copying any required
> > attributes from the external account to the local user profile.
> >
> > Regards,
> > Eric
> >
> > On Tue, Dec 10, 2019 at 2:34 PM Cris Rockwell 
> wrote:
> >
> >> Hello Sling Users
> >>
> >> Does anyone know of a solution for SSO for Apache Sling using OIDC,
> OAuth2
> >> or SAML2 using JCR-based access controls, user creation and attribute
> >> synchronization, and group membership?
> >>
> >> This one looks interesting, but is it dead?
> >>
> >>
> https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.html
> >> <
> >>
> https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.html
> >>>
> >>
> >> This student project looks interesting, so is our best resource?
> >> https://github.com/apache/sling-whiteboard/pull/14 <
> >> https://github.com/apache/sling-whiteboard/pull/14>
> >>
> >>
> https://medium.com/@hasiniwitharana/gsoc-2018-openid-connect-relying-party-implementation-for-apache-sling-635ea1e9b45e
> >> <
> >>
> https://medium.com/@hasiniwitharana/gsoc-2018-openid-connect-relying-party-implementation-for-apache-sling-635

Re: OIDC or SAML2 for Sling

2019-12-11 Thread Eric Norman
Hi Cris,

It should be possible.  For one of my projects I had to implement something
similar to support OAuth2 based logins to a sling based server using the
facebook/google/twitter oauth support.

I basically needed 3 main custom OSGi services to make it work:
1. A custom impl of AbstractAuthenticationFormServlet that was used to
initiate the oauth challenge from custom buttons on the login page.
2. A custom org.apache.sling.auth.core.spi.AuthenticationHandler service
that handles the requesting/extraction/validation of the credentials from
the external oauth provider.  I used the scribejava library for the OAuth
conversations (https://github.com/scribejava/scribejava)
3. A custom org.apache.felix.jaas.LoginModuleFactory service for the
"jackrabbit.oak" JAAS realm so the extracted oauth credentials from #2 are
accepted for logging in to the oak JCR repository without knowing the
password.

The impl for #2 also dealt with linking the verified external account
identity with a local jackrabbit.oak user and copying any required
attributes from the external account to the local user profile.

Regards,
Eric

On Tue, Dec 10, 2019 at 2:34 PM Cris Rockwell  wrote:

> Hello Sling Users
>
> Does anyone know of a solution for SSO for Apache Sling using OIDC, OAuth2
> or SAML2 using JCR-based access controls, user creation and attribute
> synchronization, and group membership?
>
> This one looks interesting, but is it dead?
>
> https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.html
> <
> https://sling.apache.org/documentation/the-sling-engine/authentication/authentication-authenticationhandler/openid-authenticationhandler.html
> >
>
> This student project looks interesting, so is our best resource?
> https://github.com/apache/sling-whiteboard/pull/14 <
> https://github.com/apache/sling-whiteboard/pull/14>
>
> https://medium.com/@hasiniwitharana/gsoc-2018-openid-connect-relying-party-implementation-for-apache-sling-635ea1e9b45e
> <
> https://medium.com/@hasiniwitharana/gsoc-2018-openid-connect-relying-party-implementation-for-apache-sling-635ea1e9b45e
> >
>
> https://cwiki.apache.org/confluence/display/SLING/Instructions+to+setup+the+OIDC+flow
> <
> https://cwiki.apache.org/confluence/display/SLING/Instructions+to+setup+the+OIDC+flow
> >
> https://github.com/apache/sling-whiteboard/tree/master/oidc-handler <
> https://github.com/apache/sling-whiteboard/tree/master/oidc-handler>
>
> There is this presentation about Keycloak, but as stated I’m looking to
> manage access controls on the content.
>
> https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html
> <
> https://adapt.to/2018/en/schedule/modern-authentication-in-sling-with-openid-connect-and-keycloak.html
> >
>
> Thanks!
> Cris R
>
>
>


Re: Executing xpath query with number in path

2019-08-29 Thread Eric Norman
If I recall correctly, if you want to use paths in XPath queries then you
need to escape the path segments according to ISO9075 rules.   For your
reference, there is a brief section about that on the wiki at [1].

Also, there is a utility class in jackrabbit that can do the ISO9075 path
encoding for you at [2] that you may utilize.

1.
http://jackrabbit.apache.org/archive/wiki/JCR/EncodingAndEscaping_115513396.html
2.
http://jackrabbit.apache.org/api/trunk/org/apache/jackrabbit/util/ISO9075.html

I hope that helps.

On Thu, Aug 29, 2019 at 8:54 AM Roy Teeuwen  wrote:

> Hey all,
>
> In the framework that we use (AEM) there is a folder structure as
> following:
>
> /content/launches/2019/08/29/my-launch/content/site-name
>
> I would like to do a query to search for subresources in this site, but it
> seems that this gives issues because an xpath query cannot take numbers as
> path names:
>
> /jcr:root/content/launches/2019(*)/08/29/my-launch/content/site-name//*[@sling:resourceType='some/components/path'];
> expected: jcr:root, /, *, @, (, .
>
> Is there any way around this to still make it work with xpath queries? Can
> I escape it in any way? Or can I say "start the query below
> /content/launches/2019/08/29/my-launch/content/site-name" so that it doesn't
> see the numbers in the query?
>
> Thanks!
> Roy
>
>
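
The ISO9075 utility referenced in [2] can be applied to the path from the question before it is placed into the XPath statement. This is an added example, not code from the thread; the class and method names are assumptions, and the literal escaping follows the same wiki page [1].

```java
import java.util.ArrayList;
import java.util.List;

import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;

import org.apache.jackrabbit.util.ISO9075;

/** Hypothetical helper that builds and runs an XPath query below an arbitrary path. */
public final class EncodedXPathQuery {

    private EncodedXPathQuery() {
    }

    /**
     * Builds "/jcr:root<encoded path>//*[@sling:resourceType='<escaped value>']".
     */
    static String buildStatement(String absPath, String resourceType) {
        if (absPath == null || !absPath.startsWith("/")) {
            throw new IllegalArgumentException("An absolute path is required");
        }
        // Each segment that is not a valid XML name is rewritten; a leading digit,
        // as in the 2019/08/29 segments, becomes _xHHHH_ (its code point in hex).
        String encodedPath = ISO9075.encodePath(absPath);

        // Inside a string literal an apostrophe is escaped by doubling it, so the
        // value cannot close the literal and change the query.
        String literal = resourceType.replace("'", "''");

        return "/jcr:root" + encodedPath + "//*[@sling:resourceType='" + literal + "']";
    }

    /** Runs the query and returns the paths of the matching nodes. */
    @SuppressWarnings("deprecation") // Query.XPATH is deprecated in JCR 2.0 but still supported
    public static List<String> findPaths(Session session, String absPath, String resourceType)
            throws RepositoryException {
        QueryManager queryManager = session.getWorkspace().getQueryManager();
        Query query = queryManager.createQuery(buildStatement(absPath, resourceType), Query.XPATH);

        List<String> paths = new ArrayList<>();
        NodeIterator nodes = query.execute().getNodes();
        while (nodes.hasNext()) {
            paths.add(nodes.nextNode().getPath());
        }
        return paths;
    }
}
```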


Re: [question] 2 sling instances behind one apache server sharing 1 session

2018-12-11 Thread Eric Norman
Please note that I have not tried to set something like this up, but I
think I might prefer a proper SSO solution to reduce the fragility, but
this is just my 2 cents.

First, in order to use the same cookie for both sling instances, the cookie
domain and path must be sent by the server from both sling instances with
values that are common to both instances.   If you have the exact same
hostname for both endpoints and are only using the request path to route
the requests to the right place then the default cookie domain is probably
ok, but you would need to ensure the cookie path was "/" or some context
path that matches both endpoints or the browser won't send the cookie to
the other server.

Second, the servlet container is unlikely to just accept a cookie with a
sessionId that it didn't create.  If the sessionId value doesn't match
something that the server-side session manager is already managing then it
would likely just ignore it and create a fresh session with a new
sessionId.  So in order to workaround that you would probably need some
sort of session replication system that persists the session data to a
shared database.  If both of the sling instances are pointing at the same
session persistence database then it may accept it?  The session data in a
shared database may have its own quirks related to concurrency,
serialization, and data conflicts that may make it not practical.

Third, you may run into some troubles with server-side session expiration.
For example, consider this scenario:
1. Your client interacts with tenant1 first to establish a session
2. The client then switches to working with tenant2 without any further
interaction with tenant1
3. After 30 minutes of inactivity, the session manager on tenant1 decides
that the session has expired and throws it away
4. The next request to tenant2 may then discover that the user is no longer
logged in due to #3 destroying the persisted session data from the shared
database.

Anyways, to me I think you may have less trouble using a SSO solution to
identify the user and allow each sling instance to manage their own
sessions independently of each other.

Regards,
Eric

On Tue, Dec 11, 2018 at 7:16 AM Jason E Bailey  wrote:

> I'm going to start talking and saying things, and if I come across like
> I'm being pedantic I apologize in advance :)
>
> First, when we talk about logging in, we're talking about cookies. A
> cookie is used to identify a Session or store user credentials. You can't
> have a server side session or login without some form of cookie.
>
> In the case that you are describing a cookie that is assigned to the URL
> will be accessible by both servers, because regardless of the number of
> servers being used, the client sees only one end point.  So putting a
> cookie on cms.example.org will be accessible from all instances that are
> serving content for that URL.
>
> So a SSO solution is overkill in this scenario. Single Sign On is good for
> logging into multiple URLs at once where once cookies have to be created
> multiple times.
>
> It comes back to what the multiple instances know.
>
> What I mean by that, does the content server know the users and groups
> associated with the users? Does it do fine grain permission? Or does it
> really need to know is that this request is a logged in user or not?
>
> Scenario:
> Content server only needs to know that the request is a logged in user or
> not - When the user Logs in he gets a cookie that contains an encrypted
> string with an expiration date,  maybe an IP address. There is then a
> common secret key used between the back end servers that the content server
> only needs to check to see that the cookie is a valid cookie.
>
> Scenario
> Content server not only needs to know that it's a valid cookie, but that
> the user is Joe and Joe is part of the User group and the user group is
> only permitted to know certain sections of the site. In that case you have
> the option of encoding additional information into the encrypted cookie or
> you have the cookie be a UUID that can reference another backend service
> that actually provides the details that I just mentioned. Which could then
> be cached for the life of the login.
>
> Does any of that help?
> - Jason
>
> On Sun, Dec 9, 2018, at 9:41 AM, Ruben Reusser wrote:
> > Jason,
> >
> > sorry, I should have been clear about what I am looking for
> >
> > 1 apache server, 1 domain name (say cms.example.org)
> > 2 sling instances (either on 2 servers or 2 different ports)
> >
> > from a user point of view I'd like to log in to cms.example.org and be
> > fully logged in to both sling instances (eg same full sling user on both
> > systems)
> >
> > one way of course would be to use an sso solution
> > another one would be that the authentication session in sling can be
> > shared between multiple instances
> >
> > what I am trying to get to is the following:
> >
> > - my cms uses one instance for the admin shell
> > - we use client side 
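
The first scenario in the quoted message (a cookie carrying an expiration date that every back-end instance can validate with a common secret key) is sketched below. This is an added example, not code from the thread or from Sling; it authenticates the cookie with an HMAC-SHA256 signature rather than encrypting it, and the class name, the cookie name "login" and the value layout are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper: issues and validates a signed login cookie value. */
public final class SharedLoginCookie {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private final byte[] key; // secret shared by all back-end instances

    public SharedLoginCookie(byte[] sharedKey) {
        if (sharedKey.length < 32) {
            throw new IllegalArgumentException("key must be at least 32 bytes");
        }
        this.key = sharedKey.clone();
    }

    /** Value layout: base64url(userId) "." expiryEpochSeconds "." base64url(hmac). */
    public String issue(String userId, Instant expiresAt) {
        String payload = ENC.encodeToString(userId.getBytes(StandardCharsets.UTF_8))
                + "." + expiresAt.getEpochSecond();
        return payload + "." + ENC.encodeToString(hmac(payload));
    }

    /** Returns the user id only if the signature matches and the cookie has not expired. */
    public Optional<String> validate(String cookieValue, Instant now) {
        if (cookieValue == null) {
            return Optional.empty();
        }
        String[] parts = cookieValue.split("\\.", -1);
        if (parts.length != 3) {
            return Optional.empty();
        }
        try {
            byte[] expected = hmac(parts[0] + "." + parts[1]);
            byte[] presented = DEC.decode(parts[2]);
            // Constant-time comparison, and the signature is checked before
            // any other field of the cookie is trusted.
            if (!MessageDigest.isEqual(expected, presented)) {
                return Optional.empty();
            }
            if (now.getEpochSecond() >= Long.parseLong(parts[1])) {
                return Optional.empty(); // expired
            }
            return Optional.of(new String(DEC.decode(parts[0]), StandardCharsets.UTF_8));
        } catch (IllegalArgumentException e) {
            // malformed base64 or expiry (NumberFormatException is a subclass)
            return Optional.empty();
        }
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed demo key; in a deployment both instances load the same
        // key from their configuration or a secret store.
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        SharedLoginCookie adminInstance = new SharedLoginCookie(key);
        SharedLoginCookie contentInstance = new SharedLoginCookie(key);

        Instant now = Instant.now();
        String value = adminInstance.issue("joe", now.plusSeconds(1800));
        // Path=/ so the browser sends the cookie to both instances behind the one host name.
        System.out.println("Set-Cookie: login=" + value + "; Path=/; HttpOnly; Secure; SameSite=Lax");

        System.out.println("valid on other instance: " + contentInstance.validate(value, now));

        // A client that extends the expiry without knowing the key is rejected.
        String[] p = value.split("\\.");
        String forged = p[0] + "." + (Long.parseLong(p[1]) + 86400) + "." + p[2];
        System.out.println("forged expiry:           " + contentInstance.validate(forged, now));

        System.out.println("after expiry:            "
                + contentInstance.validate(value, now.plusSeconds(3600)));
    }
}
```

Because the expiry is carried inside the signed value, neither instance needs the other's server-side session to decide whether the login is still valid.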

Re: ContentLoader Import problem

2018-12-08 Thread Eric Norman
Hi Jason,

Yes, I would expect that the original "overwrite" and "overwriteProperties"
directives could simply be deprecated and any existing usages in the wild
could be re-mapped to an equivalent "sync mode" by the runtime with a
warning message logged about the deprecation.  The available "sync mode"
values would just have to make sure they cover all the possible
combinations.  For example, the original "overwrite" directive could be a
"replace" sync mode where any existing content at the target path is
removed before processing the new content.

Perhaps it would be worthwhile and simpler to have different "sync mode"
values for the handling of nodes vs properties so those two types of items
could be handled differently when needed?

Regards,
Eric

On Fri, Dec 7, 2018 at 6:25 AM Jason E Bailey  wrote:

> That would be a great addition.  It may be hard to change the existing
> options as that could break downstream use cases but I'm sure there's ways
> of updating this. I took a look at the code and I'm not familiar enough
> with oak in this use case to make that change.
>
>
>
> - Jason
>
> On Thu, Dec 6, 2018, at 2:43 PM, Eric Norman wrote:
> > Hi Jason,
> >
> > I would think the ContentLoader could be enhanced to provide more granular
> > import logic than the "overwrite" and "overwriteProperties" directives
> > provide.
> >
> > For a point of comparison, in a previous (non-sling) project I worked on we
> > had a similar mechanism for importing content into a taxonomy.  The
> > solution we ended up with for this kind of problem was to have a mechanism
> > to specify an import sync mode that changed how the new information was
> > interpreted.
> >
> > For example, the import "sync mode" could be set to something like this
> > with a directive (or with a special tag within the content itself):
> >
> >    - default - merge the new content into the existing taxonomy overwriting
> >    anything existing at the same location
> >    - update - merge the new content into the existing taxonomy by
> >    overwriting/updating existing content but don't create anything that
> >    doesn't already exist
> >    - add - merge the new content into the existing taxonomy but don't add
> >    or update any items that already exist
> >    - sync - same as "default" but remove all nodes from each of the parent
> >    nodes if there is no equivalent item in the new content.
> >
> >
> > Regards,
> > Eric
> >
> > On Thu, Dec 6, 2018 at 10:44 AM Jason E Bailey  wrote:
> >
> > > We've set up a process to import content into our Sling instance and
> > > we're running into a problem with the ContentLoader.
> > > The use case is that a set of data that is managed in another part of
> > > our company is being provided to us in the form of a JSON object for
> > > loading into our Sling environment.
> > > This works. However, this content changes daily, sometimes properties
> > > will change and sometimes node structure.
> > > We don't want to say "overwrite" because that causes the entire tree
> > > structure to be deleted which is really intensive, however if we
> > > don't say "overwrite" then nodes that are removed from the import
> > > continue to exist.
> > > Effectively what we need is a delta, we want to delete nodes if they
> > > aren't in the import but otherwise leave it alone, the same thing with
> > > properties.
> > > Which, unless I'm missing something, is not a function the
> > > importer supports. Has anyone had to deal with this? Maybe used a
> > > different process?
> > > Thanks
> > > - Jason
> > >
> > >
> > >
>


Re: ContentLoader Import problem

2018-12-06 Thread Eric Norman
Hi Jason,

I would think the ContentLoader could be enhanced to provide more granular
import logic than the "overwrite" and "overwriteProperties" directives
provide.

For a point of comparison, in a previous (non-sling) project I worked on we
had a similar mechanism for importing content into a taxonomy.  The
solution we ended up with for this kind of problem was to have a mechanism
to specify an import sync mode that changed how the new information was
interpreted.

For example, the import "sync mode" could be set to something like this
with a directive (or with a special tag within the content itself):

   - default - merge the new content into the existing taxonomy overwriting
   anything existing at the same location
   - update - merge the new content into the existing taxonomy by
   overwriting/updating existing content but don't create anything that
   doesn't already exist
   - add - merge the new content into the existing taxonomy but don't add
   or update any items that already exist
   - sync - same as "default" but remove all nodes from each of the parent
   nodes if there is no equivalent item in the new content.


Regards,
Eric

On Thu, Dec 6, 2018 at 10:44 AM Jason E Bailey  wrote:

> We've set up a process to import content into our Sling instance and
> we're running into a problem with the ContentLoader.
> The use case is that a set of data that is managed in another part of
> our company is being provided to us in the form of a JSON object for
> loading into our Sling environment.
> This works. However, this content changes daily, sometimes properties
> will change and sometimes node structure.
> We don't want to say "overwrite" because that causes the entire tree
> structure to be deleted which is really intensive, however if we
> don't say "overwrite" then nodes that are removed from the import
> continue to exist.
> Effectively what we need is a delta, we want to delete nodes if they
> aren't in the import but otherwise leave it alone, the same thing with
> properties.
> Which, unless I'm missing something, is not a function the
> importer supports. Has anyone had to deal with this? Maybe used a
> different process?
> Thanks
> - Jason
>
>
>
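
The four sync modes listed in the message above, modelled on an in-memory tree so their differences can be compared side by side. This is an added example, not ContentLoader code and not an existing Sling feature; the class, the enum and the nested-map content model (a Map value is a child node, anything else is a property) are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical model of the proposed sync modes on an in-memory content tree. */
public final class SyncModeMerge {

    public enum SyncMode { DEFAULT, UPDATE, ADD, SYNC }

    /** Merges incoming content into existing content in place. */
    @SuppressWarnings("unchecked")
    public static void merge(Map<String, Object> existing,
                             Map<String, Object> incoming, SyncMode mode) {
        if (mode == SyncMode.SYNC) {
            // sync: remove child nodes that have no equivalent item in the new content
            existing.entrySet().removeIf(
                    e -> e.getValue() instanceof Map && !incoming.containsKey(e.getKey()));
        }
        for (Map.Entry<String, Object> item : incoming.entrySet()) {
            String name = item.getKey();
            Object newValue = item.getValue();
            Object oldValue = existing.get(name);
            if (newValue instanceof Map && oldValue instanceof Map) {
                // node present on both sides: descend and decide item by item
                merge((Map<String, Object>) oldValue, (Map<String, Object>) newValue, mode);
            } else if (existing.containsKey(name)) {
                // item already exists: every mode except "add" overwrites it
                if (mode != SyncMode.ADD) {
                    existing.put(name, copy(newValue));
                }
            } else {
                // item is new: every mode except "update" creates it
                if (mode != SyncMode.UPDATE) {
                    existing.put(name, copy(newValue));
                }
            }
        }
    }

    /** Deep copy so the merged tree never aliases the import data. */
    @SuppressWarnings("unchecked")
    private static Object copy(Object value) {
        if (!(value instanceof Map)) {
            return value;
        }
        Map<String, Object> out = new LinkedHashMap<>();
        ((Map<String, Object>) value).forEach((k, v) -> out.put(k, copy(v)));
        return out;
    }

    /** Builds a node from alternating name/value arguments. */
    private static Map<String, Object> node(Object... nameValuePairs) {
        Map<String, Object> n = new LinkedHashMap<>();
        for (int i = 0; i < nameValuePairs.length; i += 2) {
            n.put((String) nameValuePairs[i], nameValuePairs[i + 1]);
        }
        return n;
    }

    public static void main(String[] args) {
        for (SyncMode mode : SyncMode.values()) {
            // Constructed sample data: "stale" exists only in the repository,
            // "b" and "a/z" exist only in the import.
            Map<String, Object> existing = node(
                    "title", "Old",
                    "a", node("x", 1),
                    "stale", node("y", 2));
            Map<String, Object> incoming = node(
                    "title", "New",
                    "a", node("x", 5, "z", 9),
                    "b", node("k", "v"));
            merge(existing, incoming, mode);
            System.out.println(mode + " -> " + existing);
        }
    }
}
```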


Re: ACE Restrictions with jackrabbit.accessmanager

2018-11-16 Thread Eric Norman
Hi Stefan,

I took a look at the code and it seems that support for read/write of
restrictions on the ACE has not yet been implemented in the sling
jackrabbit.accessmanager REST operations (and elsewhere).  However, it
looks like adding support for read/write of ACE restrictions would not be
difficult and it looks like it could be useful to the community.

I've opened a jira ticket for tracking at SLING-8117 if you wish to follow
the progress.

Regards,
-Eric

On Fri, Nov 16, 2018 at 1:51 AM Stefan Leisten 
wrote:

> Hello Guys,
>
> we are using the accessmanager interface [1] to manage ACEs via curl.
> Unfortunately we'd need some ACE with "rep:glob" Restriction.
>
> Is there a way to do this with the accessmanager REST interface?
>
> [1]
>
> http://sling.apache.org/documentation/bundles/managing-permissions-jackrabbit-accessmanager.html
>
> Thanks & Best Regards
> Stefan


Re: users@sling.apache.org

2018-09-22 Thread Eric Norman
Are you using sling standalone which has an embedded jetty servlet
container inside it?  If so, then I think the general approach for putting a
httpd server in front of a jetty based server would be to use mod_proxy as
a reverse proxy.  You should be able to do a web search for "jetty
mod_proxy" to see some examples of how that configuration would look in
httpd.

However, I suspect there may be some limitations (or additional
configuration) if you intend to use some newer technologies like http/2
or websocket with another web server sitting between the client and
sling/jetty.

Regards,
-Eric

On Fri, Sep 21, 2018 at 8:58 PM Cris Rockwell 
wrote:

> Hello
> Sling as an application server should work well behind an httpd web-server
> acting as a firewall, proxy and cache layer. Given Sling and Httpd are both
> Apache projects for the web, it seems they are pieces in the same stack.
> But I'm having trouble finding documentation other than Adobe's
> mod_dispatcher (which is not OSS afaik). Can anyone recommend resources or
> advice for configuring httpd to work with Sling?
> Thanks!
>


Custom error handling scripts that consider the request file extension?

2018-08-09 Thread Eric Norman
Does anyone have a convenient existing solution for error handling that
considers the incoming request file extension when resolving which script
to use to render the error response?

For example, I am expecting that a request to
http://localhost:8080/bogus.json should return a JSON response with the 404
error details in JSON when the resource doesn't exist.  (also similar
behavior should be possible for a .txt or .xml file extension)

What I see currently is that SlingServletResolver#handleError ignores the
incoming file extension and always returns the error page as html.

I would expect that an "errorhandler" script/servlet registered with
("sling.servlet.resourceTypes=sling/servlet/errorhandler",
"sling.servlet.extensions=json", "sling.servlet.methods=404") should be
preferred when the incoming request has a .json extension, and then use the
original html error response as a fallback for all other scenarios.

Basically I would like to have the client get JSON back when something goes
wrong instead of html that won't parse as JSON.

If no one disagrees, I can open a bug report and provide the proposed
changes to org.apache.sling.servlets.resolver

Regards,
Eric


Re: Unable to start o.a.sling.starter-10 with java 10

2018-07-14 Thread Eric Norman
Ah, ok.  Yes it does start with the --add-modules java.se.ee argument added.

On Sat, Jul 14, 2018 at 12:02 AM, Karl Pauls  wrote:

> can you try again with
>
> java --add-modules java.se.ee
>
> ?
>
> regards,
>
> Karl
>
> On Saturday, July 14, 2018, Eric Norman  wrote:
>
> > Is anyone else having troubles with starting o.a.sling.starter-10 with a
> > java 10 JRE?  The release notes for sling 10 indicated that java 10 was
> > supported, but I get the following error when attempting to startup.  I
> > get no errors when using a java8 JRE.
> >
> >
> > ~/Downloads $ /usr/lib/jvm/java-10-oracle/bin/java -jar
> > org.apache.sling.starter-10.jar
> > 13.07.2018 17:34:57.052 *INFO * [main] Setting sling.home=sling (default)
> > 13.07.2018 17:34:57.054 *INFO * [main] Starting Apache Sling in
> > /home/enorman/Downloads/sling
> > 13.07.2018 17:34:57.056 *INFO * [main] Sling  Extension Lib Home :
> > /home/enorman/Downloads/sling/ext
> > 13.07.2018 17:34:57.056 *INFO * [main] Checking launcher JAR in folder
> > /home/enorman/Downloads/sling
> > 13.07.2018 17:34:57.077 *INFO * [main] Installing new launcher:
> > jar:file:/home/enorman/Downloads/org.apache.sling.
> > starter-10.jar!/resources/org.apache.sling.launchpad.base.jar,
> > 5.6.10.2_6_26 (org.apache.sling.launchpad.base.jar.1531528497077)
> > 13.07.2018 17:34:57.079 *INFO * [main] Loading launcher class
> > org.apache.sling.launchpad.base.app.MainDelegate from
> > org.apache.sling.launchpad.base.jar.1531528497077
> > 13.07.2018 17:34:57.080 *INFO * [main] External Libs Home (ext) is null
> or
> > does not exists.
> > 13.07.2018 17:34:57.091 *INFO * [main] Setting
> > sling.launchpad=/home/enorman/Downloads/sling
> > 13.07.2018 17:34:57.091 *INFO * [main] Starting launcher ...
> > 13.07.2018 17:34:57.103 *INFO * [main] HTTP server port: 8080
> > WARNING: An illegal reflective access operation has occurred
> > WARNING: Illegal reflective access by
> > org.apache.felix.framework.ext.ClassPathExtenderFactory$
> > DefaultClassLoaderExtender
> > (file:/home/enorman/Downloads/sling/org.apache.sling.launchpad.base.jar.
> > 1531528497077)
> > to method java.net.URLClassLoader.addURL(java.net.URL)
> > WARNING: Please consider reporting this to the maintainers of
> > org.apache.felix.framework.ext.ClassPathExtenderFactory$
> > DefaultClassLoaderExtender
> > WARNING: Use --illegal-access=warn to enable warnings of further illegal
> > reflective access operations
> > WARNING: All illegal access operations will be denied in a future release
> > 13.07.2018 17:34:57.639 *ERROR* [FelixStartLevel] ERROR: Bundle '2' Error
> > starting slinginstall:org.apache.sling.installer.core-3.8.10.jar
> > (org.osgi.framework.BundleException: Unable to resolve
> > org.apache.sling.installer.core [2](R 2.0): missing requirement
> > [org.apache.sling.installer.core [2](R 2.0)] osgi.wiring.package;
> > (osgi.wiring.package=javax.annotation) Unresolved requirements:
> > [[org.apache.sling.installer.core [2](R 2.0)] osgi.wiring.package;
> > (osgi.wiring.package=javax.annotation)])
> > org.osgi.framework.BundleException: Unable to resolve
> > org.apache.sling.installer.core [2](R 2.0): missing requirement
> > [org.apache.sling.installer.core [2](R 2.0)] osgi.wiring.package;
> > (osgi.wiring.package=javax.annotation) Unresolved requirements:
> > [[org.apache.sling.installer.core [2](R 2.0)] osgi.wiring.package;
> > (osgi.wiring.package=javax.annotation)]
> > at org.apache.felix.framework.Felix.resolveBundleRevision(
> Felix.java:4149)
> > at org.apache.felix.framework.Felix.startBundle(Felix.java:2119)
> > at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1373)
> > at
> > org.apache.felix.framework.FrameworkStartLevelImpl.run(
> > FrameworkStartLevelImpl.java:308)
> > at java.base/java.lang.Thread.run(Thread.java:844)
> >
> >
> > Regards,
> > Eric
> >
>
>
> --
> Karl Pauls
> karlpa...@gmail.com
>


Unable to start o.a.sling.starter-10 with java 10

2018-07-13 Thread Eric Norman
Is anyone else having troubles with starting o.a.sling.starter-10 with a
java 10 JRE?  The release notes for sling 10 indicated that java 10 was
supported, but I get the following error when attempting to startup.  I get
no errors when using a java8 JRE.


~/Downloads $ /usr/lib/jvm/java-10-oracle/bin/java -jar
org.apache.sling.starter-10.jar
13.07.2018 17:34:57.052 *INFO * [main] Setting sling.home=sling (default)
13.07.2018 17:34:57.054 *INFO * [main] Starting Apache Sling in
/home/enorman/Downloads/sling
13.07.2018 17:34:57.056 *INFO * [main] Sling  Extension Lib Home :
/home/enorman/Downloads/sling/ext
13.07.2018 17:34:57.056 *INFO * [main] Checking launcher JAR in folder
/home/enorman/Downloads/sling
13.07.2018 17:34:57.077 *INFO * [main] Installing new launcher:
jar:file:/home/enorman/Downloads/org.apache.sling.starter-10.jar!/resources/org.apache.sling.launchpad.base.jar,
5.6.10.2_6_26 (org.apache.sling.launchpad.base.jar.1531528497077)
13.07.2018 17:34:57.079 *INFO * [main] Loading launcher class
org.apache.sling.launchpad.base.app.MainDelegate from
org.apache.sling.launchpad.base.jar.1531528497077
13.07.2018 17:34:57.080 *INFO * [main] External Libs Home (ext) is null or
does not exists.
13.07.2018 17:34:57.091 *INFO * [main] Setting
sling.launchpad=/home/enorman/Downloads/sling
13.07.2018 17:34:57.091 *INFO * [main] Starting launcher ...
13.07.2018 17:34:57.103 *INFO * [main] HTTP server port: 8080
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by
org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender
(file:/home/enorman/Downloads/sling/org.apache.sling.launchpad.base.jar.1531528497077)
to method java.net.URLClassLoader.addURL(java.net.URL)
WARNING: Please consider reporting this to the maintainers of
org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender
WARNING: Use --illegal-access=warn to enable warnings of further illegal
reflective access operations
WARNING: All illegal access operations will be denied in a future release
13.07.2018 17:34:57.639 *ERROR* [FelixStartLevel] ERROR: Bundle '2' Error
starting slinginstall:org.apache.sling.installer.core-3.8.10.jar
(org.osgi.framework.BundleException: Unable to resolve
org.apache.sling.installer.core [2](R 2.0): missing requirement
[org.apache.sling.installer.core [2](R 2.0)] osgi.wiring.package;
(osgi.wiring.package=javax.annotation) Unresolved requirements:
[[org.apache.sling.installer.core [2](R 2.0)] osgi.wiring.package;
(osgi.wiring.package=javax.annotation)])
org.osgi.framework.BundleException: Unable to resolve
org.apache.sling.installer.core [2](R 2.0): missing requirement
[org.apache.sling.installer.core [2](R 2.0)] osgi.wiring.package;
(osgi.wiring.package=javax.annotation) Unresolved requirements:
[[org.apache.sling.installer.core [2](R 2.0)] osgi.wiring.package;
(osgi.wiring.package=javax.annotation)]
at org.apache.felix.framework.Felix.resolveBundleRevision(Felix.java:4149)
at org.apache.felix.framework.Felix.startBundle(Felix.java:2119)
at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1373)
at
org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
at java.base/java.lang.Thread.run(Thread.java:844)


Regards,
Eric


Re: Managing Permissions using Sling

2013-08-11 Thread Eric Norman
Hi Anjan,

It does look like something is wrong there.  Please go ahead and open a new
JIRA issue with your findings.  Patches are also welcome if you have a
proposal for how to fix the bug.

Regards,
Eric


On Sat, Aug 10, 2013 at 2:20 AM, anjan poliset...@gmail.com wrote:

 I am using Sling's REST interface to modify the permissions on a Node.  I
 noticed an issue.

 The issue I am facing can be best explained by showing the curl commands I
 executed and the output I received:

 (1) Here is the initial set of privileges present on the node:
 $ curl -u admin:admin http://localhost:8080/content/pertest.eacl.json

 {"test":{"principal":"test","denied":["jcr:versionManagement","jcr:read","jcr:modifyAccessControl","rep:write"],"order":0},"everyone":{"principal":"everyone","granted":["jcr:read","jcr:readAccessControl"],"order":1},"administrators":{"principal":"administrators","granted":["jcr:all"],"order":2}}

 (2) Run the below command to grant all the privileges for test principal
 $ curl -u admin:admin -FprincipalId=test \
   -Fprivilege@jcr:versionManagement=granted -Fprivilege@jcr:read=granted \
   -Fprivilege@jcr:modifyAccessControl=granted \
   -Fprivilege@jcr:nodeTypeManagement=granted -Fprivilege@jcr:write=granted \
   http://localhost:8080/content/pertest.modifyAce.json

 (3) As you can see from the below output, jcr:write is still present under
 denied privileges for test even though I granted all the privileges in
 the previous command
 $ curl -u admin:admin http://localhost:8080/content/pertest.eacl.json

 {"test":{"principal":"test","granted":["jcr:nodeTypeManagement","jcr:versionManagement","jcr:read","jcr:modifyAccessControl"],"denied":["jcr:write"],"order":0},"everyone":{"principal":"everyone","granted":["jcr:read","jcr:readAccessControl"],"order":1},"administrators":{"principal":"administrators","granted":["jcr:all"],"order":2}}

 Initially I thought it's a bug in Jackrabbit, but after getting the
 clarification from Jackrabbit forum, I think it might need to be corrected
 in Sling.

 Here is the link to the question I raised in Jackrabbit forum:


 http://jackrabbit.510166.n4.nabble.com/Bug-or-intended-behavior-getAggregatePrivileges-td4659272.html

 Please advise and let me know, if I need to create a JIRA issue for the
 same



 --
 View this message in context:
 http://apache-sling.73963.n3.nabble.com/Managing-Permissions-using-Sling-tp4026035.html
 Sent from the Sling - Users mailing list archive at Nabble.com.



Re: adding nodes programmatically: Exc

2013-06-02 Thread Eric Norman
The child node created by your addNode(name) call has a node type that does
not declare sling:resourceType as an allowed property for the node.

So you would either need to use the addNode variant (see [1]) that
specifies a primary nodetype for the new node that does allow that
property, or add a mixin type that adds the property declaration.

For example:

//use some primary node type where 'sling:resourceType' is already allowed
node.addNode(name, "nt:unstructured");

or:

//create a child using the default primary node type
Node child = node.addNode(name);
//add mixin type (see [2]) to make sure the 'sling:resourceType' property is allowed
child.addMixin("sling:Resource");


1.
http://www.day.com/maven/jsr170/javadocs/jcr-2.0/javax/jcr/Node.html#addNode(java.lang.String, java.lang.String)
2.
http://www.day.com/maven/jsr170/javadocs/jcr-2.0/javax/jcr/Node.html#addMixin(java.lang.String)



On Sun, Jun 2, 2013 at 9:24 AM, Christian Eugster christian.eugs...@gmx.net
 wrote:

 Hi,

 I checked the internet resources (google, sling website etc) as well as I
 can, but have not found an answer that I could follow to the following
 problem:

 I want to add Nodes to a sling repository by a service component. The
 component references SlingRepository. After getting a Session from
 loginAdministrative (thanks to Bertrand Delacretaz who showed me that way)
 I check if the node in question is already added (parent.hasNode(name)). If
 yes, I get it (getNode(name)), else I add a new node to the parent node with
 addNode(name).

 Because it is content I want to add the sling:resourceType property:

 documentNode.setProperty("sling:resourceType", "thun/documents");

 but get a ConstraintViolationException saying

 no matching property definition found for
 {http://sling.apache.org/jcr/sling/1.0}resourceType

 What am I doing wrong?

 Thank you

 Christian


 --
 
 Christian Eugster
 Grissian 14
 I-39010 Tisens
 0039 0473 420 873
 0041 79 594 85 45
 christian.eugs...@gmx.net



Re: User Management docs

2013-03-21 Thread Eric Norman
See:
http://sling.apache.org/documentation/bundles/managing-users-and-groups-jackrabbit-usermanager.html

That should get you started.

Regards,
Eric


On Thu, Mar 21, 2013 at 9:07 AM, Fabian Christ christ.fab...@googlemail.com
 wrote:

 2013/3/21 Fabian Christ christ.fab...@googlemail.com:
  I am missing
  some overview how users should be managed for a webapp

 But I am still missing some information on user management:

 1) How do I CRUD users stored inside the JCR
 2) How would I manage to CRUD users outside the JCR? (I understand
 that I have to define the ACL for the users still at JCR level)


 --
 Fabian
 http://twitter.com/fctwitt



Re: defining a new primary node type on a fly

2012-10-17 Thread Eric Norman
Well I don't think it is that simple to protect with just ACLs. Unless
things have changed, the jackrabbit ACLs are set at the node level, not the
property level.  If you grant the jcr:modifyProperties privilege to some
user on an unstructured node, then that user now has the ability to create
additional arbitrary properties on that node.  For example, the app may
want to allow a user to edit their own comments to a blog post.  Then that
user could store their mp3 collection on your unstructured node as binary
properties by just using the REST apis provided by sling.

If you use well defined node types, there is more protection against the
above exploit since the set of properties is well known and can have
appropriate constraints set on what is allowed to be stored in each
property.

That's my 2 cents.
-Eric

On Wed, Oct 17, 2012 at 10:00 AM, Alexander Klimetschek
aklim...@adobe.com wrote:

 On 13.10.2012, at 00:37, Eric Norman eric.d.nor...@gmail.com wrote:

  I'd agree that using unstructured types can be useful for prototyping when
  the final structure is changing frequently.  But I would be cautious about
  that approach for a production system.  Unstructured node types can be a
  security hole since anyone with rights to modify properties on an
  unstructured node can add arbitrary garbage to your repository.  Well
  defined node types provide a nice guard against that since unexpected child
  nodes and properties can not be added.

 You should use ACLs for that. Access rights and schema are two different
 things.

 Cheers,
 Alex
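
The contrast drawn in this thread, written out in JCR compact node type definition (CND) notation: the built-in nt:unstructured type as the JCR 2.0 specification defines it, next to a closed type for the blog comment case mentioned above. This is an added example, not taken from the thread or from Sling; the blog namespace, the type name, the property names and the length limit are assumptions.

```cnd
<blog = 'http://example.com/ns/blog/1.0'>

/*
 * For reference only (built in, do not re-register):
 *
 *   [nt:unstructured]
 *     orderable
 *     - * (UNDEFINED) multiple
 *     - * (UNDEFINED)
 *     + * (nt:base) = nt:unstructured sns VERSION
 *
 * The residual "*" definitions accept a property of any name and any type
 * (BINARY included) and child nodes of any name, so jcr:modifyProperties on
 * such a node is enough to store arbitrary data in the repository.
 */

// Hypothetical closed type: only the three named properties are allowed.
// There is no residual "*" property definition and no child node definition,
// so setting any other property or adding a child node fails with a
// ConstraintViolationException, whatever privileges the user holds.
[blog:comment] > nt:base
  - blog:author (STRING) mandatory
  - blog:text (STRING) mandatory < '(?s).{1,4000}'
  - blog:created (DATE) mandatory
```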


Re: Avoiding to show acls, users and groups to anonymous

2012-09-16 Thread Eric Norman
Instead of denying rights to the everyone group, deny rights to the
anonymous principal instead.  Like this:

curl -FprincipalId=anonymous -Fprivilege@jcr:readAccessControl=denied \
  http://admin:admin@localhost:8080/.modifyAce.html

Regards,
Eric

On Sun, Sep 16, 2012 at 11:40 AM, Sandro Boehme sandro.boe...@gmx.de wrote:

 Hello,

 when logged in as anonymous I can see all users, groups and acls with the
 following URLs:
 http://localhost:8080/index.html.eacl.json
 http://localhost:8080/system/userManager/user.tidy.infinity.json
 http://localhost:8080/system/userManager/group.tidy.1.json
 http://localhost:8080/system/userManager/user/admin.tidy.1.json

 I tried to avoid that by denying jcr:readAccessControl to the root node
 with the following statement.
 curl -FprincipalId=everyone -Fprivilege@jcr:readAccessControl=denied \
   http://admin:admin@localhost:8080/.modifyAce.html
 The response was a http 200 status but I can still see the information as
 anonymous. Is there a way to avoid that?

 Best,

 Sandro



Re: Something like a jcr:execute privilege?

2012-09-16 Thread Eric Norman
I usually just do my own access check inside each script that is updating
something using the PrivilegesInfo class (see [1]).

For example, something like this:

<%
   var privilegesInfo = new Packages.org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo();
   if (!privilegesInfo.canModifyProperties(currentNode)) {
       //not allowed, so respond that this page doesn't exist for the current user
       response.sendError(404);
   } else {
%>
TODO: render your page here.
<%
   } /* end else */
%>

1.
http://sling.apache.org/apidocs/sling6/org/apache/sling/jcr/jackrabbit/accessmanager/PrivilegesInfo.html

On Sun, Sep 16, 2012 at 11:41 AM, Sandro Boehme sandro.boe...@gmx.de wrote:

 Hello,

 I understand that I can deny jcr:all for /apps and also for a script path
 that is mounted from a bundle via
 <Sling-Initial-Content>folder/in/bundle;overwrite:=true;path:=/folder/in/resource/tree</Sling-Initial-Content>
 . After that the user will not see the scripts anymore. But if they are
 called to render a resource they are still executed. Is there a way to have
 something like jcr:execute to specify which user are allowed to execute the
 scripts?

 Best,

 Sandro



Re: Sling and html templates?

2012-09-08 Thread Eric Norman
There are probably numerous ways to do that depending on what style of
framework you prefer.  If you want to use simple esp scripts (jsp would be
similar), you can delegate rendering to another script by using the
sling.include(..) techniques.

For example, the usermanager-ui sample (see [1]) has a common page template
script (see [2]).  All the other pages that want to use the same page
shell (i.e [3]) set some request attributes to pass parameters and then
delegate to the common page script to assemble the response output.

1. http://svn.apache.org/viewvc/sling/trunk/samples/usermanager-ui/
2.
http://svn.apache.org/viewvc/sling/trunk/samples/usermanager-ui/src/main/resources/libs/sling/usermgmt/page.html.esp?view=markup
3.
http://svn.apache.org/viewvc/sling/trunk/samples/usermanager-ui/src/main/resources/libs/sling/user/html.esp?view=markup

Regards,
Eric

On Fri, Sep 7, 2012 at 6:50 PM, Günther Schmidt guenther.schm...@kmmd.de wrote:

 Hi,

 I'm just giving Sling another try, as a cms, since I don't want to use
 wordpress, joomla or any of the others.
 Getting the hang of sling is gonna cost me some time in any case but
 there's one thing I'm wondering about upfront:

 Does sling allow to build basic templates, so that I do not need to write
 the main, ie. outer html every time?

 I'd just like to have one single outer html file for let's say a list and
 a detail view.

 Günther



Re: letting resourceSuperType's script to handle the request before/after current script

2012-07-23 Thread Eric Norman
Maybe you can just forward the request and specify a different resourceType?

Something like this:

<sling:forward resource="${resource}" resourceType="sling/servlet/default"/>



On Mon, Jul 23, 2012 at 11:28 AM, sam ” skyn...@gmail.com wrote:

 Hey,

 I have:
 /apps/image/base
 /apps/image/derived/POST.jsp
 /content/image/sling:resourceType = image/derived

 POST /content/image

 is handled by /apps/image/derived/POST.jsp, which is what I want.

 I want POST.jsp  to be same as SlingPostServlet  but add some custom logic
 (read properties from other Resource, transform, and  persist to current
 Node  if criteria is met).

 I tried this in POST.jsp:
 <%
 final SlingRequestProcessor requestProcessor =
 sling.getService(SlingRequestProcessor.class);
 requestProcessor.processRequest(slingRequest, slingResponse,
 resourceResolver);
 %>

 caused infinite recursion and crashed sling instance.

 I tried:
 <%
 final SlingPostServlet postServlet =
 sling.getService(SlingPostServlet.class);
 postServlet.doPost(slingRequest, slingResponse);
 %>

 but .doPost() is protected.



 I don't need to call SlingPostServlet specifically.  I want to have
 resourceSuperType's script to handle request first before my POST.jsp
 handles the request.
 Or, I want POST.jsp  to massage request object  and persist some properties
 to repository before delegating request handling to resourceSuperType.

 Is this possible?



Re: Redirect User after deleting his account.

2012-07-22 Thread Eric Norman
Hi Chris,

I believe you should be able to just redirect to the logout servlet and
pass it the resource you want to go to after the logout is processed.  The
logout servlet will clear out the old auth info and then redirect to your
target resource.

For example, something like this:

response.sendRedirect("/system/sling/logout?resource=/system/sling/login");

Regards,
Eric

On Sat, Jul 21, 2012 at 6:14 PM, Chris Papagrigoriou 
chris.grigori...@googlemail.com wrote:

 Hey there,

 I'm trying to give the user the possibility to delete his own profile. After
 deleting his profile I want to redirect him to the login.html

 When I delete the user in my Servlet though, his session is destroyed and
 response.sendRedirect("login.html"); doesn't work. Instead I get
 redirected to the sling login page saying Invalid Credentials.

 Does anyone know a good way to do this?





Re: securing SlingPostServlet

2012-06-24 Thread Eric Norman
I usually try to avoid using the nt:unstructured node type (and anything
similar) to prevent issues where an authorized user is able to add
unexpected content to the repository.

If you define JCR node types you can explicitly declare what properties and
child nodes are allowed along with some simple constraints.

Then I also usually register a POST servlet for each of the custom JCR node
types that does some pre-validation of the submitted request parameters.
 If any of the validation fails, you can forward back to the original page
to display the validation errors.  If validation passes, you can just
forward the request on to the default sling POST servlet to do the rest of
the work.

Regards,
Eric

On Tue, Jun 12, 2012 at 2:07 AM, Davide getting...@gmail.com wrote:

 On 12/06/2012 07:13, Carsten Ziegeler wrote:
  Another solution is to not rely on the Sling post servlet but write
  special post scripts for the resource types you want to support.

 Thanks everyone for the suggestions.

 My rough idea was to use the JSON import for creating the initial
 structure. Let's call it 1st POST. Then using the
 resourceTypes+selectors+POST to update the already existing structures
 (2nd POSTs).

 About the user having the rights and messing with the data it's always
 possible. I'd just like to reduce the risk of people messing around just
 for fun.

  Btw, I still think that we need something in this area - along with
  better validation. I started a prototype long time ago, but never got
  it to a point to share it. But I plan to have something for the next
  adaptTo in September...

 I'll give a look at all the suggestions but I really think that Sling
 should provide some security mechanism against misusage of PostServlet.

 Cheers
 davide
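
One way to write the per-node-type pre-validation servlet described in the message above, as an added example (not code from the thread or from the Sling project): it rejects every request parameter that is not on an allow-list, which also blocks POST servlet controls such as ":operation", and hands valid requests to the default POST servlet. The resource type example/comment, the field names and the patterns are hypothetical; forcing the resource type sling/servlet/default is an assumption about how the default POST servlet is resolved, and the servlet answers 400 rather than re-rendering the form.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.RequestDispatcher;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.request.RequestDispatcherOptions;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;

/** Handles POSTs to resources of the hypothetical type example/comment. */
@Component(service = Servlet.class, property = {
        "sling.servlet.resourceTypes=example/comment",
        "sling.servlet.methods=POST"
})
public class CommentPostServlet extends SlingAllMethodsServlet {

    private static final long serialVersionUID = 1L;

    // Allow-list: parameter name -> pattern its single value must match.
    private static final Map<String, Pattern> ALLOWED = Map.of(
            "title", Pattern.compile("[\\p{L}\\p{N} .,!?'-]{1,80}"),
            "text", Pattern.compile("(?s).{1,2000}"),
            "rating", Pattern.compile("[1-5]"));

    private static final Set<String> REQUIRED = Set.of("title", "text");

    /** Returns the list of problems; an empty list means the request may be persisted. */
    static List<String> validate(Map<String, String[]> params) {
        List<String> errors = new ArrayList<>();
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            Pattern rule = ALLOWED.get(entry.getKey());
            String[] values = entry.getValue();
            if (rule == null) {
                // Stray property names and controls like ":operation" or
                // "name@TypeHint" all end up here. The name is not echoed back.
                errors.add("unexpected parameter");
            } else if (values.length != 1 || !rule.matcher(values[0]).matches()) {
                errors.add("invalid value for " + entry.getKey());
            }
        }
        for (String name : REQUIRED) {
            if (!params.containsKey(name)) {
                errors.add("missing " + name);
            }
        }
        return errors;
    }

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // getParameterMap() is generic (Map<String, String[]>) from Servlet API 3.0 on.
        List<String> errors = validate(request.getParameterMap());
        if (!errors.isEmpty()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Validation failed (" + errors.size() + " problem(s))");
            return;
        }

        // Force the resource type so that servlet resolution no longer selects
        // this class and the default POST servlet does the actual write.
        // (Assumption: the default POST servlet answers for sling/servlet/default.)
        RequestDispatcherOptions options = new RequestDispatcherOptions();
        options.setForceResourceType("sling/servlet/default");
        RequestDispatcher dispatcher =
                request.getRequestDispatcher(request.getResource(), options);
        if (dispatcher == null) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        dispatcher.forward(request, response);
    }
}
```

The node type definition still has to constrain what can be stored, because other write paths such as WebDAV or direct JCR access do not pass through this servlet.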




Re: SysXML content importer

2012-01-10 Thread Eric Norman
What kind of errors are you seeing?  Is it running out of memory?  Can you
break the import into smaller chunks?

If this is a backup/restore scenario, you may be able to use the guidelines
from jackrabbit to migrate your data.  See
http://wiki.apache.org/jackrabbit/BackupAndMigration

Regards,
Eric

On Thu, Dec 29, 2011 at 1:09 AM, Christian Sprecher kindofw...@gmail.com wrote:

 Hi Eric

 Thanks, it is working. But there still are other problems with importing
 larger datasets via system xml and curl. What is best practise regarding
 importing larger (some megs...) datasets into sling? Should I generate an
 OSGI bundle?

 Cheers

 Chris

 On Wed, Dec 28, 2011 at 11:47 PM, Eric Norman eric.d.nor...@gmail.com
 wrote:

  If I recall correctly, I believe the :contentType value for that system
  view sample file should be jcr.xml instead of xml.
 
  On Wed, Dec 28, 2011 at 12:38 PM, Christian Sprecher
  kindofw...@gmail.com wrote:
 
   Hi all
  
   I am trying to import a JCR System XML (see attached sample.xml), using
   this curl-command:
  
   curl -F:operation=import -F:contentType=xml -F:name=secaudit
   -F:contentFile=@sample.xml http://localhost:8080/test --user admin:admin
  
   (test resource has been created, sample.xml created from launchpad)
  
   This results in an exception:
  
   28.12.2011 21:02:46.199 *ERROR* [0:0:0:0:0:0:0:1 [1325102566157] POST
   /test HTTP/1.1]
   org.apache.sling.servlets.post.impl.operations.ImportOperation Exception
   during response processing. java.lang.NullPointerException
   at org.apache.jackrabbit.core.NodeImpl.resolveRelativePropertyPath(NodeImpl.java:191)
   at org.apache.jackrabbit.core.NodeImpl.hasProperty(NodeImpl.java:2723)
   at org.apache.sling.jcr.contentloader.internal.DefaultContentCreator.createProperty(DefaultContentCreator.java:311)
   at org.apache.sling.jcr.contentloader.internal.readers.XmlReader$PropertyDescription.create(XmlReader.java:456)
   at org.apache.sling.jcr.contentloader.internal.readers.XmlReader.parseInternal(XmlReader.java:271)
   at org.apache.sling.jcr.contentloader.internal.readers.XmlReader.parse(XmlReader.java:185)
   at org.apache.sling.jcr.contentloader.internal.DefaultContentImporter.importContent(DefaultContentImporter.java:108)
   at org.apache.sling.servlets.post.impl.operations.ImportOperation.doRun(ImportOperation.java:150)
   at org.apache.sling.servlets.post.AbstractSlingPostOperation.run(AbstractSlingPostOperation.java:92)
   at org.apache.sling.servlets.post.impl.SlingPostServlet.doPost(SlingPostServlet.java:242)
   
  
   What am I doing wrong here?
  
   Thx in advance
  
   Chris
  
 



Re: SysXML content importer

2011-12-28 Thread Eric Norman
If I recall correctly, I believe the :contentType value for that system
view sample file should be jcr.xml instead of xml.

On Wed, Dec 28, 2011 at 12:38 PM, Christian Sprecher
kindofw...@gmail.com wrote:

 Hi all

 I am trying to import a JCR System XML (see attached sample.xml), using
 this curl-command:

 curl -F:operation=import -F:contentType=xml -F:name=secaudit
 -F:contentFile=@sample.xml http://localhost:8080/test --user admin:admin

 (test resource has been created, sample.xml created from launchpad)

 This results in an exception:

 28.12.2011 21:02:46.199 *ERROR* [0:0:0:0:0:0:0:1 [1325102566157] POST
 /test HTTP/1.1]
 org.apache.sling.servlets.post.impl.operations.ImportOperation Exception
 during response processing. java.lang.NullPointerException
 at org.apache.jackrabbit.core.NodeImpl.resolveRelativePropertyPath(NodeImpl.java:191)
 at org.apache.jackrabbit.core.NodeImpl.hasProperty(NodeImpl.java:2723)
 at org.apache.sling.jcr.contentloader.internal.DefaultContentCreator.createProperty(DefaultContentCreator.java:311)
 at org.apache.sling.jcr.contentloader.internal.readers.XmlReader$PropertyDescription.create(XmlReader.java:456)
 at org.apache.sling.jcr.contentloader.internal.readers.XmlReader.parseInternal(XmlReader.java:271)
 at org.apache.sling.jcr.contentloader.internal.readers.XmlReader.parse(XmlReader.java:185)
 at org.apache.sling.jcr.contentloader.internal.DefaultContentImporter.importContent(DefaultContentImporter.java:108)
 at org.apache.sling.servlets.post.impl.operations.ImportOperation.doRun(ImportOperation.java:150)
 at org.apache.sling.servlets.post.AbstractSlingPostOperation.run(AbstractSlingPostOperation.java:92)
 at org.apache.sling.servlets.post.impl.SlingPostServlet.doPost(SlingPostServlet.java:242)
 

 What am I doing wrong here?

 Thx in advance

 Chris



Re: JsonQueryServlet NullPointerException on Simple XPATH Query

2011-12-05 Thread Eric Norman
Hi Roger,

For your reference, the discussion related to discouraging the query
servlet is at [1].  So basically the query servlet has been moved to a
compatibility bundle that will not be installed by default, but if you
really need it you can still install it.

Allowing the full query string to be supplied as a request parameter can be
easily abused to do denial-of-service or unintended information
disclosure attacks.

1. http://markmail.org/message/sxurvywelnyt3ntz


On Mon, Dec 5, 2011 at 5:21 PM, Roger Reed rogerr...@yahoo.com wrote:

 Thanks for pointing me to the related JIRA ticket.

 I'm assuming the get servlets are still safe to use, and those are the only
 available servlets that come with the default Sling install.

 Are there any plans to add a working query servlet?  I think a query
 servlet
 with the ability to output entire nodes' as JSON, and not just the path,
 would be very useful.


 On 12/4/11 12:20 PM, Eric Norman eric.d.nor...@gmail.com wrote:

  Per SLING-2226 (see [1] )  usage of the JsonQueryServlet is discouraged.
 
  As to the cause of this NPE, I believe [2] is the revision of that class
  that you are using.  On line 193 of that file where the NPE was thrown, it
  looks like either the row returned by the query was null or the row didn't
  have a 'jcr:path' column value for some reason.  You may be able to tell
  for sure by attaching a java debugger to the sling process.
 
  I also see some code changes for SLING-1533 [3] that injects the 'jcr:path'
  if it is missing from the column list, so perhaps your problem is related
  to what that was fixing.
 
  1. https://issues.apache.org/jira/browse/SLING-2226
  2.
  http://svn.apache.org/viewvc/sling/trunk/bundles/servlets/get/src/main/java/org/apache/sling/servlets/get/impl/JsonQueryServlet.java?revision=983310&view=markup&pathrev=983310
  3.
  https://fisheye6.atlassian.com/viewrep/sling/trunk/bundles/jcr/resource/src/main/java/org/apache/sling/jcr/resource/internal/JcrResourceResolver.java?r1=1131133&r2=1131257
 
  On Fri, Dec 2, 2011 at 5:52 PM, Roger Reed rogerr...@yahoo.com wrote:
 
  Hello,
 
  I'm getting a NullPointerException when executing a simple XPATH query via
  the JsonQueryServlet.  How stable is the JsonQueryServlet?  I'm using the
  servlet in version 6 WAR.  This does work fine when I have different/less
  data in the repository.
 
  Thanks,
 
  Roger
 
 
 
 
  http://localhost:7070/sling/content.query.json?queryType=xpath&statement=//*[@jcr:primaryType='test:imageReference']
 
  java.lang.NullPointerException
  at org.apache.sling.servlets.get.impl.JsonQueryServlet.dumpResult(JsonQueryServlet.java:193)
  at org.apache.sling.servlets.get.impl.JsonQueryServlet.doGet(JsonQueryServlet.java:106)
  at org.apache.sling.api.servlets.SlingSafeMethodsServlet.mayService(SlingSafeMethodsServlet.java:268)
  at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:344)
  at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:375)
  at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:529)
  at org.apache.sling.engine.impl.SlingRequestProcessorImpl.processComponent(SlingRequestProcessorImpl.java:274)
  at org.apache.sling.engine.impl.filter.RequestSlingFilterChain.render(RequestSlingFilterChain.java:49)
  at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:64)
  at org.apache.sling.engine.impl.debug.RequestProgressTrackerLogFilter.doFilter(RequestProgressTrackerLogFilter.java:59)
  at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:60)
  at org.apache.sling.engine.impl.SlingRequestProcessorImpl.processRequest(SlingRequestProcessorImpl.java:161)
  at org.apache.sling.engine.impl.SlingMainServlet.service(SlingMainServlet.java:183)
  at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:96)
  at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:79)
  at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:42)
  at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:49)
  at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33)
  at org.apache.felix.http.base.internal.dispatch.FilterPipeline.dispatch(FilterPipeline.java:48)
  at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:39)
  at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:67)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:820

Re: JsonQueryServlet NullPointerException on Simple XPATH Query

2011-12-04 Thread Eric Norman
Per SLING-2226 (see [1] )  usage of the JsonQueryServlet is discouraged.

As to the cause of this NPE, I believe [2] is the revision of that class
that you are using.  On line 193 of that file where the NPE was thrown, it
looks like either the row returned by the query was null or the row didn't
have a 'jcr:path' column value for some reason.  You may be able to tell
for sure by attaching a java debugger to the sling process.

I also see some code changes for SLING-1533 [3] that injects the 'jcr:path'
if it is missing from the column list, so perhaps your problem is related
to what that was fixing.

1. https://issues.apache.org/jira/browse/SLING-2226
2.
http://svn.apache.org/viewvc/sling/trunk/bundles/servlets/get/src/main/java/org/apache/sling/servlets/get/impl/JsonQueryServlet.java?revision=983310&view=markup&pathrev=983310
3.
https://fisheye6.atlassian.com/viewrep/sling/trunk/bundles/jcr/resource/src/main/java/org/apache/sling/jcr/resource/internal/JcrResourceResolver.java?r1=1131133&r2=1131257

On Fri, Dec 2, 2011 at 5:52 PM, Roger Reed rogerr...@yahoo.com wrote:

 Hello,

 I'm getting a NullPointerException when executing a simple XPATH query via
 the JsonQueryServlet.  How stable is the JsonQueryServlet?  I'm using the
 servlet in version 6 WAR.  This does work fine when I have different/less
 data in the repository.

 Thanks,

 Roger



 http://localhost:7070/sling/content.query.json?queryType=xpath&statement=//*[@jcr:primaryType='test:imageReference']

 java.lang.NullPointerException
 at org.apache.sling.servlets.get.impl.JsonQueryServlet.dumpResult(JsonQueryServlet.java:193)
 at org.apache.sling.servlets.get.impl.JsonQueryServlet.doGet(JsonQueryServlet.java:106)
 at org.apache.sling.api.servlets.SlingSafeMethodsServlet.mayService(SlingSafeMethodsServlet.java:268)
 at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:344)
 at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:375)
 at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:529)
 at org.apache.sling.engine.impl.SlingRequestProcessorImpl.processComponent(SlingRequestProcessorImpl.java:274)
 at org.apache.sling.engine.impl.filter.RequestSlingFilterChain.render(RequestSlingFilterChain.java:49)
 at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:64)
 at org.apache.sling.engine.impl.debug.RequestProgressTrackerLogFilter.doFilter(RequestProgressTrackerLogFilter.java:59)
 at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:60)
 at org.apache.sling.engine.impl.SlingRequestProcessorImpl.processRequest(SlingRequestProcessorImpl.java:161)
 at org.apache.sling.engine.impl.SlingMainServlet.service(SlingMainServlet.java:183)
 at org.apache.felix.http.base.internal.handler.ServletHandler.doHandle(ServletHandler.java:96)
 at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:79)
 at org.apache.felix.http.base.internal.dispatch.ServletPipeline.handle(ServletPipeline.java:42)
 at org.apache.felix.http.base.internal.dispatch.InvocationFilterChain.doFilter(InvocationFilterChain.java:49)
 at org.apache.felix.http.base.internal.dispatch.HttpFilterChain.doFilter(HttpFilterChain.java:33)
 at org.apache.felix.http.base.internal.dispatch.FilterPipeline.dispatch(FilterPipeline.java:48)
 at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:39)
 at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:67)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
 at org.apache.felix.http.proxy.ProxyServlet.service(ProxyServlet.java:60)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
 at org.apache.sling.launchpad.base.webapp.SlingServletDelegate.service(SlingServletDelegate.java:277)
 at org.apache.sling.launchpad.webapp.SlingServlet.service(SlingServlet.java:148)
 at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
 at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
 at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
 at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
 at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3498)
 at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
 at weblogic.security.service.SecurityManager.runAs(Unknown Source)
 at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)
at

 

Re: Regarding user manager sample UI compatibility

2011-08-09 Thread Eric Norman
Hi Anuj,

The sling jackrabbit server bundle was updated to use jackrabbit 2.2.5 for
SLING-2044 https://issues.apache.org/jira/browse/SLING-2044  which is
scheduled to be released in version 2.1.2 of that bundle.

Since it is not yet a released bundle, you could try building it locally
and use the local snapshot build of the bundle.

Regards,
Eric


On Sun, Aug 7, 2011 at 7:27 AM, Anuj Kumar anujs...@gmail.com wrote:

 Hello Everyone,

 I was trying to install sample user manager UI provided under the samples of
 the Sling trunk. I get this error when I try to install the bundle-

 (org.osgi.framework.BundleException: Unresolved constraint in bundle
 org.apache.sling.samples.usermanager.ui [81]: Unable to resolve 81.0:
 missing requirement [81.0] package;
 ((package=org.apache.jackrabbit.api.security.user)(version=2.2.0)))
 org.osgi.framework.BundleException: Unresolved constraint in bundle
 org.apache.sling.samples.usermanager.ui [81]: Unable to resolve 81.0:
 missing requirement [81.0] package;
 ((package=org.apache.jackrabbit.api.security.user)(version=2.2.0))
 at org.apache.felix.framework.Felix.resolveBundle(Felix.java:3443)
 at org.apache.felix.framework.Felix.startBundle(Felix.java:1727)
 at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:922)
 at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:909)
 at org.apache.felix.webconsole.internal.core.InstallHelper.doRun(InstallHelper.java:67)
 at org.apache.felix.webconsole.internal.core.BaseUpdateInstallHelper.doRun(BaseUpdateInstallHelper.java:89)
 at org.apache.felix.webconsole.internal.core.BaseUpdateInstallHelper.run(BaseUpdateInstallHelper.java:121)
 at java.lang.Thread.run(Thread.java:679)

 I understand that it is not able to find the required version 2.2.0 of
 Jackrabbit. This is required for the Query class that is not available with
 the 2.1.1 Jackrabbit bundle provided with the sling installation. So, if
 anyone has tried installing it before, please let me know the correct way of
 resolving this issue?

 Is there a bundle available for Jackrabbit 2.2.0?

 Thanks for your help,
 Anuj



Re: creating or giving users full write access?

2011-07-27 Thread Eric Norman
Hi Craig,

The permissions in the jackrabbit implementation are inherited from the
parent, so if you grant the permissions at the root or some other parent
folder, it applies to the children as well.

A quick way to see what privileges are in effect for a node is to view the
effective permissions json as described at [1]

1.
http://sling.apache.org/site/managing-permissions-jackrabbitaccessmanager.html

Regards,
Eric

On Wed, Jul 27, 2011 at 10:17 AM, Craig Ganoe cga...@psu.edu wrote:


 I did look at that page which seems to suggest that I would need to
 individually set permissions for each and every node. That isn't what I
 want, unless child nodes inherit parent permissions.

 I did the list users on the page I linked and even the admin user does
 not seem to be a member of anything. Is there a group that has full write
 access by default that I could add the users to?


 On Jul 27, 2011, at 12:39 PM, Julian Sedding wrote:

  Hi Craig

 Your newly created user probably doesn't have any permissions and
 is not in a group from which it could inherit permissions. Did you see
 the documentation about managing permissions[0] in Sling?

 Regards
 Julian

 [0] http://sling.apache.org/site/managing-permissions-jackrabbitaccessmanager.html




 On Wed, Jul 27, 2011 at 6:33 PM, Craig Ganoe cga...@psu.edu wrote:


 How can I create a user that has full write access (including adding nodes
 and modifying their properties)?

 I followed the instructions here under Create user:
 http://sling.apache.org/site/managing-users-and-groups-jackrabbitusermanager.html

 But the users I create using the instructions seem to have read-only access.
 I even tried adding -u admin:admin to the curl command which seemed to let
 me get around the Self-Registration Enabled setting (I was hoping this would
 make the accounts non-anonymous), but they still end up with read-only
 access.

 The Jackrabbit docs talk about 3 classes of users: anonymous, normal and
 system the latter 2 of which have full read/write, but I don't see anywhere
 there about how to control that either.

 Sorry if this is already explained somewhere that I'm missing. Thanks!

 Craig







Re: Reset user pwd

2011-05-18 Thread Eric Norman
Hi Markus,

I just added some services for usermanager and accessmanager that mirror the
functionality of the REST operations to resolve SLING-2083 and SLING-1555.

Please try it out when you get a chance to verify that it is sufficient to
solve your use case.

Regards,
Eric

On Sat, May 7, 2011 at 11:29 AM, Eric Norman eric.d.nor...@gmail.com wrote:

 Hi Markus,

 Yes, that is a good point.  I was reviewing the open issues and it looks
 like we already have an issue 
 (SLING-1555 https://issues.apache.org/jira/browse/SLING-1555)
 requesting OSGi services for the user management actions.

 Of course, patches are welcome to add this functionality.  If no one else
 gets to it, I can take a look when I get some free time.

 Regards,
 Eric

 On Sun, May 1, 2011 at 11:56 PM, Markus Joschko 
 markus.josc...@gmail.com wrote:

 Hi Eric,

 this sounds great but is already quite specific and has to deal with
 quite some configuration.
 (mailserver configuration, mail templates (maybe localized etc))

 I think it would be sufficient to extract a password service which is
 available in the osgi environment
 and allows other components to request a pw change.

 The applications are then free to build their own PW reset workflow
 while the configuration for the PW reset (digest etc)
 is still kept in one place.

 WDYT?

 Regards,
  Markus

 On Sat, Apr 30, 2011 at 9:05 PM, Eric Norman eric.d.nor...@gmail.com
 wrote:
  Hi Markus,
 
  Yes, you are right, the existing usermgmt bundle doesn't handle that use
  case.
 
  We could probably add that feature to the usermgmt bundle with a patch and a
  new release of the usermgmt bundle.
 
  To reset the password in a secure way, I am thinking of something like this:
 
    1. A new RequestResetPwd servlet generates some random reset pwd token
    (that expires after n days) when invoked.  Then it sends an email to the
    user with a link containing the token.
    2. The target user gets the reset pwd email and clicks the link contained
    in it.
    3. A sling script handles the link request, validates the reset pwd token
    and, if valid, displays a form where the user can enter a new password.
    4. A POST from the form in #3 targets a new ResetPwdWithToken servlet
    that validates the reset pwd token again and then assigns the new password
    and removes the reset pwd token so it can not be used again.
 
  Does that look ok?
 
  Regards,
  Eric
 
  On Sat, Apr 30, 2011 at 6:46 AM, Markus Joschko 
 markus.josc...@gmail.com wrote:
 
  Hi,
  I am currently developing an UI for the sling usermgmt and found that
  I can't realize a common use case:
  - PW reset (manually by admin or automatically by user)
 
  The old PW is always required but in the given use case it is most
  likely that the PW is no longer available.
  I would implement this on my own but the only two ways I see seem to
  be suboptimal:
  1) Create a new overwritePW which accepts only requests from admins.
  However as I can not extend AbstractUserPostServlet
from my code, I have no access to the digestPassword method and
  would have to copy code and even worse make sure, that the digest
  algorithm
is then always configured the same on the create user? servlet and
  the overwritePW servlet which is suboptimal.
  2) Create a filter to provide the oldPW automatically to the changePW
  servlet in case an admin overwrites a PW.
 That won't work with the CryptedSimpleCredentials I guess.
 
  So I am stuck. How to realize PW reset?
 
  Thanks,
   Markus
 
 





Re: Reset user pwd

2011-05-07 Thread Eric Norman
Hi Markus,

Yes, that is a good point.  I was reviewing the open issues and it looks
like we already have an issue
(SLING-1555 https://issues.apache.org/jira/browse/SLING-1555)
requesting OSGi services for the user management actions.

Of course, patches are welcome to add this functionality.  If no one else
gets to it, I can take a look when I get some free time.

Regards,
Eric

On Sun, May 1, 2011 at 11:56 PM, Markus Joschko markus.josc...@gmail.com wrote:

 Hi Eric,

 this sounds great but is already quite specific and has to deal with
 quite some configuration.
 (mailserver configuration, mail templates (maybe localized etc))

 I think it would be sufficient to extract a password service which is
 available in the osgi environment
 and allows other components to request a pw change.

 The applications are then free to build their own PW reset workflow
 while the configuration for the PW reset (digest etc)
 is still kept in one place.

 WDYT?

 Regards,
  Markus

 On Sat, Apr 30, 2011 at 9:05 PM, Eric Norman eric.d.nor...@gmail.com
 wrote:
  Hi Markus,
 
  Yes, you are right, the existing usermgmt bundle doesn't handle that use
  case.
 
  We could probably add that feature to the usermgmt bundle with a patch and a
  new release of the usermgmt bundle.
 
  To reset the password in a secure way, I am thinking of something like this:
 
    1. A new RequestResetPwd servlet generates some random reset pwd token
    (that expires after n days) when invoked.  Then it sends an email to the
    user with a link containing the token.
    2. The target user gets the reset pwd email and clicks the link contained
    in it.
    3. A sling script handles the link request, validates the reset pwd token
    and, if valid, displays a form where the user can enter a new password.
    4. A POST from the form in #3 targets a new ResetPwdWithToken servlet
    that validates the reset pwd token again and then assigns the new password
    and removes the reset pwd token so it can not be used again.
 
  Does that look ok?
 
  Regards,
  Eric
 
  On Sat, Apr 30, 2011 at 6:46 AM, Markus Joschko 
 markus.josc...@gmail.com wrote:
 
  Hi,
  I am currently developing an UI for the sling usermgmt and found that
  I can't realize a common use case:
  - PW reset (manually by admin or automatically by user)
 
  The old PW is always required but in the given use case it is most
  likely that the PW is no longer available.
  I would implement this on my own but the only two ways I see seem to
  be suboptimal:
  1) Create a new overwritePW which accepts only requests from admins.
  However as I can not extend AbstractUserPostServlet
from my code, I have no access to the digestPassword method and
  would have to copy code and even worse make sure, that the digest
  algorithm
is then always configured the same on the create user? servlet and
  the overwritePW servlet which is suboptimal.
  2) Create a filter to provide the oldPW automatically to the changePW
  servlet in case an admin overwrites a PW.
 That won't work with the CryptedSimpleCredentials I guess.
 
  So I am stuck. How to realize PW reset?
 
  Thanks,
   Markus
 
 



Re: Creating usersgroups

2011-05-02 Thread Eric Norman
Hi Markus,

Thanks for reporting your findings.  My quick take is: no, that is not on
purpose.  It looks like a bug to me. Please file a new issue in jira.

I can try to take a look at it later today or tomorrow.

Regards,
Eric

On Mon, May 2, 2011 at 2:38 AM, Markus Joschko markus.josc...@gmail.com wrote:

 I have to correct myself:
 It works fine for GroupAdmin. Users in this group can create/modify groups.
 However users being in the group UserAdmin can't create new users.
 Is this by purpose?

 Regards,
  MArkus

 On Mon, May 2, 2011 at 11:27 AM, Markus Joschko
 markus.josc...@gmail.com wrote:
  As I am currently implementing an UI for usermgmt I stumbled upon the
  fact, that only THE admin user can create users and groups.
  Is that true?
  As there are UserAdmin and GroupAdmin groups I always assumed, that
  all users belonging to one of these groups
  can administer them.
  However that doesn't seem to be the case.
 
  What are these groups then for?
  Would it be worthwhile to delegate mgmt of users and groups to these
 groups?
 
  Regards,
   Markus
 



Re: Reset user pwd

2011-04-30 Thread Eric Norman
Hi Markus,

Yes, you are right, the existing usermgmt bundle doesn't handle that use
case.

We could probably add that feature to the usermgmt bundle with a patch and a
new release of the usermgmt bundle.

To reset the password in a secure way, I am thinking of something like this:

   1. A new RequestResetPwd servlet generates some random reset pwd token
   (that expires after n days) when invoked.  Then it sends an email to the
   user with a link containing the token.
   2. The target user gets the reset pwd email and clicks the link contained
   in it.
   3. A sling script handles the link request, validates the reset pwd token
   and, if valid, displays a form where the user can enter a new password.
   4. A POST from the form in #3 targets a new ResetPwdWithToken servlet
   that validates the reset pwd token again and then assigns the new password
   and removes the reset pwd token so it can not be used again.

Does that look ok?

Regards,
Eric

On Sat, Apr 30, 2011 at 6:46 AM, Markus Joschko markus.josc...@gmail.com wrote:

 Hi,
 I am currently developing an UI for the sling usermgmt and found that
 I can't realize a common use case:
 - PW reset (manually by admin or automatically by user)

 The old PW is always required but in the given use case it is most
 likely that the PW is no longer available.
 I would implement this on my own but the only two ways I see seem to
 be suboptimal:
 1) Create a new overwritePW which accepts only requests from admins.
 However as I can not extend AbstractUserPostServlet
   from my code, I have no access to the digestPassword method and
 would have to copy code and even worse make sure, that the digest
 algorithm
   is then always configured the same on the create user? servlet and
 the overwritePW servlet which is suboptimal.
 2) Create a filter to provide the oldPW automatically to the changePW
 servlet in case an admin overwrites a PW.
That won't work with the CryptedSimpleCredentials I guess.

 So I am stuck. How to realize PW reset?

 Thanks,
  Markus



Re: Reset user pwd

2011-04-30 Thread Eric Norman
One more thing.  It probably makes sense to allow the admin user (or group)
to use the existing 'changePassword' servlet without supplying the old
password.  Can you file a new bug report for that?

Regards,
Eric

On Sat, Apr 30, 2011 at 12:05 PM, Eric Norman eric.d.nor...@gmail.com wrote:

 Hi Markus,

 Yes, you are right, the existing usermgmt bundle doesn't handle that use
 case.

 We could probably add that feature to the usermgmt bundle with a patch and
 a new release of the usermgmt bundle.

 To reset the password in a secure way, I am thinking of something like
 this:

1. A new RequestResetPwd servlet generates some random reset pwd token
(that expires after n days) when invoked.  Then it sends an email to the
user with a link containing the token.
2. The target user gets the reset pwd email and clicks the link
contained in it.
3. A sling script handles the link request, validates the reset pwd
token and, if valid, displays a form where the user can enter a new
password.
4. A POST from the form in #3 targets a new ResetPwdWithToken servlet
that validates the reset pwd token again and then assigns the new password
and removes the reset pwd token so it can not be used again.

 Does that look ok?

 Regards,
 Eric

 On Sat, Apr 30, 2011 at 6:46 AM, Markus Joschko
 markus.josc...@gmail.com wrote:

 Hi,
 I am currently developing a UI for the sling usermgmt and found that
 I can't realize a common use case:
 - PW reset (manually by admin or automatically by user)

 The old PW is always required but in the given use case it is most
 likely that the PW is no longer available.
 I would implement this on my own but the only two ways I see seem to
 be suboptimal:
 1) Create a new overwritePW which accepts only requests from admins.
 However as I can not extend AbstractUserPostServlet
   from my code, I have no access to the digestPassword method and
 would have to copy code and even worse make sure, that the digest
 algorithm
   is then always configured the same on the create user? servlet and
 the overwritePW servlet which is suboptimal.
 2) Create a filter to provide the oldPW automatically to the changePW
 servlet in case an admin overwrites a PW.
That won't work with the CryptedSimpleCredentials I guess.

 So I am stuck. How to realize PW reset?

 Thanks,
  Markus
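
The token handling in steps 1 to 4 of the reset flow proposed in this thread, as an added example that is not part of the original messages or of the usermgmt bundle. It is plain JDK code; the class and method names, the in-memory store and the one-day lifetime are assumptions, and mail delivery and the password change itself are left to the caller.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added sketch; all names are hypothetical, not usermgmt bundle APIs. */
public class ResetTokenSketch {
    record Pending(String userId, Instant expires) {}

    private static final SecureRandom RNG = new SecureRandom();
    // Keyed by SHA-256 of the token, so a leaked store does not yield usable links.
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();
    private final Duration ttl;

    ResetTokenSketch(Duration ttl) { this.ttl = ttl; }

    static String sha256(String token) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(d);
    }

    /** Step 1: issue a 256-bit URL-safe token; the caller mails the link. */
    String issue(String userId, Instant now) throws Exception {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.values().removeIf(p -> p.userId().equals(userId)); // one live token per user
        pending.put(sha256(token), new Pending(userId, now.plus(ttl)));
        return token;
    }

    /** Step 3: validate without consuming; returns the user id, or null if invalid. */
    String validate(String token, Instant now) throws Exception {
        Pending p = pending.get(sha256(token));
        return (p != null && now.isBefore(p.expires())) ? p.userId() : null;
    }

    /** Step 4: validate again and consume in one atomic remove, so a token works once. */
    String redeem(String token, Instant now) throws Exception {
        Pending p = pending.remove(sha256(token));
        return (p != null && now.isBefore(p.expires())) ? p.userId() : null;
    }

    public static void main(String[] args) throws Exception {
        ResetTokenSketch svc = new ResetTokenSketch(Duration.ofDays(1)); // constructed lifetime
        Instant t0 = Instant.parse("2011-04-30T12:00:00Z");              // constructed clock
        String token = svc.issue("markus", t0);
        System.out.println("form shown for: " + svc.validate(token, t0.plusSeconds(60)));
        System.out.println("password set for: " + svc.redeem(token, t0.plusSeconds(120)));
        System.out.println("replay of used token: " + svc.redeem(token, t0.plusSeconds(180)));
        String late = svc.issue("markus", t0);
        System.out.println("after expiry: " + svc.redeem(late, t0.plus(Duration.ofDays(2))));
    }
}
```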





Re: upgrading to Jackrabbit 2.2.5

2011-03-31 Thread Eric Norman
Hi All,

I found a use case where I could also use an upgrade to jackrabbit 2.2.5 to
utilize some changes in user/group management.  I filed JIRA
issue SLING-2044 for tracking and will attempt the upgrade today.

Regards,
Eric

On Fri, Mar 25, 2011 at 8:23 AM, Justin Edelson jus...@justinedelson.com wrote:

 On Fri, Mar 25, 2011 at 9:03 AM, Ian Boston i...@tfd.co.uk wrote:
 
  On 25 Mar 2011, at 12:54, Justin Edelson wrote:
 
 
 
  On Mar 24, 2011, at 5:06 PM, Ian Boston i...@tfd.co.uk wrote:
 
 
  On 24 Mar 2011, at 20:44, Craig Ganoe wrote:
 
 
  Is there any documentation for upgrading the jackrabbit version in the
 Sling build?
 
  AFAIK, there is not.
  Ian
 
  There is, in a sense. Look at JIRA and Subversion and you'll see the
 exact set of changes made for prior upgrades.
 
  good point,
 
 
 https://issues.apache.org/jira/browse/SLING-1660?page=com.atlassian.jira.plugin.ext.subversion%3Asubversion-commits-tabpanel#issue-tabs
 
  http://svn.apache.org/viewvc?view=revision&revision=987559
 
  was that the right issue ?

 SLING-1531 too...

 
  Ian
 
 
 
  Justin
 
 
  Thanks.
 
  Craig
 
 
 
 



Re: User managment

2010-08-11 Thread Eric Norman
I added SLING-1642 for tracking and changed the default (+fixed the affected
integration tests) in revision 984646.

Please verify when you get a chance.

Regards,
Eric

On Wed, Aug 11, 2010 at 6:18 AM, Felix Meschberger fmesc...@gmail.com wrote:

 +1 (and yes, don't care for backwards compatibility here. Security is
 more important)

 Regards
 Felix

 On 11.08.2010 09:15, Mike Müller wrote:
  Hi
 
  Wouldn't it be safer if this feature is turned off by default?
 
  best regards
  mike
 
  -Original Message-
  From: Eric Norman [mailto:eric.d.nor...@gmail.com]
  Sent: Wednesday, August 11, 2010 2:57 AM
  To: users@sling.apache.org
  Subject: Re: User managment
 
 
  Hi Tony,
 
  Looks to me like you have discovered a bug.  The self-reg
  enabled flag is
  not handled correctly when activating the component.
 
  I filed a new bug report
  (SLING-1639, https://issues.apache.org/jira/browse/SLING-1639)
  to track the defect and I will fix it now.
 
  Regards,
  -Eric
 
  On Tue, Aug 10, 2010 at 11:08 AM, Tony Giaccone
  t...@giaccone.org wrote:
 
 
  I'm reading from the Sling web site:
 
  The jackrabbit-usermanager bundle delivers a REST
  interface to create,
  update and delete users
 
  And I have been able to successfully add a user, by
  executing the following
  curl cmnd.
 
  curl -F:name=reader -Fpwd=ourReader -FpwdConfirm=ourReader \
       -Fdesc="Read only access" \
       http://localhost:8080/sling/system/userManager/user.create.html
 
  Except that it seems that anyone at any time can post to
  this URL and
  create a user.
 
 
  So I looked at the configuration for that bundle and found
  a checkbox
  labeled:
 
  Self-Registration Enabled
 
 When selected, the anonymous user is allowed to
  register a new user
  with the system. (self.registration.enabled)
 
 
  And that checkbox was checked. So it seems that I should be
  able to uncheck
  that box and prevent anonymous user creation.
 
  However, it doesn't work. I can still create new users as anonymous.
 
  What am I doing wrong?
 
 
  Tony
 
 




Re: Created node property

2010-08-10 Thread Eric Norman
Hi Federico,

No, the 'created' property is not an implicit property of every node.  The
form that creates the blog post in the espblog sample has a hidden input
field that adds the created property.  The value of the 'created' property
is auto-generated by sling.  The documentation could probably be enhanced to
make that more clear.

See line 88 of this script:
http://svn.apache.org/viewvc/sling/trunk/samples/espblog/src/main/resources/initial-content/apps/espblog/edit.esp?revision=949738&view=markup

Regards,
Eric

On Tue, Aug 10, 2010 at 7:58 AM, Federico Paparoni 
federico.papar...@gmail.com wrote:

 Hi all,

 I see from the espblog example that when there is a query among all nodes, the
 results are ordered by created property descending

 var query =
 queryManager.createQuery("/jcr:root/content/espblog/posts/element(*,
 nt:unstructured) order by @created descending", "xpath");

 Is this an implicit property of every node?
 I don't see it using a JCR browser.
 If it isn't, how is it created in the espblog example?

 Bye,

 --
 Federico



Re: ESP again...

2010-08-05 Thread Eric Norman
I think in your case the code would look something like this:

   <% var items = currentNode.lineItems; %>
   <% var nodeIterator = items.nodes; %>
   <% while (nodeIterator.hasNext()) %>
   <% { %>
   <%    var itemNode = nodeIterator.nextNode(); %>
   <%= itemNode.itemDescr %>
   <% } %>
   <b> End of loop</b><br/>


On Thu, Aug 5, 2010 at 9:28 PM, Tony Giaccone t...@giaccone.org wrote:

 Justin,

 Not that I'm trying to be intentionally dense, but... when i google JCR API
 NodeIterator I get a bunch of references to java.jcr classes, which clearly
 aren't going to work in the esp transform.

 Is there a javascript/esp version of the jcr API?

 Or are you telling me I need to use  java/jsp pages?


 Tony




 On Aug 5, 2010, at 10:03 PM, Justin Edelson wrote:

  Not being purposely vague here (am away from a computer and don't have
 the syntax memorized), but... You need to use the JCR API. Something like
 getting a NodeIterator and using the typical hasNext() and nextNode()
 methods.
 
  On Aug 5, 2010, at 7:47 PM, Tony Giaccone t...@giaccone.org wrote:
 
 
 
 
  So I'm trying to get the data in the lineItems.
 
  Here's the XML fragment
 
  <lineItems jcr:primaryType="sling:OrderedFolder"
      jcr:created="2010-08-02T19:54:57.329-04:00" jcr:createdBy="admin">
    <_x0031_ jcr:primaryType="nt:unstructured" lineItemSeq="1" itemId="55"
        itemDescr="Item selected to purchase"
        sling:resourceType="mll/item/lineItems"/>
 
 
  I tried this:
 
 
  <% var items = currentNode.lineItems; %>
  <% for (var i = 0;i<items.length;i++) %>
  <% { %>
  <%= currentNode.lineItems[i].itemDescr %>
  <% } %>
  <b> End of loop</b><br/>
 
  And get this message:
 
  TypeError: Cannot read property shortDescr from undefined
 
 
 
 
 
  So I change it to this:
 
  <% var items = currentNode.lineItems; %>
  <% for (var i = 0;i<items.length;i++) %>
  <% { %>
  <%= currentNode.lineItems[i] %>
  <% } %>
  <b> End of loop</b><br/>
 
  This is what I get..
  undefined End of loop
 
  Change the code to this:
 
  <% var items = currentNode.lineItems; %>
  <% for (var i = 0;i<items.length;i++) %>
  <% { %>
  <%= currentNode.lineItems %>
  <% } %>
  <b> End of loop</b><br/>
 
  And I get this:
 
  content/Documents/2008/1155383/Order/2_1280793297315/lineItems
  End of loop
 
  I'm guessing I need to do something to load that node(?) into the page?
 
 
  Tony




Re: XPATH Child query

2010-07-29 Thread Eric Norman
Hi Federico,

I believe the following query would do what you are asking for.  The xpath
query uses the // abbreviation for the descendant-or-self axis.

var query =
queryManager.createQuery("/jcr:root/content/david//element(*,
nt:unstructured) order by @created descending", "xpath");

Regards,
-Eric

On Thu, Jul 29, 2010 at 8:01 AM, Federico Paparoni 
federico.papar...@gmail.com wrote:

 2010/7/29 Federico Paparoni federico.papar...@gmail.com

  Hi all,
 
  I easily put my contents under path like this
  http://localhost:8080/content/david/2010/07/25/example.html
 
  but I don't really understand how can I create a query to search a
 property
  on all the children of my application root node.
  I tried some XPATH queries but probably there is something I don't
  understand.
  Can someone help me with this issue?
 
  Bye
 
  --
  Federico
 


 I solved the issue using the next query

 var query =
 queryManager.createQuery("/jcr:root/content/david/*/*/*/element(*,
 nt:unstructured) order by @created descending", "xpath");

 because all my nodes are like /YEAR/MONTH/DAY/entry. But If I want to make
 a
 full search on every children?

 --
 Federico



Re: Creating a file

2010-07-29 Thread Eric Norman
Hi Audrey,
It looks ok to me.  Did you call session.save() at the end?

On Jul 29, 2010 10:03 AM, Audrey Colbrant audrey.colbr...@inria.fr
wrote:

Hi,

I am trying to create a file from server side following some examples, but
no way, the file is not created.
I have had a look to server logs but I don't find any error and the source
code is not throwing anything.

Here the piece of code:
   Node root = session.getRootNode();
   Node userRoute = root.getNode("content/myProjectNode");

   Node fileNode = userRoute.addNode("myFile.gpx", "nt:file");
   Node resNode = fileNode.addNode("jcr:content", "nt:resource");

   resNode.setProperty("jcr:mimeType", "text/xml");
   resNode.setProperty("jcr:encoding", "UTF-8");

   resNode.setProperty("jcr:lastModified", Calendar.getInstance().getTimeInMillis());
   resNode.setProperty("jcr:data", new ByteArrayInputStream(myString.getBytes()));

Does anybody find something wrong?

Thanks in advance,

Audrey


Re: How to implement 'everyone-except' access control in Jackrabbit 2.0

2010-03-25 Thread Eric Norman
Thanks Ray,

I've committed the fix in r927532.

I updated the AccessControlUtil.replaceAccessControlEntry(..) API to take an
additional 'order' parameter which is used to ensure the added/updated ACE
is placed at the specified position in the ACL.  Also, the ModifyAceServlet
also looks for the 'order' request parameter when modifying an ACE via
http.  I've outlined the possible values of the 'order' parameter on the
wiki for the jackrabbit.accessmanager bundle at [1].

Please review the changes when you have time to verify it works as expected.

[1]
http://cwiki.apache.org/SLINGxSITE/managing-permissions-jackrabbitaccessmanager.html

Regards,
Eric

On Tue, Mar 23, 2010 at 11:30 AM, Ray Davis r...@media.berkeley.edu wrote:

 Thanks, Eric. I'm going to be unavailable for the rest of this week, but I
 would love to contribute to the effort next week if possible.

 Best,
 Ray


 On 3/23/10 8:54 AM, Eric Norman wrote:

 Hi Ray,

 Thanks for providing this good information.  I'm replying to the sling
 users
 mailing list to continue discussion about how this information affects
 sling.

 Since the order of the ACEs is important in resolving the access control
 in
 jackrabbit, we need to make sure that the sling jackrabbit.accessmanager
 bundle does the following:

 1. Preserves the order of the ACEs when merging changes (during import and
 via the ModifyAceServlet). see
 SLING-1457 (https://issues.apache.org/jira/browse/SLING-1457)

 2. Contains a mechanism to re-order the ACEs in the access control list
 (during import and via a new RESTful servlet). see
 SLING-1458 (https://issues.apache.org/jira/browse/SLING-1458)


 I have filed issues in jira to address those two items (see
 SLING-1457 (https://issues.apache.org/jira/browse/SLING-1457)
  and SLING-1458 (https://issues.apache.org/jira/browse/SLING-1458)).


 Regards,
 -Eric

 On Mon, Mar 22, 2010 at 9:52 AM, Ray Davis r...@media.berkeley.edu
  wrote:

  (This isn't a question -- just wanted to document it in case it helps
 anyone else or in case I got something badly wrong.)

 It's not uncommon to want to restrict a resource's access to only a
 specific set of groups or users. For example, we might want the resource
 tree rooted at /marketing_dept to be mostly traversable by the general
 public but /marketing_dept/budget.pdf to only be readable by members of
 the marketing.department Principal.

 The default resource AccessControlList provider in Jackrabbit 2 enables
 this, but you have to be aware that its AccessControlEntry resolves
 potential conflicts in an ordered fashion:

 - More recent User ACEs override earlier User ACEs.
 - Any User ACEs override any Group ACEs.
 - More recent Group ACEs override earlier Group ACEs.

 Thus, to get the desired access control for /marketing_dept/budget.pdf,
 its ACL could be created as follows:

 Privilege[] readPrivs =
     {accessControlManager.privilegeFromName(Privilege.JCR_READ)};

 jackrabbitAccessControlList.addEntry(
     principalManager.getPrincipal(SecurityConstants.ANONYMOUS_ID), readPrivs, false);
 jackrabbitAccessControlList.addEntry(principalManager.getEveryone(),
     readPrivs, false);
 jackrabbitAccessControlList.addEntry(
     principalManager.getPrincipal("marketing.department"), readPrivs, true);

 If instead the everyone ACE appeared last in the ACL, it would block
 read
 access by members of the marketing.department (since they are also
 members
 of everyone).

 Best,
 Ray
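
Why the position of the everyone entry matters, as an added example that is not part of the original thread and not Jackrabbit's own evaluator. It is a small model of the three ordering rules stated in the message above; the class, the record, the users "alice" and "bob", and the rule that no matching entry means no access are assumptions made for the illustration.

```java
import java.util.List;
import java.util.Set;

/** Added model of the ordering rules in the thread; names are hypothetical. */
public class AceOrderSketch {
    record Ace(String principal, boolean isGroup, boolean allow) {}

    /** Resolves read access for one user from an ordered ACL (index 0 was added first). */
    static boolean canRead(List<Ace> acl, String user, Set<String> groups) {
        Boolean userDecision = null;
        Boolean groupDecision = null;
        for (Ace ace : acl) { // a later entry overrides an earlier one of the same kind
            if (!ace.isGroup() && ace.principal().equals(user)) userDecision = ace.allow();
            if (ace.isGroup() && groups.contains(ace.principal())) groupDecision = ace.allow();
        }
        if (userDecision != null) return userDecision;  // any user ACE beats any group ACE
        return groupDecision != null && groupDecision;  // assumption: no match, no access
    }

    public static void main(String[] args) {
        // Order used in the message: deny anonymous, deny everyone, allow marketing.department.
        List<Ace> asPosted = List.of(
            new Ace("anonymous", false, false),
            new Ace("everyone", true, false),
            new Ace("marketing.department", true, true));
        // Same entries, but with the everyone deny added last.
        List<Ace> everyoneLast = List.of(
            new Ace("anonymous", false, false),
            new Ace("marketing.department", true, true),
            new Ace("everyone", true, false));

        Set<String> marketer = Set.of("everyone", "marketing.department"); // groups of "alice"
        Set<String> visitor = Set.of("everyone");                           // groups of "bob"

        System.out.println("alice, as posted:     " + canRead(asPosted, "alice", marketer));
        System.out.println("bob, as posted:       " + canRead(asPosted, "bob", visitor));
        System.out.println("anonymous, as posted: " + canRead(asPosted, "anonymous", visitor));
        System.out.println("alice, everyone last: " + canRead(everyoneLast, "alice", marketer));
    }
}
```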






Re: Using a mysql db in sling trunk

2010-03-17 Thread Eric Norman
We should probably add optional imports for all the common jdbc drivers to
the embedded server bundle so updating/rebuilding it would not be
necessary.  Would you mind filing a new issue in JIRA for tracking?

Thanks,
Eric

On Mar 17, 2010 3:44 PM, Michael Yin yincr...@gmail.com wrote:

I rebuilt the embedded server jar with an optional import for
com.mysql.jdbc, and that seemed to have done the trick.


On Wed, Mar 17, 2010 at 5:56 PM, Michael Yin yincr...@gmail.com wrote:

 I am trying to use the ...