Author: buildbot
Date: Wed Apr 5 14:51:07 2017
New Revision: 1009864

Log:
Staging update by buildbot for sling

Modified: websites/staging/sling/trunk/content/ (props changed) websites/staging/sling/trunk/content/documentation/the-sling-engine/service-authentication.html Propchange: websites/staging/sling/trunk/content/ ------------------------------------------------------------------------------ --- cms:source-revision (original) +++ cms:source-revision Wed Apr 5 14:51:07 2017 @@ -1 +1 @@ -1790270 +1790285 Modified: websites/staging/sling/trunk/content/documentation/the-sling-engine/service-authentication.html ============================================================================== --- websites/staging/sling/trunk/content/documentation/the-sling-engine/service-authentication.html (original) +++ websites/staging/sling/trunk/content/documentation/the-sling-engine/service-authentication.html Wed Apr 5 14:51:07 2017 @@ -132,7 +132,10 @@ h2:hover > .headerlink, h3:hover > .head <li><a href="#service-user-mappings">Service User Mappings</a></li> </ul> </li> -<li><a href="#deprecation-of-administrative-authentication">Deprecation of administrative authentication</a></li> +<li><a href="#deprecation-of-administrative-authentication">Deprecation of administrative authentication</a><ul> +<li><a href="#whitelisting-bundles-for-administrative-login">Whitelisting bundles for administrative login</a></li> +</ul> +</li> </ul> </div> <h2 id="problem">Problem<a class="headerlink" href="#problem" title="Permanent link">¶</a></h2> 
@@ -281,8 +284,94 @@ in the near future. But there will be a support for these methods: If the method is disabled, a <code>LoginException</code> is always thrown from these methods. The JavaDoc of the methods is extended with this information.</p> +<h3 id="whitelisting-bundles-for-administrative-login">Whitelisting bundles for administrative login<a class="headerlink" href="#whitelisting-bundles-for-administrative-login" title="Permanent link">¶</a></h3> +<p>In order to be able to manage few (hopefully legit) uses of the above deprecated +methods, a whitelisting mechanism was introduced.</p> +<p>The recommended way to whitelist a bundle for administrative login is via a +<em>whitelist fragment configuration</em> is recommended. It can be created as an OSGi factory +configuration with the factoryPID <code>org.apache.sling.jcr.base.internal.LoginAdminWhitelist.fragment</code>. +E.g. a typical configuration file might be called +<code>org.apache.sling.jcr.base.internal.LoginAdminWhitelist.fragment-myapp.config</code> +and could look as follows: </p> +<div class="codehilite"><pre><span class="n">whitelist</span><span class="p">.</span><span class="n">name</span><span class="p">=</span>"<span class="n">myapp</span>" +<span class="n">whitelist</span><span class="p">.</span><span class="n">bundles</span><span class="p">=[</span> + "<span class="n">com</span><span class="p">.</span><span class="n">myapp</span><span class="p">.</span><span class="n">core</span>"<span class="p">,</span> + "<span class="n">com</span><span class="p">.</span><span class="n">myapp</span><span class="p">.</span><span class="n">commons</span>" +<span class="p">]</span> +</pre></div> + + +<table class="table"> +<thead> +<tr> +<th>Property</th> +<th>Type</th> +<th>Default</th> +<th>Description</th> +</tr> +</thead> +<tbody> +<tr> +<td><code>whitelist.name</code></td> +<td>String</td> +<td>"[unnamed]"</td> +<td>Purely informational property that allows easy identification of different fragments.</td> 
+</tr> +<tr> +<td><code>whitelist.bundles</code></td> +<td>String[]</td> +<td>[]</td> +<td>An array of bundle symbolic names that should be allowed to make use of the administrative login functionality.</td> +</tr> +</tbody> +</table> +<p>All configured whitelist fragments are taken into account. This makes +it easy to separate whitelists for different application layers and +purposes.</p> +<p>For example, some Sling bundles need to be whitelisted, which +could be done in a whitelist fragment named <code>sling</code>. In addition <code>myapp</code> +adds a whitelist fragment called <code>myapp</code>. For integration tests and +additional whitelist fragment <code>myapp-integration-testing</code> may be added.</p> +<p>Furthermore, there is a global configuration, which should +only be used in exceptional cases. It has a switch to turn administrative +login on globally (<code>whitelist.bypass</code>) and it allows supplying a regular +expression to whitelist matching bundle symbolic names (<code>whitelist.bundles.regexp</code>).</p> +<p>The regular expression is most useful for running PaxExam based tests, where +bundle symbolic names follow a set pattern but have randomly generated parts.</p> +<p>Example: to whitelist all bundles generated by PaxExam a configuration file named <code>org.apache.sling.jcr.base.internal.LoginAdminWhitelist.config</code> might look as follows:</p> +<div class="codehilite"><pre><span class="n">whitelist</span><span class="p">.</span><span class="n">bypass</span><span class="p">=</span><span class="n">B</span>"<span class="n">false</span>" +<span class="n">whitelist</span><span class="p">.</span><span class="n">bundles</span><span class="p">.</span><span class="n">regexp</span><span class="p">=</span>"^<span class="n">PAXEXAM</span><span class="o">.*</span>$" +</pre></div> + + +<p>The configuration PID is PID <code>org.apache.sling.jcr.base.internal.LoginAdminWhitelist</code>. 
+It supports the following configuration properties.</p> +<table class="table"> +<thead> +<tr> +<th>Property</th> +<th>Type</th> +<th>Default</th> +<th>Description</th> +</tr> +</thead> +<tbody> +<tr> +<td><code>whitelist.bypass</code></td> +<td>Boolean</td> +<td>false</td> +<td>Allow all bundles to use administrative login. This is <strong>NOT</strong> recommended for production and warnings will be logged.</td> +</tr> +<tr> +<td><code>whitelist.bundles.regexp</code></td> +<td>String</td> +<td>""</td> +<td>A regular expression that whitelists all matching bundle symbolic names. This is <strong>NOT</strong> recommended for production and warnings will be logged.</td> +</tr> +</tbody> +</table> <div class="timestamp" style="margin-top: 30px; font-size: 80%; text-align: right;"> - Rev. 1784705 by kwin on Tue, 28 Feb 2017 09:28:03 +0000 + Rev. 1790285 by jsedding on Wed, 5 Apr 2017 14:50:52 +0000 </div> <div class="trademarkFooter"> Apache Sling, Sling, Apache, the Apache feather logo, and the Apache Sling project
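
Review bot: In the new "Whitelisting bundles for administrative login" section (hunk @@ -281,8 +284,94 @@), the explicit caution for whitelist.bypass and whitelist.bundles.regexp ("NOT recommended for production and warnings will be logged") appears only in the last property table, after the copyable example with whitelist.bundles.regexp="^PAXEXAM.*$". The prose before the example says only "exceptional cases", so a reader who stops at the example misses the production warning. Suggest moving the sentence naming the configuration PID and its property table above the example, or repeating the caveat in the paragraph that introduces the example. The section also never says what a bundle that is not whitelisted gets when it calls the deprecated methods. The context line above mentions a LoginException only for the case where the method is disabled, so one sentence on the non-whitelisted case would close that gap. Wording to fix in the same hunk: "The recommended way to whitelist a bundle ... is via a whitelist fragment configuration is recommended" repeats "is recommended"; "manage few (hopefully legit) uses" should read "manage the few"; "For integration tests and additional whitelist fragment" should read "an additional"; and "The configuration PID is PID" repeats "PID".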