I guess, even if we use SlingSafeMethodsServlet and request parameter, I still have this problem of securing the servlet... I've put a servlet at paths = "/myservice/image" , and created a node at /myservice with an ACL that denies jcr: all to everyone and anonymous, and yet anonymous can still GET /myservice/image. It seems authentication still succeeds, as my Servlet can see the user ID on the request, but the authorization via Effective Policies isn't happening.
-- View this message in context: http://apache-sling.73963.n3.nabble.com/How-to-create-Rest-APIs-for-non-JCR-data-in-Sling-8-tp4069947p4069998.html Sent from the Sling - Users mailing list archive at Nabble.com.