Hi Lance,

I think a better practice is to register your servlet with a resource type instead of path. For this you can use either sling.servlet.resourceType property or a newer SlingServlet annotation with resourceType property [1]. Then create a JCR node with sling:resourceType property referencing the above resource type. This way you can create resources anywhere in the resource tree and manage ACLs at any level your application requires.

The thing you should understand is that, unlike most traditional web application frameworks, in Sling a URL does not normally point to some script that knows where to find data and how to render it. Instead, try to always think of creating a web object (aka resource in Sling) and Sling will automatically know how to render it via sling:resourceType + URL selectors + extension + prefix. To me this actually feels more RESTful since a URI addressable resource is the central concept. But, I think, for many developers new to Sling this is the main Sling paradigm they need to understand. After they do, things become a lot easier.

I am planning to provide a simple example as Bertrand asked. I just haven’t had time today. But, I believe if you browse around Sling source repo you should find some existing examples.

[1] https://sling.apache.org/documentation/the-sling-engine/servlets.html

Henry

> On Jan 30, 2017, at 11:37 AM, lancedolan <lance.do...@gmail.com> wrote:
>
> I guess, even if we use SlingSafeMethodsServlet and request parameter, I
> still have this problem of securing the servlet... I've put a servlet at
> paths = "/myservice/image", and created a node at /myservice with an ACL
> that denies jcr:all to everyone and anonymous, and yet anonymous can still
> GET /myservice/image. It seems authentication still succeeds, as my Servlet
> can see the user ID on the request, but the authorization via Effective
> Policies isn't happening.
>
> --
> View this message in context:
> http://apache-sling.73963.n3.nabble.com/How-to-create-Rest-APIs-for-non-JCR-data-in-Sling-8-tp4069947p4069998.html
> Sent from the Sling - Users mailing list archive at Nabble.com.