[
https://issues.apache.org/jira/browse/SLING-2870?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13659335#comment-13659335
]
Carsten Ziegeler commented on SLING-2870:
-----------------------------------------
I don't think this is clearer: we have a default configuration, so as soon as
you hit the switch you would have to change the default configuration. If you
disable regexp you might have to change the values back.
Now, either proposal has two properties; while Mike's adds a dependency between
the two props, mine keeps them separate. I personally think having independent
properties is easier to understand :)
> Support allowed hosts patterns in ReferrerFilter
> ------------------------------------------------
>
> Key: SLING-2870
> URL: https://issues.apache.org/jira/browse/SLING-2870
> Project: Sling
> Issue Type: Improvement
> Components: Extensions
> Affects Versions: Security 1.0.2
> Reporter: Timothee Maret
> Attachments: SLING-2870.patch
>
>
> The current "allow.hosts" setting of the ReferrerFilter can be configured
> with a list of trusted hosts.
> In a setup where the list of allowed hosts is expanding as the application
> runs, it becomes tricky to keep the configuration in sync.
> As an example, a service which supports wildcard URIs such as
> {{<userId>.my.service.com}} would be required to modify the reference filter
> configuration for each user, which is hardly doable.
> Thus, I would propose to support regex patterns for the list of
> "allow.hosts", which would still be secure.
> The example above would be configured as: {{allow.hosts=(.*).my.service.com}}
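An added example, not part of the issue or of Sling's code: a small Java check of how the pattern quoted in the description behaves under java.util.regex, next to a variant with escaped dots. The class name, the escaped pattern and the sample Referer values are assumptions of this example; this message does not say whether ReferrerFilter matches the whole host or a substring, so both modes are shown.

```java
import java.net.URI;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

public class AllowHostsPatternCheck {

    // Pattern exactly as written in the issue description: the dots are unescaped.
    static final Pattern AS_WRITTEN = Pattern.compile("(.*).my.service.com");
    // Variant assumed by this example: literal dots, a single DNS label for the user id.
    static final Pattern ESCAPED = Pattern.compile("[a-z0-9-]+\\.my\\.service\\.com");

    // Extract the lower-cased host from a Referer value; null when missing or unparsable.
    static String refererHost(String referer) {
        try {
            String host = URI.create(referer).getHost();
            return host == null ? null : host.toLowerCase(Locale.ROOT);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    // Whole-string match: the pattern must cover the entire host.
    static boolean allowedFull(Pattern p, String host) {
        return host != null && p.matcher(host).matches();
    }

    // Substring match: included only to make the difference from matches() visible.
    static boolean allowedPartial(Pattern p, String host) {
        return host != null && p.matcher(host).find();
    }

    public static void main(String[] args) {
        // Constructed Referer values, not taken from the issue.
        List<String> referers = List.of(
            "https://alice.my.service.com/page",
            "https://alice-my.service.com/page",
            "https://alice.my.service.com.other.example/page",
            "https://my.service.com/page");
        for (String r : referers) {
            String h = refererHost(r);
            System.out.printf("%-40s written/full=%-5b written/partial=%-5b escaped/full=%b%n",
                h, allowedFull(AS_WRITTEN, h), allowedPartial(AS_WRITTEN, h),
                allowedFull(ESCAPED, h));
        }
    }
}
```

Running a candidate `allow.hosts` pattern through a table like this before deploying it shows which hosts it accepts beyond the intended `<userId>.my.service.com` form.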