[
https://issues.apache.org/jira/browse/SLING-5135?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bertrand Delacretaz updated SLING-5135:
---------------------------------------
Attachment: SLING-5135.patch
I have attached a new SLING-5135.patch including a default configuration that
whitelists bundles that currently require loginAdmin and are included in the
Sling Launchpad, as discussed on our dev list at
https://lists.apache.org/thread.html/5e47be07292b1d2eee8625ed2d27103c588a4b2b82ce5a3031cd0723@%3Cdev.sling.apache.org%3E
Also introduced a whitelist regexp configuration parameter, that's needed when
running tests with Pax Exam for example which generates bundles with
semi-random bundle symbolic names using a common prefix. That parameter is
meant for testing and logs the following warning:
{code}
*WARN* [OsgiInstallerImpl]
org.apache.sling.jcr.base.internal.LoginAdminWhitelistImpl A whitelist.regexp
is configured, this is NOT RECOMMENDED for production: <configured regexp here>
{code}
All tests pass with this patch applied to the current trunk.
@asanso, could you have a look before I commit this?
> Whitelist legit usages of loginAdministrative and administrative
> ResourceResolver
> ---------------------------------------------------------------------------------
>
> Key: SLING-5135
> URL: https://issues.apache.org/jira/browse/SLING-5135
> Project: Sling
> Issue Type: Bug
> Components: JCR
> Reporter: Antonio Sanso
> Assignee: Bertrand Delacretaz
> Attachments: SLING-5135.patch, SLING-5135.patch
>
>
> {{AbstractSlingRepositoryManager}} contains a method that disables
> loginAdministrative support
> {code}
> /**
> * Returns whether to disable the
> * {@code SlingRepository.loginAdministrative} method or not.
> *
> * @return {@code true} if {@code SlingRepository.loginAdministrative} is
> * disabled.
> */
> public final boolean isDisableLoginAdministrative()
> {code}
> This is a global configuration. It would be nice to have an extension of such a
> mechanism that contains a white list of (few) legit usages of
> {{loginAdministrative}}
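As an added illustration (not code from the attached patch or from Sling's LoginAdminWhitelistImpl), the following sketch shows a deny-by-default check that combines an exact list of bundle symbolic names with an optional regexp and logs the warning quoted above when the regexp is set. The class name, method name and sample bundle names are assumptions made for this example.

```java
import java.util.Set;
import java.util.logging.Logger;
import java.util.regex.Pattern;

/** Hypothetical sketch of a loginAdministrative whitelist; not Sling's implementation. */
public class AdminLoginWhitelist {
    private static final Logger LOG = Logger.getLogger(AdminLoginWhitelist.class.getName());

    private final Set<String> exactNames; // bundle symbolic names allowed by configuration
    private final Pattern regexp;         // optional, meant for test setups only; may be null

    public AdminLoginWhitelist(Set<String> exactNames, String regexp) {
        this.exactNames = Set.copyOf(exactNames);
        if (regexp == null || regexp.isEmpty()) {
            this.regexp = null;
        } else {
            this.regexp = Pattern.compile(regexp);
            // Make the weaker setting visible in the logs, as the message above describes.
            LOG.warning("A whitelist.regexp is configured, this is NOT RECOMMENDED for production: "
                    + regexp);
        }
    }

    /** Deny by default: only an exact name or a full regexp match is allowed. */
    public boolean allowsAdminLogin(String bundleSymbolicName) {
        if (bundleSymbolicName == null) {
            return false;
        }
        if (exactNames.contains(bundleSymbolicName)) {
            return true;
        }
        // matches() anchors at both ends; find() would also accept a name that
        // merely contains the test prefix somewhere in the middle.
        return regexp != null && regexp.matcher(bundleSymbolicName).matches();
    }

    public static void main(String[] args) {
        // Constructed sample names, not the Launchpad default list.
        AdminLoginWhitelist whitelist = new AdminLoginWhitelist(
                Set.of("org.example.legit.bundle"), "PAXEXAM-PROBE-.*");
        String[] candidates = {
            "org.example.legit.bundle", // exact match: allowed
            "PAXEXAM-PROBE-3f9a",       // regexp match: allowed
            "org.example.other",        // not listed: denied
            "x.PAXEXAM-PROBE-3f9a"      // prefix not at start: denied
        };
        for (String name : candidates) {
            System.out.println(name + " -> " + whitelist.allowsAdminLogin(name));
        }
    }
}
```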