[ https://issues.apache.org/jira/browse/SLING-5135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15466994#comment-15466994 ]
Bertrand Delacretaz commented on SLING-5135:
--------------------------------------------
You're right that this might break some things in
{{org.apache.sling.resourceresolver}}, at least the
{{ResourceResolverWebConsolePlugin}}.
Apart from that I suppose calls to
{{ResourceResolverFactory.getAdministrativeResourceResolver}} ultimately end up
in a call to {{loginAdministrative}} which is subject to the whitelist? I'd
need to dig deeper to confirm.
At this point we might commit this, adding
{{org.apache.sling.resourceresolver}} to the default whitelist, and create a
distinct ticket for implementing a similar mechanism for
{{ResourceResolverFactory.getAdministrativeResourceResolver}}. But I won't have
time to work on the latter in the next few weeks, so I'm not sure if it's a
good idea to leave this half-finished in this way, unless someone can pick that
up.
bq. Do we want an extra boolean config that says {{enableWhiteList}}?
{{LoginAdminWhitelistImpl}} has a {{whitelist.bypass}} configuration parameter
that completely bypasses the whitelist; I suppose that's what you mean?
> Whitelist legit usages of loginAdministrative and administrative
> ResourceResolver
> ---------------------------------------------------------------------------------
>
> Key: SLING-5135
> URL: https://issues.apache.org/jira/browse/SLING-5135
> Project: Sling
> Issue Type: Bug
> Components: JCR
> Reporter: Antonio Sanso
> Assignee: Bertrand Delacretaz
> Attachments: SLING-5135.patch, SLING-5135.patch
>
>
> {{AbstractSlingRepositoryManager}} contains a method that disables
> loginAdministrative support
> {code}
> /**
> * Returns whether to disable the
> * {@code SlingRepository.loginAdministrative} method or not.
> *
> * @return {@code true} if {@code SlingRepository.loginAdministrative} is
> * disabled.
> */
> public final boolean isDisableLoginAdministrative()
> {code}
> This is a global configuration. It would be nice to have an extension of such
> a mechanism that contains a whitelist of the (few) legitimate usages of
> {{loginAdministrative}}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
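The thread above discusses three settings that interact: the global disable flag exposed by {{isDisableLoginAdministrative()}}, a per-caller whitelist, and a {{whitelist.bypass}} switch that turns the whitelist off. The following Java sketch is an added illustration of how those settings can be combined into one decision; it is not code from the Sling project or from the commenters. The class name, the {{Config}} fields, the precedence between the flags, and the use of the OSGi bundle symbolic name as the caller identity are all assumptions made for the example.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical whitelist for loginAdministrative callers, modelled on the
 * discussion in SLING-5135. This is NOT Sling's LoginAdminWhitelistImpl;
 * names, fields and precedence rules are assumptions for the example.
 */
public final class LoginAdminWhitelistExample {

    /** The three settings named in the ticket discussion (field names assumed). */
    public static final class Config {
        final boolean disableLoginAdministrative; // global switch: deny every caller
        final boolean bypass;                     // assumed analogue of whitelist.bypass: allow every caller
        final Set<String> allowedBundles;         // bundle symbolic names permitted to log in as admin

        Config(boolean disableLoginAdministrative, boolean bypass, Set<String> allowedBundles) {
            this.disableLoginAdministrative = disableLoginAdministrative;
            this.bypass = bypass;
            this.allowedBundles = Collections.unmodifiableSet(new HashSet<>(allowedBundles));
        }
    }

    private final Config config;

    public LoginAdminWhitelistExample(Config config) {
        this.config = config;
    }

    /**
     * Decides whether the given bundle may call loginAdministrative.
     * Assumed precedence: a global disable wins over everything, then a
     * bypass allows any caller, otherwise the whitelist is consulted.
     */
    public boolean allowLoginAdministrative(String bundleSymbolicName) {
        if (config.disableLoginAdministrative) {
            return false;
        }
        if (config.bypass) {
            return true; // least safe setting: every bundle gets an admin session
        }
        return bundleSymbolicName != null && config.allowedBundles.contains(bundleSymbolicName);
    }

    /** Models the repository side: refuses instead of handing out an admin session. */
    public void checkedLoginAdministrative(String bundleSymbolicName) {
        if (!allowLoginAdministrative(bundleSymbolicName)) {
            throw new SecurityException("loginAdministrative denied for bundle " + bundleSymbolicName);
        }
        // A real implementation would create and return the administrative session here.
    }

    public static void main(String[] args) {
        // Constructed sample whitelist; org.apache.sling.resourceresolver is the bundle
        // the comment above proposes to add to the default whitelist.
        Set<String> defaults = new HashSet<>();
        defaults.add("org.apache.sling.resourceresolver");

        LoginAdminWhitelistExample strict =
                new LoginAdminWhitelistExample(new Config(false, false, defaults));
        System.out.println("whitelisted bundle: "
                + strict.allowLoginAdministrative("org.apache.sling.resourceresolver"));
        System.out.println("unlisted bundle:    "
                + strict.allowLoginAdministrative("com.example.thirdparty"));

        LoginAdminWhitelistExample bypass =
                new LoginAdminWhitelistExample(new Config(false, true, Collections.emptySet()));
        System.out.println("unlisted, bypass on: "
                + bypass.allowLoginAdministrative("com.example.thirdparty"));

        LoginAdminWhitelistExample disabled =
                new LoginAdminWhitelistExample(new Config(true, true, defaults));
        System.out.println("whitelisted, globally disabled: "
                + disabled.allowLoginAdministrative("org.apache.sling.resourceresolver"));
    }
}
```

The point of the sketch is the review question it makes visible: with the bypass setting on, the whitelist contributes nothing and every bundle can obtain an administrative session, so a configuration audit should treat {{whitelist.bypass}} (or whatever the real switch is called) the same way it treats the global disable flag being off. It also shows why the comment worries about {{ResourceResolverFactory.getAdministrativeResourceResolver}}: a second entry point that does not pass through this decision leaves the whitelist incomplete.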