Robert Munteanu commented on SLING-5135:

I think it would be useful to have a configuration option which instead of 
replacing the default bundle list adds to it.

My reasoning is that when configuring the whitelist on a custom setup you need to:

# look at the code (and you need to know where the default whitelisted bundles are defined)
# transform the default bundle list into the provisioning model format
# append the new bundle to the config
# create a new config for the {{org.apache.sling.jcr.base.internal.LoginAdminWhitelistImpl}} component

With the 'append' property exposed a user only needs to do steps 3 and 4, which is a 
definite improvement. I fear that if it's too complicated users will simply 
re-enable loginAdministrative or use an unsafe regular expression.

> Whitelist legit usages of loginAdministrative and administrative 
> ResourceResolver
> ---------------------------------------------------------------------------------
>                 Key: SLING-5135
>                 URL: https://issues.apache.org/jira/browse/SLING-5135
>             Project: Sling
>          Issue Type: Bug
>          Components: JCR
>            Reporter: Antonio Sanso
>            Assignee: Bertrand Delacretaz
>         Attachments: SLING-5135.patch, SLING-5135.patch
> {{AbstractSlingRepositoryManager}} contains a method that disables 
> loginAdministrative support
> {code}
>     /**
>      * Returns whether to disable the
>      * {@code SlingRepository.loginAdministrative} method or not.
>      *
>      * @return {@code true} if {@code SlingRepository.loginAdministrative} is
>      *         disabled.
>      */
>     public final boolean isDisableLoginAdministrative() 
> {code}
> This is a global configuration. It would be nice to have an extension of such a 
> mechanism that contains a white list of (a few) legitimate usages of 
> {{loginAdministrative}}

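The replace-versus-append behaviour that the comment argues about, as an added illustration that is not code from Sling or from the issue's patch. It models a whitelist component with a hard-coded default bundle list, a configured list, the proposed 'append' flag and an optional regexp fallback; the class name, the `append` flag, the bundle symbolic names and the regexp property are all assumptions, not the real `LoginAdminWhitelistImpl` configuration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hypothetical model of a loginAdministrative whitelist decision.
 * Not the Sling implementation; names and semantics are assumptions
 * chosen to show why "replace" and "append" differ for the operator.
 */
public final class LoginAdminWhitelistExample {

    private final Set<String> allowed = new HashSet<>();
    private final Pattern regexp; // null when no regexp fallback is configured

    /**
     * @param defaults   bundles whitelisted out of the box (assumed to be
     *                   hard-coded in the component, as the comment describes)
     * @param configured bundles taken from the operator's configuration
     * @param append     proposed option: true adds 'configured' to 'defaults',
     *                   false lets 'configured' replace 'defaults' entirely
     * @param regexp     optional regexp fallback, may be null
     */
    public LoginAdminWhitelistExample(Set<String> defaults, Set<String> configured,
                                      boolean append, String regexp) {
        if (append) {
            allowed.addAll(defaults);
        }
        allowed.addAll(configured);
        this.regexp = regexp == null ? null : Pattern.compile(regexp);
    }

    /** True if the bundle may call loginAdministrative under this whitelist. */
    public boolean allowLoginAdministrative(String bundleSymbolicName) {
        if (allowed.contains(bundleSymbolicName)) {
            return true;
        }
        return regexp != null && regexp.matcher(bundleSymbolicName).matches();
    }

    public static void main(String[] args) {
        // Constructed sample data: two placeholder default bundles and one custom bundle.
        Set<String> defaults = new HashSet<>(Arrays.asList(
                "org.example.default.bundle1", "org.example.default.bundle2"));
        Set<String> custom = Collections.singleton("com.example.mybundle");

        // Replace semantics (current behaviour): an operator who only lists the
        // new bundle silently drops the defaults, which is what forces steps 1 and 2.
        LoginAdminWhitelistExample replace =
                new LoginAdminWhitelistExample(defaults, custom, false, null);
        System.out.println("replace: default bundle allowed = "
                + replace.allowLoginAdministrative("org.example.default.bundle1"));
        System.out.println("replace: custom bundle allowed  = "
                + replace.allowLoginAdministrative("com.example.mybundle"));

        // Append semantics (proposed 'append' option): defaults survive and only
        // the new bundle has to be configured (steps 3 and 4 of the comment).
        LoginAdminWhitelistExample append =
                new LoginAdminWhitelistExample(defaults, custom, true, null);
        System.out.println("append: default bundle allowed  = "
                + append.allowLoginAdministrative("org.example.default.bundle1"));
        System.out.println("append: custom bundle allowed   = "
                + append.allowLoginAdministrative("com.example.mybundle"));

        // The shortcut the comment fears: a match-everything regexp makes the
        // whitelist equivalent to re-enabling loginAdministrative globally.
        LoginAdminWhitelistExample unsafe =
                new LoginAdminWhitelistExample(defaults, Collections.<String>emptySet(), false, ".*");
        System.out.println("unsafe regexp: arbitrary bundle allowed = "
                + unsafe.allowLoginAdministrative("com.attacker.anything"));
    }
}
```

Running the class prints, for each of the three configurations, whether a default bundle, the custom bundle and an arbitrary bundle are allowed; the point is that with replace semantics the default bundle is denied unless the operator copied the default list by hand, while `".*"` as a fallback allows every bundle.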