[
https://issues.apache.org/jira/browse/SLING-6130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15612627#comment-15612627
]
Oliver Lietz commented on SLING-6130:
-------------------------------------
Requesting the manually started instance at http://localhost:8080 results in:
{noformat}
Forbidden (403)
The requested URL / resulted in an error in
org.apache.sling.servlets.get.DefaultGetServlet.
Request Progress:
0 TIMER_START{Request Processing}
3 COMMENT timer_end format is {<elapsed microseconds>,<timer name>}
<optional message>
12 LOG Method=GET, PathInfo=null
24 TIMER_START{handleSecurity}
1634 TIMER_END{1607,handleSecurity} authenticator
org.apache.sling.auth.core.impl.SlingAuthenticator@781504be returns true
1862 TIMER_START{ResourceResolution}
2217 TIMER_END{353,ResourceResolution} URI=/ resolves to
Resource=JcrNodeResource, type=sling:OrderedFolder, superType=null,
path=/content
2228 LOG Resource Path Info: SlingRequestPathInfo: path='/content',
selectorString='null', extension='null', suffix='/'
2228 TIMER_START{ServletResolution}
2233 TIMER_START{resolveServlet(/content)}
2255 TIMER_END{21,resolveServlet(/content)} Using servlet
org.apache.sling.servlets.get.DefaultGetServlet
2260 TIMER_END{31,ServletResolution} URI=/ handled by
Servlet=org.apache.sling.servlets.get.DefaultGetServlet
2265 LOG Applying Requestfilters
2273 LOG Calling filter: org.apache.sling.i18n.impl.I18NFilter
2279 LOG Calling filter:
org.apache.sling.engine.impl.debug.RequestProgressTrackerLogFilter
2283 LOG Applying Componentfilters
2293 TIMER_START{org.apache.sling.servlets.get.DefaultGetServlet#0}
2320 LOG Using
org.apache.sling.servlets.get.impl.helpers.StreamRendererServlet to render for
extension=null
2358 LOG Applying Error filters
2364 LOG Calling filter: org.apache.sling.i18n.impl.I18NFilter
2369 TIMER_START{handleError:status=403}
2541 TIMER_END{171,handleError:status=403} Using handler
org.apache.sling.servlets.resolver.internal.defaults.DefaultErrorHandlerServlet
3066 TIMER_END{3064,Request Processing} Dumping SlingRequestProgressTracker
Entries
{noformat}
> Restrict access for principal everyone and move configuration to repoinit
> -------------------------------------------------------------------------
>
> Key: SLING-6130
> URL: https://issues.apache.org/jira/browse/SLING-6130
> Project: Sling
> Issue Type: Improvement
> Components: JCR, Oak
> Affects Versions: JCR Oak Server 1.1.0
> Reporter: Oliver Lietz
> Assignee: Oliver Lietz
> Labels: security
> Fix For: JCR Oak Server 1.1.2
>
> Attachments: error.log
>
>
> Currently {{everyone}} can {{read}} from {{/}} (configured in
> {{OakSlingRepositoryManager}}).
> Access for {{everyone}} should be restricted:
> * {{read}} should be restricted to {{/content}}
> * configuration of principals and ACLs should be done with _repoinit_
> # -Change path from {{/}} to {{/content}} in {{OakSlingRepositoryManager}}-
> (/) (-[r1764259|https://svn.apache.org/r1764259]-)
> # Fix modules (samples) relying on _unrestricted_ {{read}} access
> # Move configuration of ACLs to _repoinit_ (/)
> discussion on
> [dev@|https://lists.apache.org/thread.html/36908ed62ac93c63cad594a897f8abceb93f08da5bcea30dbce98e58@%3Cdev.sling.apache.org%3E]
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
