[ https://issues.apache.org/jira/browse/SLING-6130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15612627#comment-15612627 ]

Oliver Lietz commented on SLING-6130:
-------------------------------------

Requesting the manually started instance at http://localhost:8080 results in:
{noformat}
Forbidden (403)

The requested URL / resulted in an error in org.apache.sling.servlets.get.DefaultGetServlet.

Request Progress:

      0 TIMER_START{Request Processing}
      3 COMMENT timer_end format is {<elapsed microseconds>,<timer name>} <optional message>
     12 LOG Method=GET, PathInfo=null
     24 TIMER_START{handleSecurity}
   1634 TIMER_END{1607,handleSecurity} authenticator org.apache.sling.auth.core.impl.SlingAuthenticator@781504be returns true
   1862 TIMER_START{ResourceResolution}
   2217 TIMER_END{353,ResourceResolution} URI=/ resolves to Resource=JcrNodeResource, type=sling:OrderedFolder, superType=null, path=/content
   2228 LOG Resource Path Info: SlingRequestPathInfo: path='/content', selectorString='null', extension='null', suffix='/'
   2228 TIMER_START{ServletResolution}
   2233 TIMER_START{resolveServlet(/content)}
   2255 TIMER_END{21,resolveServlet(/content)} Using servlet org.apache.sling.servlets.get.DefaultGetServlet
   2260 TIMER_END{31,ServletResolution} URI=/ handled by Servlet=org.apache.sling.servlets.get.DefaultGetServlet
   2265 LOG Applying Requestfilters
   2273 LOG Calling filter: org.apache.sling.i18n.impl.I18NFilter
   2279 LOG Calling filter: org.apache.sling.engine.impl.debug.RequestProgressTrackerLogFilter
   2283 LOG Applying Componentfilters
   2293 TIMER_START{org.apache.sling.servlets.get.DefaultGetServlet#0}
   2320 LOG Using org.apache.sling.servlets.get.impl.helpers.StreamRendererServlet to render for extension=null
   2358 LOG Applying Error filters
   2364 LOG Calling filter: org.apache.sling.i18n.impl.I18NFilter
   2369 TIMER_START{handleError:status=403}
   2541 TIMER_END{171,handleError:status=403} Using handler org.apache.sling.servlets.resolver.internal.defaults.DefaultErrorHandlerServlet
   3066 TIMER_END{3064,Request Processing} Dumping SlingRequestProgressTracker Entries
{noformat}

> Restrict access for principal everyone and move configuration to repoinit
> -------------------------------------------------------------------------
>
>                 Key: SLING-6130
>                 URL: https://issues.apache.org/jira/browse/SLING-6130
>             Project: Sling
>          Issue Type: Improvement
>          Components: JCR, Oak
>    Affects Versions: JCR Oak Server 1.1.0
>            Reporter: Oliver Lietz
>            Assignee: Oliver Lietz
>              Labels: security
>             Fix For: JCR Oak Server 1.1.2
>
>         Attachments: error.log
>
>
> Currently {{everyone}} can {{read}} from {{/}} (configured in 
> {{OakSlingRepositoryManager}}).
> Access for {{everyone}} should be restricted:
> * {{read}} should be restricted to {{/content}}
> * configuration of principals and ACLs should be done with _repoinit_
> # -Change path from {{/}} to {{/content}} in {{OakSlingRepositoryManager}}- (/) (-[r1764259|https://svn.apache.org/r1764259]-)
> # Fix modules (samples) relying on _unrestricted_ {{read}} access
> # Move configuration of ACLs to _repoinit_ (/)
> discussion on [dev@|https://lists.apache.org/thread.html/36908ed62ac93c63cad594a897f8abceb93f08da5bcea30dbce98e58@%3Cdev.sling.apache.org%3E]
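The dump in the comment above is a Sling RequestProgressTracker listing, and its own COMMENT entry documents the TIMER_END format (`{<elapsed microseconds>,<timer name>} <optional message>`). As an added example that is not part of the comment or of Sling's code, the Python below parses such a dump into entries, reports the duration recorded by each TIMER_END, extracts the HTTP status carried in the `handleError:status=...` timer name and the path the request resolved to, and lists timers that were started but never ended. The sample input is constructed from a subset of the quoted dump with its wrapped lines rejoined; the function and field names are my own.

```python
"""Parse a Sling RequestProgressTracker dump (added example, not Sling code).

Entry shape, as the dump's COMMENT line states:
    <elapsed us> TIMER_END{<duration us>,<timer name>} <optional message>
TIMER_START, LOG and COMMENT entries share the leading "<elapsed us> <KIND>" part.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the dump quoted in the comment above,
# with the lines that were wrapped in the e-mail joined back together.
SAMPLE = """\
      0 TIMER_START{Request Processing}
      3 COMMENT timer_end format is {<elapsed microseconds>,<timer name>} <optional message>
     12 LOG Method=GET, PathInfo=null
     24 TIMER_START{handleSecurity}
   1634 TIMER_END{1607,handleSecurity} authenticator org.apache.sling.auth.core.impl.SlingAuthenticator@781504be returns true
   1862 TIMER_START{ResourceResolution}
   2217 TIMER_END{353,ResourceResolution} URI=/ resolves to Resource=JcrNodeResource, type=sling:OrderedFolder, superType=null, path=/content
   2293 TIMER_START{org.apache.sling.servlets.get.DefaultGetServlet#0}
   2369 TIMER_START{handleError:status=403}
   2541 TIMER_END{171,handleError:status=403} Using handler org.apache.sling.servlets.resolver.internal.defaults.DefaultErrorHandlerServlet
   3066 TIMER_END{3064,Request Processing} Dumping SlingRequestProgressTracker Entries
"""

# "<elapsed> <KIND><rest>"; the kind is followed directly by "{" for timers.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(TIMER_START|TIMER_END|LOG|COMMENT)\s*(.*)$")
TIMER_END_RE = re.compile(r"^\{(\d+),([^}]*)\}\s*(.*)$")
TIMER_START_RE = re.compile(r"^\{([^}]*)\}\s*(.*)$")


@dataclass
class Entry:
    elapsed_us: int              # microseconds since request start
    kind: str                    # TIMER_START, TIMER_END, LOG or COMMENT
    timer: Optional[str]         # timer name for TIMER_* entries, else None
    duration_us: Optional[int]   # only set for TIMER_END entries
    message: str                 # trailing free-text part of the entry


def parse_tracker(text: str) -> List[Entry]:
    """Turn a tracker dump into Entry objects; lines that do not match are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        elapsed, kind, rest = int(m.group(1)), m.group(2), m.group(3)
        timer: Optional[str] = None
        duration: Optional[int] = None
        message = rest
        if kind == "TIMER_END":
            t = TIMER_END_RE.match(rest)
            if t:
                duration, timer, message = int(t.group(1)), t.group(2), t.group(3)
        elif kind == "TIMER_START":
            t = TIMER_START_RE.match(rest)
            if t:
                timer, message = t.group(1), t.group(2)
        entries.append(Entry(elapsed, kind, timer, duration, message.strip()))
    return entries


def timer_durations(entries: List[Entry]) -> Dict[str, int]:
    """Duration in microseconds recorded by each TIMER_END, keyed by timer name."""
    return {e.timer: e.duration_us for e in entries
            if e.kind == "TIMER_END" and e.timer is not None and e.duration_us is not None}


def error_status(entries: List[Entry]) -> Optional[int]:
    """HTTP status from a handleError timer (e.g. 'handleError:status=403'), if any."""
    for e in entries:
        if e.kind == "TIMER_END" and e.timer and e.timer.startswith("handleError:status="):
            return int(e.timer.split("=", 1)[1])
    return None


def resolved_path(entries: List[Entry]) -> Optional[str]:
    """Resource path reported by the ResourceResolution timer's message."""
    for e in entries:
        if e.kind == "TIMER_END" and e.timer == "ResourceResolution":
            m = re.search(r"\bpath=(\S+)", e.message)
            if m:
                return m.group(1)
    return None


def unfinished_timers(entries: List[Entry]) -> List[str]:
    """Timers with a TIMER_START but no matching TIMER_END, in start order."""
    ended = {e.timer for e in entries if e.kind == "TIMER_END"}
    return [e.timer for e in entries
            if e.kind == "TIMER_START" and e.timer is not None and e.timer not in ended]


if __name__ == "__main__":
    parsed = parse_tracker(SAMPLE)
    print("status:", error_status(parsed))
    print("resolved path:", resolved_path(parsed))
    for name, us in timer_durations(parsed).items():
        print(f"{name}: {us} us")
    print("unfinished timers:", unfinished_timers(parsed))
```

Run on the sample, the parser reports status 403, the resolved path `/content`, and one unfinished timer, `org.apache.sling.servlets.get.DefaultGetServlet#0`: in the quoted dump that servlet timer is started at 2293 but never closed, because the error filters and the `handleError:status=403` handler take over before it ends. Checking for unfinished timers is a quick way to see at which stage a request was abandoned.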



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)