[ https://issues.apache.org/jira/browse/SLING-6130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15612627#comment-15612627 ]
Oliver Lietz commented on SLING-6130:
-------------------------------------

Requesting the manually started instance at http://localhost:8080 results in:
{noformat}
Forbidden (403)
The requested URL / resulted in an error in org.apache.sling.servlets.get.DefaultGetServlet.
Request Progress:
0 TIMER_START{Request Processing}
3 COMMENT timer_end format is {<elapsed microseconds>,<timer name>} <optional message>
12 LOG Method=GET, PathInfo=null
24 TIMER_START{handleSecurity}
1634 TIMER_END{1607,handleSecurity} authenticator org.apache.sling.auth.core.impl.SlingAuthenticator@781504be returns true
1862 TIMER_START{ResourceResolution}
2217 TIMER_END{353,ResourceResolution} URI=/ resolves to Resource=JcrNodeResource, type=sling:OrderedFolder, superType=null, path=/content
2228 LOG Resource Path Info: SlingRequestPathInfo: path='/content', selectorString='null', extension='null', suffix='/'
2228 TIMER_START{ServletResolution}
2233 TIMER_START{resolveServlet(/content)}
2255 TIMER_END{21,resolveServlet(/content)} Using servlet org.apache.sling.servlets.get.DefaultGetServlet
2260 TIMER_END{31,ServletResolution} URI=/ handled by Servlet=org.apache.sling.servlets.get.DefaultGetServlet
2265 LOG Applying Requestfilters
2273 LOG Calling filter: org.apache.sling.i18n.impl.I18NFilter
2279 LOG Calling filter: org.apache.sling.engine.impl.debug.RequestProgressTrackerLogFilter
2283 LOG Applying Componentfilters
2293 TIMER_START{org.apache.sling.servlets.get.DefaultGetServlet#0}
2320 LOG Using org.apache.sling.servlets.get.impl.helpers.StreamRendererServlet to render for extension=null
2358 LOG Applying Error filters
2364 LOG Calling filter: org.apache.sling.i18n.impl.I18NFilter
2369 TIMER_START{handleError:status=403}
2541 TIMER_END{171,handleError:status=403} Using handler org.apache.sling.servlets.resolver.internal.defaults.DefaultErrorHandlerServlet
3066 TIMER_END{3064,Request Processing} Dumping SlingRequestProgressTracker Entries
{noformat}

> Restrict access for principal everyone and move configuration to repoinit
> -------------------------------------------------------------------------
>
>                 Key: SLING-6130
>                 URL: https://issues.apache.org/jira/browse/SLING-6130
>             Project: Sling
>          Issue Type: Improvement
>          Components: JCR, Oak
>    Affects Versions: JCR Oak Server 1.1.0
>            Reporter: Oliver Lietz
>            Assignee: Oliver Lietz
>              Labels: security
>             Fix For: JCR Oak Server 1.1.2
>
>         Attachments: error.log
>
>
> Currently {{everyone}} can {{read}} from {{/}} (configured in {{OakSlingRepositoryManager}}).
> Access for {{everyone}} should be restricted:
> * {{read}} should be restricted to {{/content}}
> * configuration of principals and ACLs should be done with _repoinit_
> # -Change path from {{/}} to {{/content}} in {{OakSlingRepositoryManager}}- (/) (-[r1764259|https://svn.apache.org/r1764259]-)
> # Fix modules (samples) relying on _unrestricted_ {{read}} access
> # Move configuration of ACLs to _repoinit_ (/)
> discussion on [dev@|https://lists.apache.org/thread.html/36908ed62ac93c63cad594a897f8abceb93f08da5bcea30dbce98e58@%3Cdev.sling.apache.org%3E]

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)