[ https://issues.apache.org/jira/browse/SLING-5135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15651212#comment-15651212 ]

Carsten Ziegeler commented on SLING-5135:
-----------------------------------------

We should also check whether the default whitelist is still correct, currently 
it is

{source}
            "org.apache.sling.discovery.commons",
            "org.apache.sling.discovery.base",
            "org.apache.sling.discovery.oak",
            "org.apache.sling.extensions.webconsolesecurityprovider",
            "org.apache.sling.i18n",
            "org.apache.sling.installer.provider.jcr",
            "org.apache.sling.jcr.base",
            "org.apache.sling.jcr.contentloader",
            "org.apache.sling.jcr.davex",
            "org.apache.sling.jcr.jackrabbit.usermanager",
            "org.apache.sling.jcr.oak.server",
            "org.apache.sling.jcr.resource",
            "org.apache.sling.jcr.webconsole",
            "org.apache.sling.jcr.webdav",
            "org.apache.sling.junit.core",
            "org.apache.sling.resourceresolver",
            "org.apache.sling.scripting.core",
            "org.apache.sling.scripting.sightly",
            "org.apache.sling.servlets.post",
            "org.apache.sling.servlets.resolver",
            "org.apache.sling.xss"
{source}

I think some of the above modules don't use login admin anymore.

> Whitelist legit usages of loginAdministrative and administrative 
> ResourceResolver
> ---------------------------------------------------------------------------------
>
>                 Key: SLING-5135
>                 URL: https://issues.apache.org/jira/browse/SLING-5135
>             Project: Sling
>          Issue Type: Bug
>          Components: JCR
>            Reporter: Antonio Sanso
>            Assignee: Bertrand Delacretaz
>             Fix For: JCR Base 2.4.2
>
>         Attachments: SLING-5135.patch, SLING-5135.patch
>
>
> {{AbstractSlingRepositoryManager}} contains a method that disables 
> loginAdministrative support
> {code}
>     /**
>      * Returns whether to disable the
>      * {@code SlingRepository.loginAdministrative} method or not.
>      *
>      * @return {@code true} if {@code SlingRepository.loginAdministrative} is
>      *         disabled.
>      */
>     public final boolean isDisableLoginAdministrative() 
> {code}
> This is a global configuration. It would be nice to have an extension of such 
> a mechanism that contains a whitelist of (a few) legit usages of 
> {{loginAdministrative}}
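To make the two pieces discussed above concrete (the global "disable loginAdministrative" switch from the issue description and the per-bundle whitelist from the comment), here is a small added example of a gate that combines them. It is illustrative code written for this note, not Sling's own implementation: the class name LoginAdminGate, the constructor and the allowLoginAdministrative method are hypothetical, and the caller's bundle symbolic name is passed in as a plain string rather than looked up from the OSGi Bundle.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

/**
 * Hypothetical gate deciding whether a calling bundle may use
 * loginAdministrative. Not Sling's code; written as an illustration.
 */
public final class LoginAdminGate {

    private static final Logger LOG = Logger.getLogger(LoginAdminGate.class.getName());

    // Global switch, mirroring isDisableLoginAdministrative() from the issue.
    private final boolean disableLoginAdministrative;

    // Bundle symbolic names that remain allowed even when the switch is on
    // (the "whitelist of legit usages" from the issue and comment).
    private final Set<String> whitelist;

    public LoginAdminGate(boolean disableLoginAdministrative, Set<String> whitelist) {
        this.disableLoginAdministrative = disableLoginAdministrative;
        this.whitelist = Collections.unmodifiableSet(new HashSet<>(whitelist));
    }

    /**
     * Returns true if the bundle with the given symbolic name may obtain an
     * administrative session.
     */
    public boolean allowLoginAdministrative(String callerSymbolicName) {
        if (!disableLoginAdministrative) {
            // Switch off: legacy behaviour, every caller is admitted, but the
            // usage is logged so that remaining callers can be found and
            // either whitelisted or migrated to service users.
            LOG.warning("loginAdministrative used by " + callerSymbolicName
                    + " while the global disable flag is off");
            return true;
        }
        if (callerSymbolicName != null && whitelist.contains(callerSymbolicName)) {
            return true;
        }
        LOG.warning("loginAdministrative denied for bundle " + callerSymbolicName);
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: two names taken from the default list in the
        // comment above, used only to exercise the gate.
        Set<String> defaults = new HashSet<>(Arrays.asList(
                "org.apache.sling.jcr.base",
                "org.apache.sling.xss"));

        LoginAdminGate gate = new LoginAdminGate(true, defaults);
        System.out.println("sling.xss allowed: "
                + gate.allowLoginAdministrative("org.apache.sling.xss"));
        System.out.println("third-party allowed: "
                + gate.allowLoginAdministrative("com.example.thirdparty"));
    }
}
```

The point of logging in the "switch off" branch is the one raised in the comment: before trimming the default whitelist, one needs to know which modules still call loginAdministrative, and a warning per caller is a cheap way to collect that evidence from a running instance.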



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)