[ https://issues.apache.org/jira/browse/SLING-5135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15651212#comment-15651212 ]
Carsten Ziegeler commented on SLING-5135:
-----------------------------------------

We should also check whether the default whitelist is still correct; currently it is
{source}
        "org.apache.sling.discovery.commons",
        "org.apache.sling.discovery.base",
        "org.apache.sling.discovery.oak",
        "org.apache.sling.extensions.webconsolesecurityprovider",
        "org.apache.sling.i18n",
        "org.apache.sling.installer.provider.jcr",
        "org.apache.sling.jcr.base",
        "org.apache.sling.jcr.contentloader",
        "org.apache.sling.jcr.davex",
        "org.apache.sling.jcr.jackrabbit.usermanager",
        "org.apache.sling.jcr.oak.server",
        "org.apache.sling.jcr.resource",
        "org.apache.sling.jcr.webconsole",
        "org.apache.sling.jcr.webdav",
        "org.apache.sling.junit.core",
        "org.apache.sling.resourceresolver",
        "org.apache.sling.scripting.core",
        "org.apache.sling.scripting.sightly",
        "org.apache.sling.servlets.post",
        "org.apache.sling.servlets.resolver",
        "org.apache.sling.xss"
{source}

I think some of the above modules don't use login admin anymore

> Whitelist legit usages of loginAdministrative and administrative ResourceResolver
> ---------------------------------------------------------------------------------
>
>                 Key: SLING-5135
>                 URL: https://issues.apache.org/jira/browse/SLING-5135
>             Project: Sling
>          Issue Type: Bug
>          Components: JCR
>            Reporter: Antonio Sanso
>            Assignee: Bertrand Delacretaz
>             Fix For: JCR Base 2.4.2
>
>         Attachments: SLING-5135.patch, SLING-5135.patch
>
>
> {{AbstractSlingRepositoryManager}} contains a method that disables loginAdministrative support
> {code}
>     /**
>      * Returns whether to disable the
>      * {@code SlingRepository.loginAdministrative} method or not.
>      *
>      * @return {@code true} if {@code SlingRepository.loginAdministrative} is
>      *         disabled.
>      */
>     public final boolean isDisableLoginAdministrative()
> {code}
> This is a global configuration.
> It would be nice to have an extension of such mechanism that contains a white list of (few) legit usages of {{loginAdministrative}}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
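
One way to run the check suggested in the comment above, as an added example that is not part of the JIRA thread or of the Sling code base: scan each whitelisted bundle's sources for administrative logins and list the bundles that show none. It assumes a checkout with one directory per bundle symbolic name; the function names and the sample sources are hypothetical, and `getAdministrativeResourceResolver` is taken to be the "administrative ResourceResolver" call named in the issue title.

```python
import re
import tempfile
from pathlib import Path

# Textual heuristic: the two admin-login method names followed by "(".
ADMIN_CALL = re.compile(r"\b(loginAdministrative|getAdministrativeResourceResolver)\s*\(")
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)

def strip_comments(src):
    """Blank out Java comments but keep newlines so line numbers stay valid."""
    return COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), src)

def audit_whitelist(src_root, whitelist):
    """Return {bundle: [(file, line, method), ...]}; None if no source was found."""
    report = {}
    for bundle in whitelist:
        bundle_dir = Path(src_root) / bundle  # assumed layout: <root>/<symbolic name>/
        if not bundle_dir.is_dir():
            report[bundle] = None  # not checked, which is different from "clean"
            continue
        hits = []
        for java in sorted(bundle_dir.rglob("*.java")):
            text = strip_comments(java.read_text(encoding="utf-8", errors="replace"))
            for m in ADMIN_CALL.finditer(text):
                line = text.count("\n", 0, m.start()) + 1
                hits.append((java.relative_to(src_root).as_posix(), line, m.group(1)))
        report[bundle] = hits
    return report

def removal_candidates(report):  # scanned bundles with no admin-login hit
    return sorted(b for b, hits in report.items() if hits == [])

def build_sample_tree(root):
    """Constructed demo sources; they say nothing about the real bundles."""
    samples = {
        "org.apache.sling.jcr.contentloader/Loader.java":
            "class Loader {\n  void run() { s = repo.loginAdministrative(null); }\n}\n",
        "org.apache.sling.xss/Filter.java":
            "/** Used loginAdministrative(null) before. */\nclass Filter {\n"
            "  void run() { f.getServiceResourceResolver(null); }\n}\n",
    }
    for rel, body in samples.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        wl = ["org.apache.sling.jcr.contentloader", "org.apache.sling.xss", "org.apache.sling.i18n"]
        print(removal_candidates(audit_whitelist(tmp, wl)))
```

Hits still need a manual look, since the pattern also matches a bundle's own declaration of these methods, and a bundle reported as `None` was never scanned.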