[
https://issues.apache.org/jira/browse/SLING-5135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15652007#comment-15652007
]
Julian Sedding edited comment on SLING-5135 at 11/10/16 8:19 AM:
-----------------------------------------------------------------
I think the {{DefaultWhitelist}} can be reduced to the following:
{code}
"org.apache.sling.discovery.commons",
"org.apache.sling.discovery.base",
"org.apache.sling.discovery.oak",
"org.apache.sling.extensions.webconsolesecurityprovider",
"org.apache.sling.i18n",
"org.apache.sling.installer.provider.jcr",
"org.apache.sling.jcr.base",
"org.apache.sling.jcr.contentloader",
"org.apache.sling.jcr.davex",
"org.apache.sling.jcr.jackrabbit.usermanager",
"org.apache.sling.jcr.oak.server",
"org.apache.sling.jcr.repoinit",
"org.apache.sling.jcr.resource",
"org.apache.sling.jcr.webconsole",
"org.apache.sling.resourceresolver",
"org.apache.sling.servlets.post", // remove when 2.3.16 is released
"org.apache.sling.servlets.resolver"
{code}
I'll run a full build to confirm that this works.
was (Author: jsedding):
I think the {{DefaultWhitelist}} can be reduced to the following:
{code}
"org.apache.sling.extensions.webconsolesecurityprovider",
"org.apache.sling.installer.provider.jcr",
"org.apache.sling.jcr.base",
"org.apache.sling.jcr.contentloader",
"org.apache.sling.jcr.davex",
"org.apache.sling.jcr.jackrabbit.usermanager",
"org.apache.sling.jcr.oak.server",
"org.apache.sling.jcr.repoinit",
"org.apache.sling.jcr.resource",
"org.apache.sling.jcr.webconsole",
"org.apache.sling.servlets.post"
{code}
I'll run a full build to confirm that this works.
> Whitelist legit usages of loginAdministrative and administrative
> ResourceResolver
> ---------------------------------------------------------------------------------
>
> Key: SLING-5135
> URL: https://issues.apache.org/jira/browse/SLING-5135
> Project: Sling
> Issue Type: Bug
> Components: JCR
> Reporter: Antonio Sanso
> Assignee: Bertrand Delacretaz
> Fix For: JCR Base 2.4.2
>
> Attachments: SLING-5135.patch, SLING-5135.patch
>
>
> {{AbstractSlingRepositoryManager}} contains a method that disables
> loginAdministrative support
> {code}
> /**
> * Returns whether to disable the
> * {@code SlingRepository.loginAdministrative} method or not.
> *
> * @return {@code true} if {@code SlingRepository.loginAdministrative} is
> * disabled.
> */
> public final boolean isDisableLoginAdministrative()
> {code}
> This is a global configuration. It would be nice to have an extension of such
> a mechanism that contains a white list of (a few) legit usages of
> {{loginAdministrative}}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
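The whitelist the issue asks for, sketched as an added example that is not Apache Sling's own code: a per-caller check that sits beside the existing global {{isDisableLoginAdministrative()}} switch and only lets the bundles in a default list (the one proposed in the comment above) plus a deployment-specific list call {{loginAdministrative}}. The class name, the method {{allowLoginAdministrative}}, the "additional whitelist" constructor argument and the {{com.example.*}} bundle names are assumptions for illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Added example, not Apache Sling's own code: a per-caller whitelist that
 * gates loginAdministrative instead of the single global on/off switch
 * exposed by isDisableLoginAdministrative().
 *
 * The caller identity is the OSGi bundle symbolic name. The default list is
 * the one proposed in the comment above; the class and method names and the
 * "additional whitelist" configuration are assumptions for illustration.
 */
public final class LoginAdminWhitelist {

    /** Bundles proposed above as legitimate users of loginAdministrative. */
    private static final Set<String> DEFAULT_WHITELIST = Collections.unmodifiableSet(
        new LinkedHashSet<>(Arrays.asList(
            "org.apache.sling.discovery.commons",
            "org.apache.sling.discovery.base",
            "org.apache.sling.discovery.oak",
            "org.apache.sling.extensions.webconsolesecurityprovider",
            "org.apache.sling.i18n",
            "org.apache.sling.installer.provider.jcr",
            "org.apache.sling.jcr.base",
            "org.apache.sling.jcr.contentloader",
            "org.apache.sling.jcr.davex",
            "org.apache.sling.jcr.jackrabbit.usermanager",
            "org.apache.sling.jcr.oak.server",
            "org.apache.sling.jcr.repoinit",
            "org.apache.sling.jcr.resource",
            "org.apache.sling.jcr.webconsole",
            "org.apache.sling.resourceresolver",
            "org.apache.sling.servlets.post",
            "org.apache.sling.servlets.resolver")));

    /** Mirrors the existing global switch: true means "deny unless whitelisted". */
    private final boolean disableLoginAdministrative;

    /** Deployment-specific additions (assumed to come from OSGi configuration). */
    private final Set<String> additionalWhitelist;

    public LoginAdminWhitelist(boolean disableLoginAdministrative, Set<String> additionalWhitelist) {
        this.disableLoginAdministrative = disableLoginAdministrative;
        this.additionalWhitelist = additionalWhitelist == null
            ? Collections.<String>emptySet()
            : Collections.unmodifiableSet(new LinkedHashSet<>(additionalWhitelist));
    }

    /**
     * Decides whether the bundle identified by bundleSymbolicName may call
     * loginAdministrative. With the global switch off every caller is allowed,
     * as today; with it on, only whitelisted bundles are, and an unknown
     * caller (null name) is always denied.
     */
    public boolean allowLoginAdministrative(String bundleSymbolicName) {
        if (!disableLoginAdministrative) {
            return true;
        }
        if (bundleSymbolicName == null) {
            return false;
        }
        return DEFAULT_WHITELIST.contains(bundleSymbolicName)
            || additionalWhitelist.contains(bundleSymbolicName);
    }

    public static void main(String[] args) {
        // Global switch on, one assumed custom bundle added by configuration.
        LoginAdminWhitelist strict = new LoginAdminWhitelist(true,
            Collections.singleton("com.example.myapp.core"));
        for (String bsn : new String[] {
                "org.apache.sling.jcr.resource",  // in the default list
                "com.example.myapp.core",         // in the additional list
                "com.example.legacy.scripts",     // in neither list
                null }) {                         // caller could not be identified
            System.out.println(bsn + " -> " + strict.allowLoginAdministrative(bsn));
        }
    }
}
```

Two points matter when wiring a check like this into a real repository service. The symbolic name must come from the framework, not from the caller: registering the repository as an OSGi {{ServiceFactory}} makes the requesting {{Bundle}} available in {{getService(Bundle, ServiceRegistration)}}, so the decision can be bound to {{bundle.getSymbolicName()}} rather than to a string the caller passes in. And the granularity is the bundle, so every class in a whitelisted bundle inherits the privilege, which is why the list should stay as short as the issue's "(a few)" implies and why the comment above trims it by build-verifying each entry.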