Nitin Nizhawan created SLING-7455:
-------------------------------------
Summary: Provide a way to restrict access to servlets and scripts
(jsp/ecma etc.)
Key: SLING-7455
URL: https://issues.apache.org/jira/browse/SLING-7455
Project: Sling
Issue Type: New Feature
Components: Resource Access Security, Servlets
Affects Versions: Servlets Resolver 2.4.22
Reporter: Nitin Nizhawan
*Issue*
Most web servers provide a way to restrict access to URLs based on the
roles/groups of users. Also, since the mapping of URLs and scripts (servlets/JSP)
is internal and the end user cannot define this mapping, this method effectively
restricts access to scripts (servlets/JSP).
On the other hand, Sling restricts access to endpoints using ACLs set up on
content nodes that have the sling:resourceType property set in the repository,
i.e. nodes which have "sling:resourceType" set can be used to invoke the script
identified by the value of the "sling:resourceType" property by a user only if
she also has read permission on the node.
But, as we know, the mapping of paths and scripts (servlets/JSP) is done via the
"sling:resourceType" property, and this property can be written by end users
having write access to the repository using SlingPostServlet or possibly other
tools.
This means that any user having read/write access to any part of the repository
can invoke any servlet or script by creating a node with a sling:resourceType
property with its value set to the resourceType of the desired script/servlet.
The scripts which make use of the current user's session are not
particularly affected by this, since permission checks would be done by the
repository layer once these scripts access/modify content using this session.
But many scripts which either use a service user (thus unlinking the repository
permission check from the current user's session) or which may have nothing
to do with the repository, such as contacting an external service, crypto,
filesystem access, launching processes etc., have no way to restrict access
other than manually checking in code for session permissions etc.
*Expected*
A declarative method to restrict access to scripts (servlet/jsp).
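The gap described in this issue and the declarative restriction it asks for, as an added example that is not part of the original message and is not Sling code: a minimal Python model in which the node ACL is the only gate, compared with a per-script allowed-groups declaration. All names, paths, groups and the `enforce_declared` switch are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed model, not Sling code; every name and path here is hypothetical.
User = namedtuple("User", "name groups")
Node = namedtuple("Node", "resource_type readers writers")

def create_node(nodes, user, parent, name, resource_type):
    """Write gated only by write access on the parent; the type value is unchecked."""
    if user.name not in nodes[parent].writers:
        raise PermissionError(f"{user.name}: no write access on {parent}")
    path = f"{parent}/{name}"
    nodes[path] = Node(resource_type, {user.name}, {user.name})
    return path

def resolve(nodes, scripts, user, path, enforce_declared):
    """Return the resource type whose script would run, or raise PermissionError."""
    node = nodes[path]
    if user.name not in node.readers:  # node ACL: the only gate the issue describes
        raise PermissionError(f"{user.name}: no read access on {path}")
    allowed = scripts[node.resource_type]  # declared groups, or None if unrestricted
    if enforce_declared and allowed is not None and not (user.groups & allowed):
        raise PermissionError(f"{user.name}: not permitted to run {node.resource_type}")
    return node.resource_type

def demo():
    scripts = {"example/export": frozenset({"administrators"}),  # runs as a service user
               "example/page": None}
    nodes = {"/content/export": Node("example/export", {"admin"}, set()),
             "/home/alice": Node("example/page", {"alice"}, {"alice"})}
    alice = User("alice", frozenset({"everyone"}))
    admin = User("admin", frozenset({"administrators"}))
    own = create_node(nodes, alice, "/home/alice", "x", "example/export")
    results = {}
    for label, enforce in (("acl_only", False), ("declared", True)):
        try:
            results[label] = resolve(nodes, scripts, alice, own, enforce)
        except PermissionError:
            results[label] = "denied"
    results["admin"] = resolve(nodes, scripts, admin, "/content/export", True)
    return results

if __name__ == "__main__":
    print(demo())
```

With the node ACL alone, the request through the user's own node resolves to the restricted script; with the declaration enforced at resolution time, the same request is denied while the administrator's request still succeeds.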