[ 
https://issues.apache.org/jira/browse/SLING-7455?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16346787#comment-16346787
 ] 

Robert Munteanu commented on SLING-7455:
----------------------------------------

[~nitin.nizhawan] - I sense there is a larger discussion lurking here :-) I 
suggest you write an email to [email protected], discussing your proposal.

> Provide a way to restrict access to servlets and scripts (jsp/ecma etc.)
> ------------------------------------------------------------------------
>
>                 Key: SLING-7455
>                 URL: https://issues.apache.org/jira/browse/SLING-7455
>             Project: Sling
>          Issue Type: New Feature
>          Components: Resource Access Security, Servlets
>    Affects Versions: Servlets Resolver 2.4.22
>            Reporter: Nitin Nizhawan
>            Priority: Critical
>
> *Issue*
> Most web servers provide a way to restrict access to URLs based on 
> roles/groups of users. Also, since the mapping of URLs and scripts 
> (servlets/jsp) is internal and the end user cannot define this mapping, this 
> method effectively restricts access to scripts (servlets/jsp).
>  
> On the other hand, Sling restricts access to endpoints using the ACL setup of 
> content nodes having the sling:resourceType property set in the repository, 
> i.e. nodes which have "sling:resourceType" set can be used to invoke the 
> script identified by the value of the "sling:resourceType" property by a user 
> only if she also has read permission on the node.
>  
> But as we know, the mapping of paths and scripts (servlets/jsp) is done via 
> the "sling:resourceType" property, and this property can be written by end 
> users having write access to the repository using SlingPostServlet or 
> possibly other tools.
> This means that any user having read/write access to any part of the 
> repository can invoke any servlet or script by creating a node with a 
> sling:resourceType property with its value set to the resourceType of the 
> desired script/servlet. 
> Although, the scripts which make use of the current user's session are not 
> particularly affected by this, since permission checks would be done by the 
> repository layer once these scripts access/modify content using this session.
> But many scripts which either use a service user (thus un-linking the 
> repository permission check from the current user's session) or scripts which 
> may have nothing to do with the repository, such as contacting an external 
> service, crypto, filesystem access, launching processes etc., have no way to 
> restrict access other than manually checking in code for session permissions 
> etc.
>  
> *Expected*
> A declarative method to restrict access to scripts (servlet/jsp). 
>  
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
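
An audit for the binding problem the issue describes, as an added example that is not part of the original message or of Sling's own code: it walks a nested JSON rendering of the repository tree (child nodes as nested objects) and reports nodes whose sling:resourceType names a restricted script outside the paths approved for it. The resource type names, the path policy and the sample tree are constructed assumptions.

```python
# Added example: resource type names, path prefixes and the sample tree
# below are constructed for illustration, not taken from Sling or the issue.

SEARCH_PATH = ("/apps/", "/libs/")  # Sling's default script search path

# Hypothetical policy: restricted resourceType -> path prefixes allowed to bind it
RESTRICTED = {
    "myapp/admin/runreport": ("/content/admin/",),
    "myapp/tools/exec": ("/content/ops/",),
}

def normalize(rtype):
    """Reduce absolute (/apps/x/y) and relative (x/y) forms to one key."""
    for root in SEARCH_PATH:
        if rtype.startswith(root):
            return rtype[len(root):]
    return rtype.lstrip("/")

def walk(node, path=""):
    """Yield (path, properties) for each node; nested dicts are child nodes."""
    yield path or "/", {k: v for k, v in node.items() if not isinstance(v, dict)}
    for name, child in node.items():
        if isinstance(child, dict):
            yield from walk(child, f"{path}/{name}")

def audit(tree):
    """Return (path, resourceType) pairs bound outside their allowed prefixes."""
    findings = []
    for path, props in walk(tree):
        rtype = props.get("sling:resourceType")
        if not isinstance(rtype, str):
            continue  # missing or multi-valued property: nothing to resolve
        key = normalize(rtype)
        allowed = RESTRICTED.get(key)
        if allowed is not None and not (path + "/").startswith(allowed):
            findings.append((path, key))
    return sorted(findings)

# Constructed sample tree: one approved binding, one in a user-writable area.
SAMPLE = {"content": {
    "admin": {"report": {"sling:resourceType": "myapp/admin/runreport"}},
    "users": {"alice": {
        "notes": {"sling:resourceType": "/apps/myapp/admin/runreport"},
        "page": {"sling:resourceType": "myapp/page"}}}}}

if __name__ == "__main__":
    for path, rtype in audit(SAMPLE):
        print(f"{path}: binds restricted type {rtype}")
```

Both the relative and the absolute spelling of a resource type resolve to the same script, so the audit compares the normalized form.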
