[ https://issues.apache.org/jira/browse/SLING-6767?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16608483#comment-16608483 ]

Eric Norman commented on SLING-6767:
------------------------------------
[~kwin] The problem I see with that scenario is that by the time you get the
post response the damage has already been done on the server side. Wouldn't a
better solution be some validation to stop it before it stored anything in the
repository and return an appropriate status code? For example, some sort of
"reserved paths" SlingPostProcessor that blocks it from attempting to make any
changes for resources under the /system/userManager/* path?

[~joerghoh] Can you really trust the client user to send the expected
pre-condition parameters? Seems like it would be too easy to bypass the
checking. Perhaps additional validation could be done automatically on the
server side (without changing the client request) with some custom
SlingPostProcessor or a custom filter that does some additional checks and
stops it from reaching the default post servlet in the first place?

> Jackrabbit Usermanager: Allow to detect whether a POST request was treated by
> the default POST servlet or the jackrabbit.usermanager
> ------------------------------------------------------------------------------------------------------------------------------------
>
> Key: SLING-6767
> URL: https://issues.apache.org/jira/browse/SLING-6767
> Project: Sling
> Issue Type: Improvement
> Components: JCR
> Reporter: Konrad Windszus
> Priority: Major
> Fix For: JCR Jackrabbit User Manager 2.2.8
>
>
> Currently it is impossible to tell from the response whether a POST request
> has been answered by either the Default Sling POST servlet or the Jackrabbit
> Usermanager. Both the JSON and the HTML look exactly the same no matter who
> answered. It should be possible to see from the client-side whether a request
> has been treated by one or the other.