[jira] [Created] (SLING-10094) Update embedded version of xalan

2021-01-27 Thread Antonio Sanso (Jira)
Antonio Sanso created SLING-10094:
-

 Summary: Update embedded version of xalan
 Key: SLING-10094
 URL: https://issues.apache.org/jira/browse/SLING-10094
 Project: Sling
  Issue Type: Task
  Components: XSS Protection API
Reporter: Antonio Sanso


org.apache.sling.xss 2.2.2 and above still embed Xalan 2.7.0.
It would be beneficial to use the most recent version of Xalan: 2.7.2 or above.
 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (SLING-9418) Usage of SHA-256 is insecure

2020-05-07 Thread Antonio Sanso (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101654#comment-17101654
 ] 

Antonio Sanso commented on SLING-9418:
--

[~mahir.kabir] I resolved as invalid. Feel free to reopen should you not agree.
Your comments apply to hashing a password, and this is not the case here.

> Usage of SHA-256 is insecure
> 
>
> Key: SLING-9418
> URL: https://issues.apache.org/jira/browse/SLING-9418
> Project: Sling
>  Issue Type: Improvement
>Reporter: Md Mahir Asef Kabir
>Priority: Major
>
> *Vulnerability Description:* In 
> “src/main/java/org/apache/sling/discovery/base/connectors/ping/TopologyRequestValidator.java”
>  file the following code was written in
> {code:java}
> private String hash(String toHash){code}
> method -
> {code:java}
> MessageDigest m = MessageDigest.getInstance("SHA-256");{code}
> The vulnerability is, using "SHA-256” as the argument to 
> MessageDigest.getInstance method.
> *Reason it’s vulnerable:* According to 
> [this|https://securityboulevard.com/2019/07/insecure-default-password-hashing-in-cmss/],
>  “SHA256 functions do not include a salt and a separate function must be used 
> to add the salt”. Another reference can be found 
> [here|https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm].
> *Suggested Fix:* According to 
> [this|https://securityboulevard.com/2019/07/insecure-default-password-hashing-in-cmss/],
>  “The most secure current hash functions are BCRYPT, SCRYPT, and Argon2”
> *Feedback:* Please select any of the options down below to help us get an 
> idea about how you felt about the suggestion -
>  # Liked it and will make the suggested changes
>  # Liked it but happy with the existing version
>  # Didn’t find the suggestion helpful
>  
> *Note:* Tagging *[~stefanegli]* as suggested by [~rombert] in this [pull 
> request.|https://github.com/apache/sling-org-apache-sling-discovery-base/pull/1]



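The distinction the thread turns on (salting is a password-hashing requirement, not a property SHA-256 itself lacks), as an added Java example that is not Sling's TopologyRequestValidator code: the same digest algorithm used once as a plain integrity fingerprint and once, via the JDK's built-in PBKDF2 (standing in for the bcrypt/scrypt/Argon2 named in the report), as a salted password verifier. Class and method names, the sample inputs and the iteration count are choices made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example, not Sling's TopologyRequestValidator: SHA-256 in two roles.
 *
 * Role 1, fingerprinting data that is not a guessable secret: a plain,
 * deterministic digest is the right tool and a salt would add nothing.
 * Role 2, storing a password: the input is low-entropy and guessable, so it
 * needs a per-entry random salt and a deliberately slow derivation. PBKDF2 is
 * used because it ships with the JDK; bcrypt, scrypt and Argon2 (named in the
 * report) need a third-party library but follow the same salt-plus-cost shape.
 */
public final class DigestRoles {

    private static final SecureRandom RNG = new SecureRandom();
    /** Work factor; tune so one derivation costs tens of milliseconds on the target hardware. */
    private static final int PBKDF2_ITERATIONS = 600_000;
    private static final int KEY_BITS = 256;

    /** Role 1: same input always yields the same digest; no salt by design. */
    public static byte[] fingerprint(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    /** Compare digests without leaking where they differ (Arrays.equals short-circuits). */
    public static boolean sameFingerprint(byte[] expected, byte[] actual) {
        return MessageDigest.isEqual(expected, actual);
    }

    /** Role 2: produce a verifier of the form "iterations$salt$hash" (salt and hash Base64). */
    public static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, PBKDF2_ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return PBKDF2_ITERATIONS + "$" + enc.encodeToString(salt) + "$" + enc.encodeToString(hash);
    }

    /** Re-derive with the stored salt and iteration count, then compare in constant time. */
    public static boolean verifyPassword(char[] password, String stored) throws Exception {
        String[] parts = stored.split("\\$");
        if (parts.length != 3) {
            return false;
        }
        Base64.Decoder dec = Base64.getDecoder();
        byte[] actual = pbkdf2(password, dec.decode(parts[1]), Integer.parseInt(parts[0]));
        return MessageDigest.isEqual(dec.decode(parts[2]), actual);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // PBEKeySpec holds its own copy of the password
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a message body fingerprinted for integrity (role 1).
        byte[] body = "{\"cluster\":\"c1\",\"instance\":\"i7\"}".getBytes(StandardCharsets.UTF_8);
        System.out.println("fingerprint stable: " + sameFingerprint(fingerprint(body), fingerprint(body)));

        // Constructed sample: a password stored as a salted verifier (role 2).
        char[] pw = "correct horse battery staple".toCharArray();
        String v1 = hashPassword(pw);
        String v2 = hashPassword(pw);
        System.out.println("two verifiers of one password differ: " + !v1.equals(v2));
        System.out.println("verify correct password: " + verifyPassword(pw, v1));
        System.out.println("verify wrong password:   " + verifyPassword("Tr0ub4dor&3".toCharArray(), v1));
    }
}
```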


[jira] [Resolved] (SLING-9418) Usage of SHA-256 is insecure

2020-05-07 Thread Antonio Sanso (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso resolved SLING-9418.
--
Resolution: Invalid

> Usage of SHA-256 is insecure
> 
>
> Key: SLING-9418
> URL: https://issues.apache.org/jira/browse/SLING-9418
> Project: Sling
>  Issue Type: Improvement
>Reporter: Md Mahir Asef Kabir
>Priority: Major
>
> *Vulnerability Description:* In 
> “src/main/java/org/apache/sling/discovery/base/connectors/ping/TopologyRequestValidator.java”
>  file the following code was written in
> {code:java}
> private String hash(String toHash){code}
> method -
> {code:java}
> MessageDigest m = MessageDigest.getInstance("SHA-256");{code}
> The vulnerability is, using "SHA-256” as the argument to 
> MessageDigest.getInstance method.
> *Reason it’s vulnerable:* According to 
> [this|https://securityboulevard.com/2019/07/insecure-default-password-hashing-in-cmss/],
>  “SHA256 functions do not include a salt and a separate function must be used 
> to add the salt”. Another reference can be found 
> [here|https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm].
> *Suggested Fix:* According to 
> [this|https://securityboulevard.com/2019/07/insecure-default-password-hashing-in-cmss/],
>  “The most secure current hash functions are BCRYPT, SCRYPT, and Argon2”
> *Feedback:* Please select any of the options down below to help us get an 
> idea about how you felt about the suggestion -
>  # Liked it and will make the suggested changes
>  # Liked it but happy with the existing version
>  # Didn’t find the suggestion helpful
>  
> *Note:* Tagging *[~stefanegli]* as suggested by [~rombert] in this [pull 
> request.|https://github.com/apache/sling-org-apache-sling-discovery-base/pull/1]





[jira] [Commented] (SLING-9418) Usage of SHA-256 is insecure

2020-05-07 Thread Antonio Sanso (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101506#comment-17101506
 ] 

Antonio Sanso commented on SLING-9418:
--

[~stefanegli] I do not think the salt applies to this case. IMHO it is fine as it 
is.

> Usage of SHA-256 is insecure
> 
>
> Key: SLING-9418
> URL: https://issues.apache.org/jira/browse/SLING-9418
> Project: Sling
>  Issue Type: Improvement
>Reporter: Md Mahir Asef Kabir
>Priority: Major
>
> *Vulnerability Description:* In 
> “src/main/java/org/apache/sling/discovery/base/connectors/ping/TopologyRequestValidator.java”
>  file the following code was written in
> {code:java}
> private String hash(String toHash){code}
> method -
> {code:java}
> MessageDigest m = MessageDigest.getInstance("SHA-256");{code}
> The vulnerability is, using "SHA-256” as the argument to 
> MessageDigest.getInstance method.
> *Reason it’s vulnerable:* According to 
> [this|https://securityboulevard.com/2019/07/insecure-default-password-hashing-in-cmss/],
>  “SHA256 functions do not include a salt and a separate function must be used 
> to add the salt”. Another reference can be found 
> [here|https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm].
> *Suggested Fix:* According to 
> [this|https://securityboulevard.com/2019/07/insecure-default-password-hashing-in-cmss/],
>  “The most secure current hash functions are BCRYPT, SCRYPT, and Argon2”
> *Feedback:* Please select any of the options down below to help us get an 
> idea about how you felt about the suggestion -
>  # Liked it and will make the suggested changes
>  # Liked it but happy with the existing version
>  # Didn’t find the suggestion helpful
>  
> *Note:* Tagging *[~stefanegli]* as suggested by [~rombert] in this [pull 
> request.|https://github.com/apache/sling-org-apache-sling-discovery-base/pull/1]





[jira] [Commented] (SLING-8838) Add HEAD support to ContentDispositionFilter

2020-01-10 Thread Antonio Sanso (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-8838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17012616#comment-17012616
 ] 

Antonio Sanso commented on SLING-8838:
--

[~rombert] I do not see why not...

> Add HEAD support to ContentDispositionFilter
> 
>
> Key: SLING-8838
> URL: https://issues.apache.org/jira/browse/SLING-8838
> Project: Sling
>  Issue Type: New Feature
>  Components: Extensions
>Affects Versions: Security 1.1.10
>Reporter: Ilyas Türkben
>Priority: Major
>
> As per (*) {{ContentDispositionFilter}} doesn't seem to support HEAD 
> requests.
> It is handy to use curl with {{curl -I http://localhost/path}} in order to 
> retrieve only the response headers rather than the whole content, especially 
> with blobs.
> * 
> https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java#L205





[jira] [Updated] (SLING-8775) java.lang.StackOverflowError in XSSAPI.getValidHref

2019-10-11 Thread Antonio Sanso (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-8775?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso updated SLING-8775:
-
Description: 
The regex pattern in XSSAPI.getValidHref may cause a StackOverflowError.

Calling the 'xssAPI.getValidHref(String)' API throws a StackOverflowError for an 
input string parameter with a length of 1700 or more.

{code}
Caused by: java.lang.StackOverflowError
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
at java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
at java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
at java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
at java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
at java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
at java.base/java.util.regex.Pattern$BmpCharProperty.match(Pattern.java:3951)
at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
at java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736

[jira] [Created] (SLING-8775) java.lang.StackOverflowError in XSSAPI.getValidHref

2019-10-11 Thread Antonio Sanso (Jira)
Antonio Sanso created SLING-8775:


 Summary: java.lang.StackOverflowError in XSSAPI.getValidHref
 Key: SLING-8775
 URL: https://issues.apache.org/jira/browse/SLING-8775
 Project: Sling
  Issue Type: Bug
  Components: XSS Protection API
Reporter: Antonio Sanso


The regex pattern in XSSAPI.getValidHref may cause a StackOverflowError.

Test case to follow

{code}
Caused by: java.lang.StackOverflowError
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
at java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
at java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
at java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
at java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
at java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
at java.base/java.util.regex.Pattern$BmpCharProperty.match(Pattern.java:3951)
at java.base/java.util.regex.Pattern$Branch.match(Pattern.java:4736)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base/java.util.regex.Pattern$Loop.match(Pattern.java:4928)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$BranchConn.match(Pattern.java:4700)
at java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:4850)
at java.base/java.util.regex.Pattern$CharPropertyGreedy.match(Pattern.java:4293)
at java.base/java.util.regex.Pattern$CharProperty.match(Pattern.java:3927)
at java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4791)
at java.base
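The failure mode behind SLING-8775, as an added Java example that is not Sling's XSSAPI code: the trace above cycles through Pattern$Loop, Pattern$Branch and Pattern$GroupHead because java.util.regex matches a quantified group whose body is an alternation by recursion, one level per repetition, so input length alone determines whether the stack holds. The pattern below is a constructed stand-in for the real href regex; the example shows the recursive shape beside an equivalent character-class form the engine runs iteratively, and puts a length bound in front of matching.

```java
import java.util.regex.Pattern;

/**
 * Added example, not Sling's XSSAPI: a quantified group with an alternation
 * inside ("(?:a|b)*") is executed by java.util.regex as Loop -> GroupHead ->
 * Branch -> ... -> GroupTail -> Loop, one recursion level per repetition, which
 * is the call chain in the SLING-8775 trace. The same language written as a
 * character class is matched by CharPropertyGreedy in a flat loop.
 */
public final class RegexStackDepth {

    /** Recursive form: the group body is an alternation, so repetition recurses. Constructed for the demo. */
    static final Pattern ALTERNATION_IN_LOOP = Pattern.compile("^(?:[a-z]|[0-9]|-)*$");

    /** Same language as one character class: no group, no recursion. */
    static final Pattern CHARACTER_CLASS = Pattern.compile("^[a-z0-9-]*$");

    /** Bound applied before any regex touches untrusted input; longer values are rejected, not parsed. */
    static final int MAX_INPUT_LENGTH = 2048;

    /** Diagnostic helper: true/false for a completed match, null if matching blew the stack. */
    static Boolean tryMatch(Pattern p, String input) {
        try {
            return p.matcher(input).matches();
        } catch (StackOverflowError e) {
            // Acceptable only in a harness like this one; production code should never get here.
            return null;
        }
    }

    /** The defensive shape: length bound first, then the non-recursive pattern. */
    static boolean isValidToken(String input) {
        if (input == null || input.length() > MAX_INPUT_LENGTH) {
            return false;
        }
        return CHARACTER_CLASS.matcher(input).matches();
    }

    public static void main(String[] args) {
        // Constructed input, far beyond the ~1700 characters reported in SLING-8775.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 1_000_000; i++) {
            sb.append("abc123-".charAt(i % 7));
        }
        String longInput = sb.toString();

        System.out.println("alternation in loop: " + tryMatch(ALTERNATION_IN_LOOP, longInput));
        System.out.println("character class:     " + tryMatch(CHARACTER_CLASS, longInput));
        System.out.println("bounded validator, long input: " + isValidToken(longInput));
        System.out.println("bounded validator, short input: " + isValidToken("docs-2019"));
    }
}
```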

[jira] [Resolved] (SLING-8405) Improve Encoding in the Logger WebConsolePlugin

2019-05-08 Thread Antonio Sanso (JIRA)


 [ 
https://issues.apache.org/jira/browse/SLING-8405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso resolved SLING-8405.
--
Resolution: Invalid

> Improve Encoding in the Logger WebConsolePlugin 
> 
>
> Key: SLING-8405
> URL: https://issues.apache.org/jira/browse/SLING-8405
> Project: Sling
>  Issue Type: Improvement
>  Components: Commons
>    Reporter: Antonio Sanso
>Priority: Minor
>
> It would be good to improve the encoding in the Logger WebConsolePlugin 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


Re: [DISCUSS] Remove webconsole obr integration

2019-05-07 Thread Antonio Sanso
+1 on removing this!

Thanks Karl

antonio

On 5/7/19, 6:14 PM, "Robert Munteanu"  wrote:

On Tue, 2019-05-07 at 16:15 +0200, Karl Pauls wrote:
> Hi,
> 
> I was wondering whether we actually need to ship the webconsole obr
> plugin as part of our starter distribution - is this actually used by
> anybody?

We don't keep the Sling OBR up to date, so I doubt anyone is still
using this functionality.

If you decide to drop this, please create a Jira and label it according
to [1] so we don't forget to mention it in the release notes.

Thanks,

Robert

[1]: 
https://cwiki.apache.org/confluence/display/SLING/Releasing+a+new+version+of+the+Sling+Starter#ReleasinganewversionoftheSlingStarter-Createanewandnoteworthypage





[jira] [Created] (SLING-8405) Improve Encoding in the Log WebConsolePlugin

2019-05-07 Thread Antonio Sanso (JIRA)
Antonio Sanso created SLING-8405:


 Summary: Improve Encoding in the Log WebConsolePlugin 
 Key: SLING-8405
 URL: https://issues.apache.org/jira/browse/SLING-8405
 Project: Sling
  Issue Type: Improvement
  Components: Commons
Reporter: Antonio Sanso


It would be good to improve the encoding in the Log WebConsolePlugin 





[jira] [Updated] (SLING-8405) Improve Encoding in the Logger WebConsolePlugin

2019-05-07 Thread Antonio Sanso (JIRA)


 [ 
https://issues.apache.org/jira/browse/SLING-8405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso updated SLING-8405:
-
Description: It would be good to improve the encoding in the Logger 
WebConsolePlugin   (was: It would be good to improve the encoding in the Log 
WebConsolePlugin )
Summary: Improve Encoding in the Logger WebConsolePlugin   (was: 
Improve Encoding in the Log WebConsolePlugin )

> Improve Encoding in the Logger WebConsolePlugin 
> 
>
> Key: SLING-8405
> URL: https://issues.apache.org/jira/browse/SLING-8405
> Project: Sling
>  Issue Type: Improvement
>  Components: Commons
>    Reporter: Antonio Sanso
>Priority: Minor
>
> It would be good to improve the encoding in the Logger WebConsolePlugin 





[jira] [Resolved] (SLING-8389) Improve Encoding in the Servlet WebConsolePlugin

2019-05-07 Thread Antonio Sanso (JIRA)


 [ 
https://issues.apache.org/jira/browse/SLING-8389?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso resolved SLING-8389.
--
Resolution: Invalid

> Improve Encoding in the Servlet WebConsolePlugin 
> -
>
> Key: SLING-8389
> URL: https://issues.apache.org/jira/browse/SLING-8389
> Project: Sling
>  Issue Type: Improvement
>  Components: Servlets
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Major
> Fix For: Servlets Resolver 2.5.6
>
>
> It would be good to improve the Encoding in the Servlet WebConsolePlugin 
> [0] 
> https://github.com/apache/sling-org-apache-sling-servlets-resolver/blob/master/src/main/java/org/apache/sling/servlets/resolver/internal/console/WebConsolePlugin.java





[jira] [Updated] (SLING-8389) Improve Encoding in the Servlet WebConsolePlugin

2019-05-07 Thread Antonio Sanso (JIRA)


 [ 
https://issues.apache.org/jira/browse/SLING-8389?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso updated SLING-8389:
-
Fix Version/s: Servlets Resolver 2.5.6

> Improve Encoding in the Servlet WebConsolePlugin 
> -
>
> Key: SLING-8389
> URL: https://issues.apache.org/jira/browse/SLING-8389
> Project: Sling
>  Issue Type: Improvement
>  Components: Servlets
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Major
> Fix For: Servlets Resolver 2.5.6
>
>
> It would be good to improve the Encoding in the Servlet WebConsolePlugin 
> [0] 
> https://github.com/apache/sling-org-apache-sling-servlets-resolver/blob/master/src/main/java/org/apache/sling/servlets/resolver/internal/console/WebConsolePlugin.java





[jira] [Assigned] (SLING-8389) Improve Encoding in the Servlet WebConsolePlugin

2019-05-07 Thread Antonio Sanso (JIRA)


 [ 
https://issues.apache.org/jira/browse/SLING-8389?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso reassigned SLING-8389:


Assignee: Antonio Sanso

> Improve Encoding in the Servlet WebConsolePlugin 
> -
>
> Key: SLING-8389
> URL: https://issues.apache.org/jira/browse/SLING-8389
> Project: Sling
>  Issue Type: Improvement
>  Components: Servlets
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Major
>
> It would be good to improve the Encoding in the Servlet WebConsolePlugin 
> [0] 
> https://github.com/apache/sling-org-apache-sling-servlets-resolver/blob/master/src/main/java/org/apache/sling/servlets/resolver/internal/console/WebConsolePlugin.java





[jira] [Resolved] (SLING-8403) Update composum.version to a newer version

2019-05-07 Thread Antonio Sanso (JIRA)


 [ 
https://issues.apache.org/jira/browse/SLING-8403?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso resolved SLING-8403.
--
   Resolution: Fixed
Fix Version/s: Starter 12

Fixed in 2bc8c53fb5f3f20da1437d56013de4d25bbccd96

> Update composum.version to a newer version
> --
>
> Key: SLING-8403
> URL: https://issues.apache.org/jira/browse/SLING-8403
> Project: Sling
>  Issue Type: Task
>  Components: Starter
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Minor
> Fix For: Starter 12
>
>
> Composum 1.9.4 was released. It would be good to update composum.version to 
> this newer version.





[jira] [Created] (SLING-8403) Update composum.version to a newer version

2019-05-07 Thread Antonio Sanso (JIRA)
Antonio Sanso created SLING-8403:


 Summary: Update composum.version to a newer version
 Key: SLING-8403
 URL: https://issues.apache.org/jira/browse/SLING-8403
 Project: Sling
  Issue Type: Task
  Components: Starter
Reporter: Antonio Sanso
Assignee: Antonio Sanso


Composum 1.9.4 was released. It would be good to update composum.version to 
this newer version.





[jira] [Created] (SLING-8389) Improve Encoding in the Servlet WebConsolePlugin

2019-05-03 Thread Antonio Sanso (JIRA)
Antonio Sanso created SLING-8389:


 Summary: Improve Encoding in the Servlet WebConsolePlugin 
 Key: SLING-8389
 URL: https://issues.apache.org/jira/browse/SLING-8389
 Project: Sling
  Issue Type: Improvement
  Components: Servlets
Reporter: Antonio Sanso


It would be good to improve the Encoding in the Servlet WebConsolePlugin 

[0] 
https://github.com/apache/sling-org-apache-sling-servlets-resolver/blob/master/src/main/java/org/apache/sling/servlets/resolver/internal/console/WebConsolePlugin.java





[jira] [Resolved] (SLING-8276) Improve the HtmlResponse template

2019-02-15 Thread Antonio Sanso (JIRA)


 [ 
https://issues.apache.org/jira/browse/SLING-8276?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso resolved SLING-8276.
--
Resolution: Won't Fix

> Improve the HtmlResponse template
> -
>
> Key: SLING-8276
> URL: https://issues.apache.org/jira/browse/SLING-8276
> Project: Sling
>  Issue Type: Improvement
>  Components: Servlets
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Minor
>
> It would be good to improve the HtmlResponse template.





[jira] [Assigned] (SLING-6011) Register request listener through http whiteboard

2019-02-15 Thread Antonio Sanso (JIRA)


 [ 
https://issues.apache.org/jira/browse/SLING-6011?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso reassigned SLING-6011:


Assignee: Carsten Ziegeler  (was: Antonio Sanso)

> Register request listener through http whiteboard
> -
>
> Key: SLING-6011
> URL: https://issues.apache.org/jira/browse/SLING-6011
> Project: Sling
>  Issue Type: Improvement
>  Components: Authentication
>Reporter: Carsten Ziegeler
>Assignee: Carsten Ziegeler
>Priority: Major
> Fix For: Auth Core 1.3.18
>
>
> The request listener is currently registered through the Apache Felix 
> whiteboard, we should use the official http whiteboard registration instead





[jira] [Assigned] (SLING-6011) Register request listener through http whiteboard

2019-02-15 Thread Antonio Sanso (JIRA)


 [ 
https://issues.apache.org/jira/browse/SLING-6011?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso reassigned SLING-6011:


Assignee: Antonio Sanso  (was: Carsten Ziegeler)

> Register request listener through http whiteboard
> -
>
> Key: SLING-6011
> URL: https://issues.apache.org/jira/browse/SLING-6011
> Project: Sling
>  Issue Type: Improvement
>  Components: Authentication
>Reporter: Carsten Ziegeler
>    Assignee: Antonio Sanso
>Priority: Major
> Fix For: Auth Core 1.3.18
>
>
> The request listener is currently registered through the Apache Felix 
> whiteboard, we should use the official http whiteboard registration instead





[jira] [Created] (SLING-8276) Improve the HtmlResponse template

2019-02-14 Thread Antonio Sanso (JIRA)
Antonio Sanso created SLING-8276:


 Summary: Improve the HtmlResponse template
 Key: SLING-8276
 URL: https://issues.apache.org/jira/browse/SLING-8276
 Project: Sling
  Issue Type: Improvement
  Components: Servlets
Reporter: Antonio Sanso
Assignee: Antonio Sanso


It would be good to improve the HtmlResponse template.





[jira] [Commented] (SLING-7436) Wrong content/type in the Default JSON Renderer

2018-11-09 Thread Antonio Sanso (JIRA)


[ 
https://issues.apache.org/jira/browse/SLING-7436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16681033#comment-16681033
 ] 

Antonio Sanso commented on SLING-7436:
--

[~cziegeler] AFAIR the problem is not the content type but the fact that the 
file is automatically downloaded.

In 2., is there a Content-Disposition being set?

> Wrong content/type in the Default JSON Renderer 
> 
>
> Key: SLING-7436
> URL: https://issues.apache.org/jira/browse/SLING-7436
> Project: Sling
>  Issue Type: Bug
>  Components: Servlets
>    Reporter: Antonio Sanso
>Priority: Major
>
> Steps to reproduce:
>  1.Render a page (Renderer enabled) with JSON renderer. E.g:
>  [http://localhost.com/dir/page(selector] value).json
> 2. Now, extend the url with a slash / and a name with any other extensions 
> e.g 
>  [http://localhost.com/dir/page.(value).json/file.html].]
> 3. Observe file.html was automatically downloaded
> Credit: this issue was found by Md. Sabuktagin





[jira] [Closed] (SLING-7933) Evaluate Referrer Filter also for anonymous users

2018-09-25 Thread Antonio Sanso (JIRA)


 [ 
https://issues.apache.org/jira/browse/SLING-7933?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso closed SLING-7933.


> Evaluate Referrer Filter also for anonymous users
> -
>
> Key: SLING-7933
> URL: https://issues.apache.org/jira/browse/SLING-7933
> Project: Sling
>  Issue Type: Bug
>  Components: Extensions
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Major
> Fix For: Security 1.1.16
>
>
> The Referrer Filter is not evaluated for anonymous users.
> This is a mix of by design and regression.
> Earlier the Filter was executing before authentication. This is no longer 
> the case, hence we need a fix for it.





[RESULT][VOTE] Release Apache Sling Security 1.1.16

2018-09-24 Thread Antonio Sanso
The vote passed with 4 binding +1s


Re: [VOTE] Release Apache Sling Security 1.1.16

2018-09-24 Thread Antonio Sanso
My own +1

On 9/18/18, 11:54 AM, "Antonio Sanso"  wrote:

Hi,

We solved 1 issue in this release:

https://issues.apache.org/jira/browse/SLING-7933

Staging repository:
https://repository.apache.org/content/repositories/orgapachesling-1985/

You can use this UNIX script to download the release and verify the 
signatures:

https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD

Usage:
sh check_staged_release.sh 1985 /tmp/sling-staging

Please vote to approve this release:

  [ ] +1 Approve the release
  [ ]  0 Don't care
  [ ] -1 Don't release, because ...

This majority vote is open for at least 72 hours.

Regards

antonio




[VOTE] Release Apache Sling Security 1.1.16

2018-09-18 Thread Antonio Sanso
Hi,

We solved 1 issue in this release:

https://issues.apache.org/jira/browse/SLING-7933

Staging repository:
https://repository.apache.org/content/repositories/orgapachesling-1985/

You can use this UNIX script to download the release and verify the signatures:
https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD

Usage:
sh check_staged_release.sh 1985 /tmp/sling-staging

Please vote to approve this release:

  [ ] +1 Approve the release
  [ ]  0 Don't care
  [ ] -1 Don't release, because ...

This majority vote is open for at least 72 hours.

Regards

antonio


[jira] [Commented] (SLING-7933) Evaluate Referrer Filter also for anonymous users

2018-09-18 Thread Antonio Sanso (JIRA)


[ 
https://issues.apache.org/jira/browse/SLING-7933?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16618772#comment-16618772
 ] 

Antonio Sanso commented on SLING-7933:
--

fixed in 0d85834b841fa3485679f3c03583cabac8346f9d

> Evaluate Referrer Filter also for anonymous users
> -
>
> Key: SLING-7933
> URL: https://issues.apache.org/jira/browse/SLING-7933
> Project: Sling
>  Issue Type: Bug
>  Components: Extensions
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Major
> Fix For: Security 1.1.14
>
>
> The Referrer Filter is not evaluated for anonymous users.
> This is a mix of by design and regression.
> Earlier the Filter was executing before authentication. This is no longer 
> the case, hence we need a fix for it.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Resolved] (SLING-7933) Evaluate Referrer Filter also for anonymous users

2018-09-18 Thread Antonio Sanso (JIRA)


 [ 
https://issues.apache.org/jira/browse/SLING-7933?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso resolved SLING-7933.
--
   Resolution: Fixed
Fix Version/s: Security 1.1.14

> Evaluate Referrer Filter also for anonymous users
> -
>
> Key: SLING-7933
> URL: https://issues.apache.org/jira/browse/SLING-7933
> Project: Sling
>  Issue Type: Bug
>  Components: Extensions
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Major
> Fix For: Security 1.1.14
>
>
> The Referrer Filter is not evaluated for anonymous users.
> This is partly by design and partly a regression.
> Earlier the Filter was executing before authentication. This is not anymore 
> the case, hence we need a fix for it.





[jira] [Commented] (SLING-7933) Evaluate Referrer Filter also for anonymous users

2018-09-17 Thread Antonio Sanso (JIRA)


[ 
https://issues.apache.org/jira/browse/SLING-7933?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16617638#comment-16617638
 ] 

Antonio Sanso commented on SLING-7933:
--

[~cziegeler] suggested a really simple fix. It is indeed enough to rely on 
https://osgi.org/javadoc/osgi.cmpn/7.0.0/org/osgi/service/http/whiteboard/Preprocessor.html

> Evaluate Referrer Filter also for anonymous users
> -
>
> Key: SLING-7933
> URL: https://issues.apache.org/jira/browse/SLING-7933
> Project: Sling
>  Issue Type: Bug
>  Components: Extensions
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Major
>
> The Referrer Filter is not evaluated for anonymous users.
> This is partly by design and partly a regression.
> Earlier the Filter was executing before authentication. This is not anymore 
> the case, hence we need a fix for it.



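As an added illustration of the Preprocessor approach mentioned in the comment above (this is constructed example code, not the Sling Security bundle's ReferrerFilter): an OSGi HTTP Whiteboard Preprocessor is invoked before handleSecurity() and before any servlet filter, so a Referer check placed there covers anonymous requests as well as authenticated ones. It assumes Java 11+, the javax.servlet API and osgi.cmpn 7 with Declarative Services annotations on the classpath; the allow-list and the empty-Referer policy are constructed choices for this example.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.osgi.service.component.annotations.Component;
import org.osgi.service.http.whiteboard.Preprocessor;

/**
 * Illustrative Referer check registered as an OSGi HTTP Whiteboard Preprocessor.
 * The whiteboard runs preprocessors before handleSecurity() and before servlet
 * filters, so the check sees anonymous requests as well as authenticated ones.
 * Constructed example, not the Sling ReferrerFilter.
 */
@Component(service = Preprocessor.class)
public class ReferrerPreprocessor implements Preprocessor {

    // Constructed allow-list; a deployment would take this from configuration.
    private static final Set<String> ALLOWED_HOSTS = Set.of("localhost", "www.example.org");

    // Methods that must not change state and therefore need no Referer check.
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS", "TRACE");

    // Policy choice for this example: a state-changing request without a Referer is rejected.
    private static final boolean ALLOW_EMPTY_REFERER = false;

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to initialise
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest request = (HttpServletRequest) req;
            if (!SAFE_METHODS.contains(request.getMethod())
                    && !isAllowedReferrer(request.getHeader("Referer"), request.getServerName())) {
                // Rejected before authentication ran, so anonymous and logged-in callers are treated alike.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** Accepts a same-host or allow-listed Referer; anything unparsable is rejected. */
    static boolean isAllowedReferrer(String referer, String serverName) {
        if (referer == null || referer.isEmpty()) {
            return ALLOW_EMPTY_REFERER;
        }
        try {
            String host = new URI(referer).getHost();
            if (host == null) {
                return false; // e.g. a relative or opaque Referer value
            }
            return host.equalsIgnoreCase(serverName) || ALLOWED_HOSTS.contains(host.toLowerCase());
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```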


[jira] [Created] (SLING-7933) Evaluate Referrer Filter also for anonymous users

2018-09-17 Thread Antonio Sanso (JIRA)
Antonio Sanso created SLING-7933:


 Summary: Evaluate Referrer Filter also for anonymous users
 Key: SLING-7933
 URL: https://issues.apache.org/jira/browse/SLING-7933
 Project: Sling
  Issue Type: Bug
  Components: Extensions
Reporter: Antonio Sanso
Assignee: Antonio Sanso


The Referrer Filter is not evaluated for anonymous users.

This is partly by design and partly a regression.

Earlier the Filter was executing before authentication. This is not anymore 
the case, hence we need a fix for it.





[jira] [Resolved] (SLING-7857) Unclosed ResourceResolver in org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2

2018-08-27 Thread Antonio Sanso (JIRA)


 [ 
https://issues.apache.org/jira/browse/SLING-7857?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso resolved SLING-7857.
--
Resolution: Duplicate

> Unclosed ResourceResolver in 
> org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2
> -
>
> Key: SLING-7857
> URL: https://issues.apache.org/jira/browse/SLING-7857
> Project: Sling
>  Issue Type: Bug
>  Components: Extensions
>Reporter: Andrew Khoury
>    Assignee: Antonio Sanso
>Priority: Minor
>
> This issue is still observed with org.apache.sling.auth.core v 1.4.0, although 
> SLING-6011 states that the issue was resolved in version 1.3.18.
> The SlingWebConsoleSecurityProvider is handling the authentication, but it 
> is not registering a servlet request listener to close the session at the end 
> of the request. 
> {noformat}
> 15.09.2017 18:07:59.044 *INFO* [Apache Sling Resource Resolver Finalizer Thread] org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl Unclosed ResourceResolver was created here:
> java.lang.Exception: Opening Stacktrace
> at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl$ResolverReference.<init>(CommonResourceResolverFactoryImpl.java:521)
> at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.register(CommonResourceResolverFactoryImpl.java:218)
> at org.apache.sling.resourceresolver.impl.ResourceResolverImpl.<init>(ResourceResolverImpl.java:101)
> at org.apache.sling.resourceresolver.impl.ResourceResolverImpl.<init>(ResourceResolverImpl.java:94)
> at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolverInternal(CommonResourceResolverFactoryImpl.java:263)
> at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolver(CommonResourceResolverFactoryImpl.java:173)
> at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFactoryImpl.java:105)
> at org.apache.sling.auth.core.impl.SlingAuthenticator.getResolver(SlingAuthenticator.java:791)
> at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:506)
> at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:460)
> at org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2.authenticate(SlingWebConsoleSecurityProvider2.java:69)
> at org.apache.felix.webconsole.internal.servlet.OsgiManagerHttpContext.handleSecurity(OsgiManagerHttpContext.java:103)
> at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
> at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
> at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:128)
> at org.apache.felix.http.base.internal.dispatch.DispatcherServlet.service(DispatcherServlet.java:49)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
> at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
> at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
> at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
> at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
> at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
> at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
> at org.eclipse.jetty.server.Server.handle(Server.java:499)
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
> at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
> at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
> at java.lang.Thread.run(Thread.java:745)
> {noformat}
> We should add this.





[jira] [Commented] (SLING-7552) SlingPostServlet error handling still insufficient

2018-05-24 Thread Antonio Sanso (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-7552?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16488820#comment-16488820
 ] 

Antonio Sanso commented on SLING-7552:
--

[~joerghoh] maybe a less invasive solution would be to change the default for 
{{PostResponseWithErrorHandling}} to {{true}}, see [0].

 

[0]https://github.com/apache/sling-org-apache-sling-servlets-post/blob/master/src/main/java/org/apache/sling/servlets/post/impl/PostResponseWithErrorHandling.java#L59

> SlingPostServlet error handling still insufficient
> --
>
> Key: SLING-7552
> URL: https://issues.apache.org/jira/browse/SLING-7552
> Project: Sling
>  Issue Type: Improvement
>  Components: Servlets
>Affects Versions: Servlets Post 2.3.24
>Reporter: Jörg Hoh
>Priority: Major
>  Labels: patch
> Attachments: SLING-7552-patch.diff
>
>
> At the moment the default error handling of Sling [1] cannot be used for 
> errors caused and handled by the SlingPostServlet itself. It will always 
> return its own custom output without the chance of customizing it. Although 
> Antonio and Justin worked in SLING-2156 to improve this situation, it still 
> requires extra work (implementing a PostResponseWithErrorHandling). It would 
> be better if the output could be customized by the "standard error handling".
>  
> How to reproduce:
>  * create an error handling script in 
> /apps/sling/servlet/errorhandler/default.jsp which creates some random output.
>  * Validate this script config by doing a request which causes some exception 
> (do not use the SlingPostServlet here)
>  * Do a POST to the Sling instance which results in an exception (e.g. due to 
> insufficient permissions).
>  * The output of the second call is completely determined by the 
> SlingPostServlet; the default error handling does not kick in.
> Proposed solution:
> * The SlingPostServlet should not swallow the exception and handle it by 
> itself, but rather re-throw it, so the standard error handling is triggered.
>  
> [1] http://sling.apache.org/documentation/the-sling-engine/errorhandling.html





[jira] [Comment Edited] (SLING-7552) SlingPostServlet error handling still insufficient

2018-05-24 Thread Antonio Sanso (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-7552?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16488820#comment-16488820
 ] 

Antonio Sanso edited comment on SLING-7552 at 5/24/18 11:30 AM:


[~joerghoh] maybe a less invasive solution would be to change the default for 
{{PostResponseWithErrorHandling}} to {{true}}, see [0].

 

[0]https://github.com/apache/sling-org-apache-sling-servlets-post/blob/master/src/main/java/org/apache/sling/servlets/post/impl/PostResponseWithErrorHandling.java#L59


was (Author: asanso):
[~joerghoh] maybe a less invasive solution would be to change the default for 
{{PostResponseWithErrorHandling}} to {{true}}, see [0].

 

[0]https://github.com/apache/sling-org-apache-sling-servlets-post/blob/master/src/main/java/org/apache/sling/servlets/post/impl/PostResponseWithErrorHandling.java#L59

> SlingPostServlet error handling still insufficient
> --
>
> Key: SLING-7552
> URL: https://issues.apache.org/jira/browse/SLING-7552
> Project: Sling
>  Issue Type: Improvement
>  Components: Servlets
>Affects Versions: Servlets Post 2.3.24
>Reporter: Jörg Hoh
>Priority: Major
>  Labels: patch
> Attachments: SLING-7552-patch.diff
>
>
> At the moment the default error handling of Sling [1] cannot be used for 
> errors caused and handled by the SlingPostServlet itself. It will always 
> return its own custom output without the chance of customizing it. Although 
> Antonio and Justin worked in SLING-2156 to improve this situation, it still 
> requires extra work (implementing a PostResponseWithErrorHandling). It would 
> be better if the output could be customized by the "standard error handling".
>  
> How to reproduce:
>  * create an error handling script in 
> /apps/sling/servlet/errorhandler/default.jsp which creates some random output.
>  * Validate this script config by doing a request which causes some exception 
> (do not use the SlingPostServlet here)
>  * Do a POST to the Sling instance which results in an exception (e.g. due to 
> insufficient permissions).
>  * The output of the second call is completely determined by the 
> SlingPostServlet; the default error handling does not kick in.
> Proposed solution:
> * The SlingPostServlet should not swallow the exception and handle it by 
> itself, but rather re-throw it, so the standard error handling is triggered.
>  
> [1] http://sling.apache.org/documentation/the-sling-engine/errorhandling.html





[jira] [Updated] (SLING-7631) Wrong log debug statement in ResourceResolverImpl

2018-05-02 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso updated SLING-7631:
-
Fix Version/s: (was: Resource Resolver 1.6.0)
   Resource Resolver 1.6.2

> Wrong log debug statement in ResourceResolverImpl
> -
>
> Key: SLING-7631
> URL: https://issues.apache.org/jira/browse/SLING-7631
> Project: Sling
>  Issue Type: Bug
>  Components: ResourceResolver
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Minor
> Fix For: Resource Resolver 1.6.2
>
>
> There is a wrong log debug statement in {{ResourceResolverImpl#map}} in [0]
> {code:java}
> logger.debug("resolve: MapEntry {} matches, mapped path is {}", mapEntry, 
> mappedPath);{code}
> it should be 
> {code:java}
> logger.debug("map: MapEntry {} matches, mapped path is {}", mapEntry, 
> mappedPath);{code}
> [0] 
> https://github.com/apache/sling-org-apache-sling-resourceresolver/blob/master/src/main/java/org/apache/sling/resourceresolver/impl/ResourceResolverImpl.java#L568





[jira] [Resolved] (SLING-7631) Wrong log debug statement in ResourceResolverImpl

2018-05-02 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso resolved SLING-7631.
--
   Resolution: Fixed
Fix Version/s: Resource Resolver 1.6.0

> Wrong log debug statement in ResourceResolverImpl
> -
>
> Key: SLING-7631
> URL: https://issues.apache.org/jira/browse/SLING-7631
> Project: Sling
>  Issue Type: Bug
>  Components: ResourceResolver
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Minor
> Fix For: Resource Resolver 1.6.0
>
>
> There is a wrong log debug statement in {{ResourceResolverImpl#map}} in [0]
> {code:java}
> logger.debug("resolve: MapEntry {} matches, mapped path is {}", mapEntry, 
> mappedPath);{code}
> it should be 
> {code:java}
> logger.debug("map: MapEntry {} matches, mapped path is {}", mapEntry, 
> mappedPath);{code}
> [0] 
> https://github.com/apache/sling-org-apache-sling-resourceresolver/blob/master/src/main/java/org/apache/sling/resourceresolver/impl/ResourceResolverImpl.java#L568





[jira] [Commented] (SLING-7631) Wrong log debug statement in ResourceResolverImpl

2018-05-02 Thread Antonio Sanso (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-7631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16460578#comment-16460578
 ] 

Antonio Sanso commented on SLING-7631:
--

fixed in rev. 31d72ce..2a87d59

> Wrong log debug statement in ResourceResolverImpl
> -
>
> Key: SLING-7631
> URL: https://issues.apache.org/jira/browse/SLING-7631
> Project: Sling
>  Issue Type: Bug
>  Components: ResourceResolver
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Minor
>
> There is a wrong log debug statement in {{ResourceResolverImpl#map}} in [0]
> {code:java}
> logger.debug("resolve: MapEntry {} matches, mapped path is {}", mapEntry, 
> mappedPath);{code}
> it should be 
> {code:java}
> logger.debug("map: MapEntry {} matches, mapped path is {}", mapEntry, 
> mappedPath);{code}
> [0] 
> https://github.com/apache/sling-org-apache-sling-resourceresolver/blob/master/src/main/java/org/apache/sling/resourceresolver/impl/ResourceResolverImpl.java#L568





[jira] [Updated] (SLING-7631) Wrong log debug statement in ResourceResolverImpl

2018-05-02 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso updated SLING-7631:
-
Component/s: ResourceResolver

> Wrong log debug statement in ResourceResolverImpl
> -
>
> Key: SLING-7631
> URL: https://issues.apache.org/jira/browse/SLING-7631
> Project: Sling
>  Issue Type: Bug
>  Components: ResourceResolver
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Minor
>
> There is a wrong log debug statement in {{ResourceResolverImpl#map}} in [0]
> {code:java}
> logger.debug("resolve: MapEntry {} matches, mapped path is {}", mapEntry, 
> mappedPath);{code}
> it should be 
> {code:java}
> logger.debug("map: MapEntry {} matches, mapped path is {}", mapEntry, 
> mappedPath);{code}
> [0] 
> https://github.com/apache/sling-org-apache-sling-resourceresolver/blob/master/src/main/java/org/apache/sling/resourceresolver/impl/ResourceResolverImpl.java#L568





[jira] [Assigned] (SLING-7631) Wrong log debug statement in ResourceResolverImpl

2018-05-02 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso reassigned SLING-7631:


Assignee: Antonio Sanso

> Wrong log debug statement in ResourceResolverImpl
> -
>
> Key: SLING-7631
> URL: https://issues.apache.org/jira/browse/SLING-7631
> Project: Sling
>  Issue Type: Bug
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Minor
>
> There is a wrong log debug statement in {{ResourceResolverImpl#map}} in [0]
> {code:java}
> logger.debug("resolve: MapEntry {} matches, mapped path is {}", mapEntry, 
> mappedPath);{code}
> it should be 
> {code:java}
> logger.debug("map: MapEntry {} matches, mapped path is {}", mapEntry, 
> mappedPath);{code}
> [0] 
> https://github.com/apache/sling-org-apache-sling-resourceresolver/blob/master/src/main/java/org/apache/sling/resourceresolver/impl/ResourceResolverImpl.java#L568





[jira] [Created] (SLING-7631) Wrong log debug statement in ResourceResolverImpl

2018-05-02 Thread Antonio Sanso (JIRA)
Antonio Sanso created SLING-7631:


 Summary: Wrong log debug statement in ResourceResolverImpl
 Key: SLING-7631
 URL: https://issues.apache.org/jira/browse/SLING-7631
 Project: Sling
  Issue Type: Bug
Reporter: Antonio Sanso


There is a wrong log debug statement in {{ResourceResolverImpl#map}} in [0]
{code:java}
logger.debug("resolve: MapEntry {} matches, mapped path is {}", mapEntry, 
mappedPath);{code}
it should be 
{code:java}
logger.debug("map: MapEntry {} matches, mapped path is {}", mapEntry, 
mappedPath);{code}
[0] 
https://github.com/apache/sling-org-apache-sling-resourceresolver/blob/master/src/main/java/org/apache/sling/resourceresolver/impl/ResourceResolverImpl.java#L568





Re: [VOTE] Release Apache Sling Resource Resolver 1.6.0

2018-03-19 Thread Antonio Sanso
+1
regards

antonio

On Mar 19, 2018, at 12:25 PM, Carsten Ziegeler  wrote:

> Hi,
> 
> We solved 1 issue in this release:
> 
> https://issues.apache.org/jira/projects/SLING/versions/12342885
> 
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-1888
> 
> You can use this UNIX script to download the release and verify the
> signatures:
> http://svn.apache.org/repos/asf/sling/trunk/check_staged_release.sh
> 
> Usage:
> sh check_staged_release.sh 1888 /tmp/sling-staging
> 
> Please vote to approve this release:
> 
>  [ ] +1 Approve the release
>  [ ]  0 Don't care
>  [ ] -1 Don't release, because ...
> 
> This majority vote is open for at least 72 hours.
> 
> Regards
> Carsten
> -- 
> Carsten Ziegeler
> Adobe Research Switzerland
> cziege...@apache.org



[jira] [Closed] (SLING-7525) Content-Type missing after applying the ContentDispositionFilter twice

2018-03-19 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso closed SLING-7525.


> Content-Type missing after applying the ContentDispositionFilter twice
> --
>
> Key: SLING-7525
> URL: https://issues.apache.org/jira/browse/SLING-7525
> Project: Sling
>  Issue Type: Bug
>Affects Versions: Security 1.1.8, Security 1.1.10
>Reporter: Orlowska
>    Assignee: Antonio Sanso
>Priority: Major
> Fix For: Security 1.1.12
>
>
> The issue started with SLING-7219.
> When the {{ContentDispositionFilter}} is called twice (as a request filter 
> and as a forward filter) on a single request, the {{Content-Type}} is not 
> propagated and is missing from the Response.
>  
> On the second pass in the {{setContentType()}} the condition [1]
> {code:java}
> if (previousContentType != null && previousContentType.equals(type)){code}
> will be fulfilled so the [2]
> {code:java}
> super.setContentType(type);{code}
> will not be called.
>  
> [1] 
> [https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java#L208]
> [2] 
> [https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java#L253]





[RESULT] [VOTE] Release Apache Sling Security 1.1.12

2018-03-19 Thread Antonio Sanso
The vote passed with 4 binding +1s

regards

antonio


Re: [VOTE] Release Apache Sling Security 1.1.12

2018-03-19 Thread Antonio Sanso
+1
On Mar 15, 2018, at 10:27 AM, Antonio Sanso <asa...@adobe.com> wrote:

> Hi,
> 
> We solved 1 issue in this release:
> https://issues.apache.org/jira/browse/SLING-7525
> 
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-1886/
> 
> You can use this UNIX script to download the release and verify the 
> signatures:
> https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD
> 
> Usage:
> sh check_staged_release.sh 1886 /tmp/sling-staging
> 
> Please vote to approve this release:
> 
>  [ ] +1 Approve the release
>  [ ]  0 Don't care
>  [ ] -1 Don't release, because ...
> 
> This majority vote is open for at least 72 hours.



Re: setting up for a release

2018-03-15 Thread Antonio Sanso
hi Jason,


this is (at least partially) covered in 
http://sling.apache.org/documentation/development/release-management.html#update-jira


regards


antonio


From: Jason E Bailey 
Sent: Thursday, March 15, 2018 4:02:08 PM
To: dev@sling.apache.org
Subject: Re: setting up for a release

I appreciate the link,  for some reason I didn't make the connection.

There is one part missing, not necessarily from the release but affecting 
releases: the management of JIRA issues and the need to associate an issue 
with Fixed versions when a solution is put into place, so that it's properly 
tied to a release.

Once I get some time I'll update the Issue Tracking page.

- Jason

On Wed, Mar 14, 2018, at 12:26 PM, Bertrand Delacretaz wrote:
> Hi Jason,
>
> On Wed, Mar 14, 2018 at 5:20 PM, Jason E Bailey  wrote:
> > Looking for information on how to set up for a release. What do I need
> > to do in Jira etc
>
> http://sling.apache.org/documentation/development/release-management.html
> should have everything - if not let's fix that!
>
> -Bertrand


[VOTE] Release Apache Sling Security 1.1.12

2018-03-15 Thread Antonio Sanso
Hi,

We solved 1 issue in this release:
https://issues.apache.org/jira/browse/SLING-7525

Staging repository:
https://repository.apache.org/content/repositories/orgapachesling-1886/

You can use this UNIX script to download the release and verify the signatures:
https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD

Usage:
sh check_staged_release.sh 1886 /tmp/sling-staging

Please vote to approve this release:

  [ ] +1 Approve the release
  [ ]  0 Don't care
  [ ] -1 Don't release, because ...

This majority vote is open for at least 72 hours.

[jira] [Resolved] (SLING-7525) Content-Type missing after applying the ContentDispositionFilter twice

2018-03-14 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso resolved SLING-7525.
--
   Resolution: Fixed
Fix Version/s: Security 1.1.12

fixed in  2cd13b2..8e37dda

> Content-Type missing after applying the ContentDispositionFilter twice
> --
>
> Key: SLING-7525
> URL: https://issues.apache.org/jira/browse/SLING-7525
> Project: Sling
>  Issue Type: Bug
>Affects Versions: Security 1.1.8, Security 1.1.10
>Reporter: Orlowska
>    Assignee: Antonio Sanso
>Priority: Major
> Fix For: Security 1.1.12
>
>
> The issue started with SLING-7219.
> When the {{ContentDispositionFilter}} is called twice (as a request filter 
> and as a forward filter) on a single request, the {{Content-Type}} is not 
> propagated and is missing from the Response.
>  
> On the second pass in the {{setContentType()}} the condition [1]
> {code:java}
> if (previousContentType != null && previousContentType.equals(type)){code}
> will be fulfilled so the [2]
> {code:java}
> super.setContentType(type);{code}
> will not be called.
>  
> [1] 
> [https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java#L208]
> [2] 
> [https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java#L253]





[jira] [Commented] (SLING-7525) Content-Type missing after applying the ContentDispositionFilter twice

2018-03-13 Thread Antonio Sanso (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-7525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16396924#comment-16396924
 ] 

Antonio Sanso commented on SLING-7525:
--

I can reproduce. Thanks a lot [~orlowska]

> Content-Type missing after applying the ContentDispositionFilter twice
> --
>
> Key: SLING-7525
> URL: https://issues.apache.org/jira/browse/SLING-7525
> Project: Sling
>  Issue Type: Bug
>Affects Versions: Security 1.1.8, Security 1.1.10
>Reporter: Orlowska
>    Assignee: Antonio Sanso
>Priority: Major
>
> The issue started with SLING-7219.
> When the {{ContentDispositionFilter}} is called twice (as a request filter 
> and as a forward filter) on a single request, the {{Content-Type}} is not 
> propagated and is missing from the Response.
>  
> On the second pass in the {{setContentType()}} the condition [1]
> {code:java}
> if (previousContentType != null && previousContentType.equals(type)){code}
> will be fulfilled so the [2]
> {code:java}
> super.setContentType(type);{code}
> will not be called.
>  
> [1] 
> [https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java#L208]
> [2] 
> [https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java#L253]





Re: [ANN] New committer: David Bosschaert

2018-03-09 Thread Antonio Sanso
+1
On Mar 9, 2018, at 12:52 PM, Stefan Seifert  wrote:

> welcome david!
> 
> stefan
> 
>> -Original Message-
>> From: Carsten Ziegeler [mailto:cziege...@apache.org]
>> Sent: Friday, March 9, 2018 10:36 AM
>> To: Sling Developers
>> Subject: [ANN] New committer: David Bosschaert
>> 
>> The Project Management Committee (PMC) for Apache Sling
>> has invited David Bosschaert to become a committer and we are pleased
>> to announce that he has accepted.
>> 
>> Please welcome David.
>> 
>> David, you might want to introduce yourself.
>> 
>> Being a committer enables easier contribution to the
>> project since there is no need to go via the patch
>> submission process. This should enable better productivity.
>> Being a PMC member enables assistance with the management
>> and to guide the direction of the project.
>> 
>> Regards
>> Carsten
>> --
>> Carsten Ziegeler
>> Adobe Research Switzerland
>> cziege...@apache.org
> 



[jira] [Assigned] (SLING-2759) Provide an OpenId Connect Authentication Handler

2018-03-08 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-2759?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso reassigned SLING-2759:


Assignee: (was: Antonio Sanso)

> Provide an OpenId Connect Authentication Handler
> 
>
> Key: SLING-2759
> URL: https://issues.apache.org/jira/browse/SLING-2759
> Project: Sling
>  Issue Type: Wish
>  Components: Authentication
>    Reporter: Antonio Sanso
>Priority: Major
>  Labels: gsoc2018
>
> It would be nice to provide an OpenId Connect [0] Authentication Handler.
> Ideally this would leverage Apache Oltu OpenId Connect support [1] and a 
> pluggable login module [2].
> [0] http://openid.net/connect/
> [1] https://issues.apache.org/jira/browse/AMBER-24
> [2] https://issues.apache.org/jira/browse/SLING-2623





[jira] [Commented] (SLING-2759) Provide an OpenId Connect Authentication Handler

2018-03-08 Thread Antonio Sanso (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-2759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16391416#comment-16391416
 ] 

Antonio Sanso commented on SLING-2759:
--

[~rombert] nop. Go for it :)

> Provide an OpenId Connect Authentication Handler
> 
>
> Key: SLING-2759
> URL: https://issues.apache.org/jira/browse/SLING-2759
> Project: Sling
>  Issue Type: Wish
>  Components: Authentication
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Major
>  Labels: gsoc2018
>
> It would be nice to provide an OpenId Connect [0] Authentication Handler.
> Ideally this would leverage Apache Oltu OpenId Connect support [1] and a 
> pluggable login module [2].
> [0] http://openid.net/connect/
> [1] https://issues.apache.org/jira/browse/AMBER-24
> [2] https://issues.apache.org/jira/browse/SLING-2623





[jira] [Assigned] (SLING-7525) Content-Type missing after applying the ContentDispositionFilter twice

2018-03-04 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso reassigned SLING-7525:


Assignee: Antonio Sanso

> Content-Type missing after applying the ContentDispositionFilter twice
> --
>
> Key: SLING-7525
> URL: https://issues.apache.org/jira/browse/SLING-7525
> Project: Sling
>  Issue Type: Bug
>Affects Versions: Security 1.1.8, Security 1.1.10
>Reporter: Orlowska
>    Assignee: Antonio Sanso
>Priority: Major
>
> The issue started with SLING-7219.
> When the {{ContentDispositionFilter}} is called twice (as a request filter 
> and as a forward filter) on a single request, the {{Content-Type}} is not 
> propagated and is missing from the Response.
>  
> On the second pass in the {{setContentType()}} the condition [1]
> {code:java}
> if (previousContentType != null && previousContentType.equals(type)){code}
> will be fulfilled so the [2]
> {code:java}
> super.setContentType(type);{code}
> will not be called.
>  
> [1] 
> [https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java#L208]
> [2] 
> [https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ContentDispositionFilter.java#L253]





[jira] [Updated] (SLING-7436) Wrong content/type in the Default JSON Renderer

2018-01-23 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7436?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso updated SLING-7436:
-
Description: 
Steps to reproduce:
1. Render a page (Renderer enabled) with JSON renderer. E.g.:
http://localhost.com/dir/page(selector value).json

2. Now, extend the URL with a slash (/) and a name with any other extension, e.g.:
http://localhost.com/dir/page.(value).json/file.html

3. Observe file.html was automatically downloaded

Credit: this issue was found by Md. Sabuktagin

  was:
Steps to reproduce:
1. Render a page (Renderer enabled) with JSON renderer. E.g.:
http://localhost.com/dir/page(selector value).json

2. Now, extend the URL with a slash (/) and a name with any other extension, e.g.:
http://localhost.com/dir/page.(value).json/file.html

3. Observe file.html was automatically downloaded


> Wrong content/type in the Default JSON Renderer 
> 
>
> Key: SLING-7436
> URL: https://issues.apache.org/jira/browse/SLING-7436
> Project: Sling
>  Issue Type: Bug
>  Components: Servlets
>    Reporter: Antonio Sanso
>Priority: Major
>
> Steps to reproduce:
> 1. Render a page (Renderer enabled) with JSON renderer. E.g.:
> http://localhost.com/dir/page(selector value).json
> 2. Now, extend the URL with a slash (/) and a name with any other extension, e.g.:
> http://localhost.com/dir/page.(value).json/file.html
> 3. Observe file.html was automatically downloaded
> Credit: this issue was found by Md. Sabuktagin





[jira] [Updated] (SLING-7436) Wrong content/type in the Default JSON Renderer

2018-01-23 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7436?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso updated SLING-7436:
-
Description: 
Steps to reproduce:
1. Render a page (Renderer enabled) with JSON renderer. E.g.:
http://localhost.com/dir/page(selector value).json

2. Now, extend the URL with a slash (/) and a name with any other extension, e.g.:
http://localhost.com/dir/page.(value).json/file.html

3. Observe file.html was automatically downloaded

Credit: this issue was found by Md. Sabuktagin

  was:
Steps to reproduce:
1. Render a page (Renderer enabled) with JSON renderer. E.g.:
http://localhost.com/dir/page(selector value).json

2. Now, extend the URL with a slash (/) and a name with any other extension, e.g.:
http://localhost.com/dir/page.(value).json/file.html

3. Observe file.html was automatically downloaded

Credit: this issue was found by Md. Sabuktagin


> Wrong content/type in the Default JSON Renderer 
> 
>
> Key: SLING-7436
> URL: https://issues.apache.org/jira/browse/SLING-7436
> Project: Sling
>  Issue Type: Bug
>  Components: Servlets
>    Reporter: Antonio Sanso
>Priority: Major
>
> Steps to reproduce:
> 1. Render a page (Renderer enabled) with JSON renderer. E.g.:
> http://localhost.com/dir/page(selector value).json
> 2. Now, extend the URL with a slash (/) and a name with any other extension, e.g.:
> http://localhost.com/dir/page.(value).json/file.html
> 3. Observe file.html was automatically downloaded
> Credit: this issue was found by Md. Sabuktagin





[jira] [Created] (SLING-7436) Wrong content/type in the Default JSON Renderer

2018-01-23 Thread Antonio Sanso (JIRA)
Antonio Sanso created SLING-7436:


 Summary: Wrong content/type in the Default JSON Renderer 
 Key: SLING-7436
 URL: https://issues.apache.org/jira/browse/SLING-7436
 Project: Sling
  Issue Type: Bug
  Components: Servlets
Reporter: Antonio Sanso


Steps to reproduce:
1. Render a page (Renderer enabled) with JSON renderer. E.g.:
http://localhost.com/dir/page(selector value).json

2. Now, extend the URL with a slash (/) and a name with any other extension, e.g.:
http://localhost.com/dir/page.(value).json/file.html

3. Observe file.html was automatically downloaded





CVE-2017-15700 - Apache Sling Authentication Service vulnerability

2017-12-18 Thread Antonio Sanso
Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Sling Authentication Service 1.4.0

Description:
A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid method allows 
an attacker, through the Sling login form, to trick a victim into sending over 
their credentials.

Mitigation:
Users should upgrade to version 1.4.2 or later of the Apache Sling 
Authentication Service module

Credit:
François Lajeunesse-Robert
 

[jira] [Updated] (SLING-7157) metatype.properties file must not be in OSGI-INF/metatype

2017-12-18 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7157?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso updated SLING-7157:
-
Fix Version/s: (was: Auth Core 1.4.2)
   Auth Core 1.4.4

> metatype.properties file must not be in OSGI-INF/metatype
> -
>
> Key: SLING-7157
> URL: https://issues.apache.org/jira/browse/SLING-7157
> Project: Sling
>  Issue Type: Bug
>Affects Versions: JCR Web Console 1.0.2, JCR Registration 1.0.2, JCR 
> ClassLoader 3.2.2, Form Based Authentication 1.0.8, Settings 1.3.8, Commons 
> Threads 3.2.6, Auth Core 1.4.0, SLF4J MDC Filter 1.0.0, Authentication XING 
> OAuth 0.0.2, Authentication XING Login 0.0.2, URL Rewriter 0.0.2, DataSource 
> Provider 1.0.4, NoSQL MongoDB Resource Provider 1.1.0, Commons Log 5.0.2, 
> Discovery Impl 1.2.12, Discovery Oak 1.2.18, JCR Davex 1.3.8, JCR Webdav 
> 2.3.8, JCR Installer 3.1.26
>Reporter: Carsten Ziegeler
>Priority: Blocker
> Fix For: JCR Web Console 1.0.4, JCR ClassLoader 3.2.4, Form Based 
> Authentication 1.0.10, Settings 1.3.10, Auth Core 1.4.4, Mongo Resource 
> Provider 1.0.0, Authentication XING OAuth 0.0.4, Authentication XING Login 
> 0.0.4, DataSource Provider 1.0.4, URL Rewriter 0.0.4, Commons Log 5.1.0, 
> Commons Threads 3.2.10, SLF4J MDC Filter 1.0.2, JCR Webdav 2.3.10, JCR 
> Installer 3.1.28, Discovery Impl 1.2.14, Discovery Oak 1.2.24, JCR Davex 
> 1.3.12
>
>
> According to the spec the metatype.properties file must not be inside the 
> OSGI-INF/metatype directory. This is against the spec, so we should move it 
> to OSGI-INF/l10n
> We probably should also upgrade the maven-scr-plugin for this 1.25.0
> I found the following files:
> ./bundles/auth/core/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./bundles/auth/form/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./bundles/commons/log/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./bundles/commons/threads/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./bundles/extensions/discovery/impl/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./bundles/extensions/discovery/oak/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./bundles/extensions/settings/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./bundles/jcr/classloader/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./bundles/jcr/davex/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./bundles/jcr/registration/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./bundles/jcr/webconsole/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./bundles/jcr/webdav/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./contrib/auth/org.apache.sling.auth.xing.login/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./contrib/auth/org.apache.sling.auth.xing.oauth/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./contrib/extensions/datasource/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./contrib/extensions/mongodb/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./contrib/extensions/slf4j-mdc/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./contrib/extensions/startup-filter/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./contrib/extensions/urlrewriter/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./installer/providers/jcr/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./samples/path-based-rtp/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./samples/workspacepicker/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./testing/junit/core/src/main/resources/OSGI-INF/metatype/metatype.properties
> ./testing/junit/healthcheck/src/main/resources/OSGI-INF/metatype/metatype.properties





[jira] [Closed] (SLING-7243) Improve validation in AuthUtil.isRedirectValid

2017-12-18 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso closed SLING-7243.


> Improve validation in AuthUtil.isRedirectValid
> --
>
> Key: SLING-7243
> URL: https://issues.apache.org/jira/browse/SLING-7243
> Project: Sling
>  Issue Type: Bug
>  Components: Authentication
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Minor
> Fix For: Auth Core 1.4.2
>
>
> The validation in {{AuthUtil.isRedirectValid}} might be improved.





[RESULT][VOTE] Release Apache Sling Authentication Service 1.4.2

2017-12-18 Thread Antonio Sanso
the vote passed with 4 binding +1s


Re: [VOTE] Release Apache Sling Authentication Service 1.4.2

2017-12-18 Thread Antonio Sanso
+1
On Dec 15, 2017, at 8:13 AM, Antonio Sanso <asa...@adobe.com.INVALID> wrote:

> Hi,
> 
> We solved 1 issue in this release:
> 
> https://issues.apache.org/jira/browse/SLING-7243
> 
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-1837/
> 
> You can use this UNIX script to download the release and verify the 
> signatures:
> https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD
> 
> Usage:
> sh check_staged_release.sh 1837  /tmp/sling-staging
> 
> Please vote to approve this release:
> 
>  [ ] +1 Approve the release
>  [ ]  0 Don't care
>  [ ] -1 Don't release, because ...
> 
> This majority vote is open for at least 72 hours.



[VOTE] Release Apache Sling Authentication Service 1.4.2

2017-12-14 Thread Antonio Sanso
Hi,

We solved 1 issue in this release:
 
https://issues.apache.org/jira/browse/SLING-7243

Staging repository:
https://repository.apache.org/content/repositories/orgapachesling-1837/

You can use this UNIX script to download the release and verify the signatures:
https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD

Usage:
sh check_staged_release.sh 1837  /tmp/sling-staging

Please vote to approve this release:

  [ ] +1 Approve the release
  [ ]  0 Don't care
  [ ] -1 Don't release, because ...

This majority vote is open for at least 72 hours.

[jira] [Resolved] (SLING-7243) Improve validation in AuthUtil.isRedirectValid

2017-12-14 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso resolved SLING-7243.
--
   Resolution: Fixed
Fix Version/s: Auth Core 1.4.2

> Improve validation in AuthUtil.isRedirectValid
> --
>
> Key: SLING-7243
> URL: https://issues.apache.org/jira/browse/SLING-7243
> Project: Sling
>  Issue Type: Bug
>  Components: Authentication
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Minor
> Fix For: Auth Core 1.4.2
>
>
> The validation in {{AuthUtil.isRedirectValid}} might be improved.





[jira] [Commented] (SLING-7243) Improve validation in AuthUtil.isRedirectValid

2017-12-14 Thread Antonio Sanso (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-7243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16292129#comment-16292129
 ] 

Antonio Sanso commented on SLING-7243:
--

fixed in  015fe58b22e0625e9d88b687de50303db539482b

> Improve validation in AuthUtil.isRedirectValid
> --
>
> Key: SLING-7243
> URL: https://issues.apache.org/jira/browse/SLING-7243
> Project: Sling
>  Issue Type: Bug
>  Components: Authentication
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Minor
>
> The validation in {{AuthUtil.isRedirectValid}} might be improved.





Re: value level encryption - Donating?

2017-12-05 Thread Antonio Sanso
hi Jason,
firstly I really want to thank you for this great effort. 
I was more than happy to give a quick look at this solution and provide some 
feedback.
Unluckily, though, I do not have any free cycles at this moment to give this 
donation the attention it deserves.
If any of the other committers would like to step up, they are more than welcome 
to continue with the donation process.
Another option would be to keep this code on GitHub (as you already noticed, 
Sling migrated to git and is highly modularized in any case).

regards

antonio

On Dec 4, 2017, at 3:55 PM, Jason Bailey <jason.bai...@sas.com> wrote:

> Hi Antonio,
> 
> I added a couple of things to the repository based on your feedback. The 
> primary change was the addition of a key provider that would allow you to 
> separate the management and the storage of secret keys away from the 
> encryption provider. I also added two implementations of that service as 
> well. One which utilizes the java keystore and the other which provides you 
> the ability to define keys in the OSGi Configuration. The secondary one being 
> useful for testing and for environments where you don't have access to the 
> filesystem. I will most likely be implementing another variant to integrate 
> with the thycotic secret server.
> 
> To support Key rotation, I added additional identifying bytes after the IV 
> that is used by the KeyProvider to provide the correct key for decryption. 
> While all encryption processes are done with the KeyProvider's primary key. 
> 
> Example of how this would work: I am using a KeyProvider with a primary key 
> for 6 months. As part of a Security Policy this needs to be changed. I then 
> take the existing primary key and add it to the secondary list and provide a 
> new key as primary. At this point all new encryptions will occur with the 
> primary key, however I will still be able to access the older encrypted 
> messages as well. To update the older keys with the new key, it's a matter of 
> iterating over the stored encrypted resources with the EncryptableValueMap 
> and using the encrypt(propertyName) method.  Which will re-encrypt the 
> property with the new primary.
> 
> I'm running with the AES/GCM because it provides the best overall security 
> and fits my use cases and the key rotation support should alleviate some 
> concerns as well.
> 
> -Jason
> 
> -Original Message-
> From: Antonio Sanso [mailto:asa...@adobe.com.INVALID] 
> Sent: Tuesday, November 21, 2017 5:37 AM
> To: dev@sling.apache.org
> Subject: Re: value level encryption - Donating?
> 
> EXTERNAL
> 
> hi Jason,
> 
> I basically see 3 options:
> 
> - ship with AES/CBC, which is ok but suboptimal
> - ship with AES-GCM, which is good but has the problem of the nonce highlighted 
> before. The key rotation would help, but then what do you do on rotation? 
> Decrypt all the encrypted values and re-encrypt with the new key... ?
> - Encrypt-then-MAC
> 
> I have also noted that the key is stored as OSGi configuration... This might 
> also be part of a bigger discussion
> 
> regards
> 
> antonio
> 
> On Nov 20, 2017, at 10:03 PM, Jason Bailey <jason.bai...@sas.com> wrote:
> 
>> It's all good. I have fewer meetings today than I normally would and the 
>> exercise was beneficial as it got me thinking about other potential vectors.
>> 
>> Since the key for this is configurable via the OSGi console I would have 
>> taken key rotation as being a business process exercise rather than a 
>> technical one. But I don't mind changing it, I'm having a lot of fun with 
>> this.
>> 
>> To make sure I'm on the same page. The direction right now is 
>> AES/CBC/PKCS5Padding but with encrypt and MAC?
>> 
>> -Original Message-
>> From: Antonio Sanso [mailto:asa...@adobe.com.INVALID]
>> Sent: Monday, November 20, 2017 3:07 PM
>> To: dev@sling.apache.org
>> Subject: Re: value level encryption - Donating?
>> 
>> EXTERNAL
>> 
>> hi Jason,
>> 
>> I get your point
>> On Nov 20, 2017, at 4:57 PM, Jason Bailey <jason.bai...@sas.com> wrote:
>> 
>>> Thanks Antonio. I had considered doing GCM, but I hesitated since it's not 
>>> listed as a standard transformation that a Java platform must support. As I 
>>> couldn't know what platform it would be running on I tried to be as much 
>>> OOTB as possible. That desire to be OOTB is also why it's 128bit. My idea 
>>> was to provide a generic level of encryption with the assumption that a 
>>> downstream implementer would/should implement the EncryptionProvider 
>>> service to the level of security their company requires.
>>> 

Re: [VOTE] Release Apache Sling Resource Resolver 1.5.32

2017-11-24 Thread Antonio Sanso
+1
On Nov 24, 2017, at 1:24 PM, Karl Pauls  wrote:

> I would like to call a vote on the following release,
> 
> Apache Sling Resource Resolver 1.5.32
> 
> We solved 3 issues in this release:
> https://issues.apache.org/jira/projects/SLING/versions/12341241
> 
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-1819/
> 
> You can use this UNIX script to download the release and verify the 
> signatures:
> http://svn.apache.org/repos/asf/sling/trunk/check_staged_release.sh
> 
> Usage:
> sh check_staged_release.sh 1819 /tmp/sling-staging
> 
> Please vote to approve these releases:
> 
>  [ ] +1 Approve the releases
>  [ ]  0 Don't care
>  [ ] -1 Don't release, because ...



Re: [git] Retiring the old github.com/sling project

2017-11-23 Thread Antonio Sanso
+1
On Nov 23, 2017, at 10:30 AM, Robert Munteanu  wrote:

> Hi,
> 
> We discussed the 'old' github.com/sling mirror on and off, but never
> reached a conclusion.
> 
> Based on previous emails, I proposed that we:
> 
> - rename sling to sling-archive. Github will generate redirects so
> links are not lost, but the role of the repository is now clear
> - change the default branch to 'archived' ( see [1] ) so first-time
> visitors will not clone it or use it for meaningful work.
> 
> Thoughts?
> 
> Thanks,
> 
> Robert
> 
> [1]: https://github.com/apache/sling/tree/archived



Re: value level encryption - Donating?

2017-11-21 Thread Antonio Sanso
hi Jason,

I basically see 3 options:

- ship with AES/CBC, which is ok but suboptimal
- ship with AES-GCM, which is good but has the problem of the nonce highlighted 
before. The key rotation would help, but then what do you do on rotation? 
Decrypt all the encrypted values and re-encrypt with the new key… ?
- Encrypt-then-MAC 

I have also noted that the key is stored as OSGi configuration… This might also 
be part of a bigger discussion.

regards

antonio

On Nov 20, 2017, at 10:03 PM, Jason Bailey <jason.bai...@sas.com> wrote:

> It's all good. I have fewer meetings today than I normally would and the 
> exercise was beneficial as it got me thinking about other potential vectors.
> 
> Since the key for this is configurable via the OSGi console I would have 
> taken key rotation as being a business process exercise rather than a 
> technical one. But I don't mind changing it, I'm having a lot of fun with 
> this.
> 
> To make sure I'm on the same page. The direction right now is 
> AES/CBC/PKCS5Padding but with encrypt and MAC?
> 
> -Original Message-
> From: Antonio Sanso [mailto:asa...@adobe.com.INVALID] 
> Sent: Monday, November 20, 2017 3:07 PM
> To: dev@sling.apache.org
> Subject: Re: value level encryption - Donating?
> 
> EXTERNAL
> 
> hi Jason,
> 
> I get your point
> On Nov 20, 2017, at 4:57 PM, Jason Bailey <jason.bai...@sas.com> wrote:
> 
>> Thanks Antonio. I had considered doing GCM, but I hesitated since it's not 
>> listed as a standard transformation that a Java platform must support. As I 
>> couldn't know what platform it would be running on I tried to be as much 
>> OOTB as possible. That desire to be OOTB is also why it's 128bit. My idea 
>> was to provide a generic level of encryption with the assumption that a 
>> downstream implementer would/should implement the EncryptionProvider service 
>> to the level of security their company requires.
>> 
>> Saying that, if the desire is to have it GCM I will get that implemented.
> 
> Thanks a lot for taking this into consideration and speeding up the 
> implementation. You are right about AES GCM. On top of that there is also 
> another problem with it.
> AES GCM uses a nonce of 96 bits. It is vitally important to never reuse the 
> same nonce with the same key, otherwise the result is a real catastrophe 
> (cryptographically speaking).
> This implies, given the birthday paradox, that we need to rotate the key 
> after 2^48 encryptions. This is a pretty big number but, you know, the life of 
> the key can also be long.
> Hence, without key rotation, it probably wouldn't be good to ship with this 
> (now I am sorry you already jumped on it and implemented it, but I did not 
> think you would be so fast).
> 
> Another more conservative approach would be encrypt-then-MAC (or we can 
> simply keep AES/CBC as default).
> 
> An overall observation would be also that given the sensitive topic it would 
> be good to have a more extensive test suite for this feature...
> 
> my 2 cents
> 
> regards
> 
> antonio
> 
>> 
>> -Original Message-
>> From: Antonio Sanso [mailto:asa...@adobe.com.INVALID]
>> Sent: Monday, November 20, 2017 10:29 AM
>> To: dev@sling.apache.org
>> Subject: Re: value level encryption - Donating?
>> 
>> EXTERNAL
>> 
>> hi Jason,
>> 
>> thanks a lot for the donation.
>> I already commented on the issue, just pasting inline part of the 
>> comment though
>> 
>> On Nov 20, 2017, at 2:50 PM, Jason Bailey <jason.bai...@sas.com> wrote:
>> 
>>> So I'm just about done implementing this.
>>> 
>>> https://github.com/JEBailey/sling-encrypt
>>> 
>>> Value level encryption. IV is stored inline so there's no repetition. 
>>> Accessing encrypted data via the EncryptionValueMap will decode it 
>>> automatically on access and will handle automatically encrypting values if 
>>> an encrypted value is updated.
>>> 
>>> Only problem I had besides catching up on the last 15 years of 
>>> cryptography
>> 
>> I have seen you have used AES/CBC, which is not (extremely) bad. That said, if 
>> we really want to put this in Sling we'd better do things as the state of the 
>> art requires.
>> As a rule of thumb, you never (only) encrypt. You'd better add some integrity 
>> check mechanism (e.g. AES GCM or encrypt-then-MAC).
>> 
>> regards
>> 
>> antonio
>> 
>>> was that the downstream application I use has a non configurable whitelist 
>>> filter for post processors that contain an '@' So I had to make the post 
>>> processor configurable.
>>> 
>>> As mentioned earlier I wr

Re: value level encryption - Donating?

2017-11-20 Thread Antonio Sanso
hi Jason,

I get your point 
On Nov 20, 2017, at 4:57 PM, Jason Bailey <jason.bai...@sas.com> wrote:

> Thanks Antonio. I had considered doing GCM, but I hesitated since it's not 
> listed as a standard transformation that a Java platform must support. As I 
> couldn't know what platform it would be running on I tried to be as much OOTB 
> as possible. That desire to be OOTB is also why it's 128bit. My idea was to 
> provide a generic level of encryption with the assumption that a downstream 
> implementer would/should implement the EncryptionProvider service to the 
> level of security their company requires.
> 
> Saying that, if the desire is to have it GCM I will get that implemented.

Thanks a lot for taking this into consideration and speeding up the 
implementation. You are right about AES GCM. On top of that there is also 
another problem with it.
AES GCM uses a nonce of 96 bits. It is vitally important to never reuse the same 
nonce with the same key, otherwise the result is a real catastrophe 
(cryptographically speaking).
This implies, given the birthday paradox, that we need to rotate the key after 
2^48 encryptions. This is a pretty big number but, you know, the life of the key 
can also be long.
Hence, without key rotation, it probably wouldn't be good to ship with this (now I 
am sorry you already jumped on it and implemented it, but I did not think you 
would be so fast).

Another more conservative approach would be encrypt-then-MAC (or we can simply 
keep AES/CBC as default).

An overall observation would be also that given the sensitive topic it would be 
good to have a more extensive test suite for this feature…

my 2 cents

regards

antonio

> 
> -----Original Message-
> From: Antonio Sanso [mailto:asa...@adobe.com.INVALID] 
> Sent: Monday, November 20, 2017 10:29 AM
> To: dev@sling.apache.org
> Subject: Re: value level encryption - Donating?
> 
> EXTERNAL
> 
> hi Jason,
> 
> thanks a lot for the donation.
> I already commented on the issue, just pasting inline part of the comment 
> though
> 
> On Nov 20, 2017, at 2:50 PM, Jason Bailey <jason.bai...@sas.com> wrote:
> 
>> So I'm just about done implementing this.
>> 
>> https://github.com/JEBailey/sling-encrypt
>> 
>> Value level encryption. IV is stored inline so there's no repetition. 
>> Accessing encrypted data via the EncryptionValueMap will decode it 
>> automatically on access and will handle automatically encrypting values if 
>> an encrypted value is updated.
>> 
>> Only problem I had besides catching up on the last 15 years of 
>> cryptography
> 
> I have seen you have used AES/CBC, which is not (extremely) bad. That said, if 
> we really want to put this in Sling we'd better do things as the state of the 
> art requires.
> As a rule of thumb, you never (only) encrypt. You'd better add some integrity 
> check mechanism (e.g. AES GCM or encrypt-then-MAC).
> 
> regards
> 
> antonio
> 
>> was that the downstream application I use has a non configurable whitelist 
>> filter for post processors that contain an '@' So I had to make the post 
>> processor configurable.
>> 
>> As mentioned earlier I wrote this with the intention of donating. I tried to 
>> make it as easy as possible for it to be pulled into where it needs to go.
>> 
>> However I don't know the process for Donating. Can someone point me the way 
>> or to some documentation?
>> 
>> Thanks.
>> -Jason
>> 
>> -Original Message-
>> From: Justin Edelson [mailto:jus...@justinedelson.com]
>> Sent: Friday, November 03, 2017 3:37 PM
>> To: dev@sling.apache.org
>> Subject: Re: value level encryption
>> 
>> EXTERNAL
>> 
>> In AEM, posting encrypted properties to /etc/cloudservices is historically 
>> the primary use case for @Encrypted, but the PostProcessor applies to all 
>> post requests.
>> 
>> I think this would be a useful addition to Sling. We may want to have some 
>> kind of SPI to support different encryption schemes, but that's an 
>> implementation detail.
>> 
>> Regards,
>> Justin
>> 
>> 
>> On Fri, Nov 3, 2017 at 2:48 PM Jason Bailey <jason.bai...@sas.com> wrote:
>> 
>>> The only docs I can find on that, assuming we're talking AEM, 
>>> mention it only works for posting things into /etc/cloudservices. So 
>>> that's out.
>>> It's been a while, but I'm under the impression that all 
>>> implementations of the java platform now come with a certain level of 
>>> crypto
>>> 
>>> https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html
>>> 
>>> I'd probably add a configuration so you could define the level of 

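The nonce-collision argument in the message above and the key-rotation design Jason describes in his 5 December reply (quoted earlier in this archive: a key identifier stored with the IV, one primary key for all new encryptions, retired keys kept only for decryption, re-encryption to migrate old values), worked through as an added Go example; this is not code from sling-encrypt or from the Sling project. The KeyProvider type, the 4-byte key id prefix, the per-key encryption budget and the sample keys are this example's own assumptions, and Go's standard library stands in for the Java Cipher API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// nonceCollisionProbability is the birthday-bound estimate 1 - exp(-n(n-1)/2^(bits+1)) that n
// random nonces of the given width repeat; for 96-bit GCM nonces and n = 2^48 it is already ~0.39.
func nonceCollisionProbability(bits int, n float64) float64 {
	return 1 - math.Exp(-n*(n-1)/math.Pow(2, float64(bits+1)))
}

type keyedAEAD struct { // one AES-GCM instance plus a count of encryptions done with it
	aead  cipher.AEAD
	count uint64
}

// KeyProvider (hypothetical name, modelled on the thread's design) holds the primary key, used for
// every new encryption, plus retired keys kept only for decryption. Not safe for concurrent use.
type KeyProvider struct {
	primary uint32
	keys    map[uint32]*keyedAEAD
	limit   uint64 // encryptions permitted per key before rotation is mandatory
}

const hdrLen = 4 + 12 // stored layout: keyID (4) || nonce (12) || ciphertext || tag

// NewKeyProvider starts with a single primary key identified by id.
func NewKeyProvider(id uint32, key []byte, limit uint64) (*KeyProvider, error) {
	kp := &KeyProvider{keys: map[uint32]*keyedAEAD{}, limit: limit}
	if err := kp.Rotate(id, key); err != nil {
		return nil, err
	}
	return kp, nil
}

// Rotate makes key the new primary; the previous primary becomes a secondary key
// that is still accepted for decryption but never used to encrypt again.
func (kp *KeyProvider) Rotate(id uint32, key []byte) error {
	if _, dup := kp.keys[id]; dup {
		return errors.New("key id already in use")
	}
	block, err := aes.NewCipher(key) // 16, 24 or 32 byte AES key
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
	if err != nil {
		return err
	}
	kp.keys[id] = &keyedAEAD{aead: aead}
	kp.primary = id
	return nil
}

// Encrypt binds the key id as associated data, so it cannot be swapped undetected,
// and refuses to exceed the per-key budget that keeps nonce collisions out of reach.
func (kp *KeyProvider) Encrypt(plaintext []byte) ([]byte, error) {
	k := kp.keys[kp.primary]
	if k.count >= kp.limit {
		return nil, errors.New("primary key exhausted: rotate before encrypting again")
	}
	k.count++
	kid := make([]byte, 4)
	binary.BigEndian.PutUint32(kid, kp.primary)
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, kid...), nonce...) // fresh buffer for Seal to extend
	return k.aead.Seal(out, nonce, plaintext, kid), nil
}

// Decrypt looks the key up by its stored id, so values under a retired key stay readable; migrating one is Decrypt then Encrypt.
func (kp *KeyProvider) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < hdrLen {
		return nil, errors.New("ciphertext too short")
	}
	k, ok := kp.keys[binary.BigEndian.Uint32(blob[:4])]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	return k.aead.Open(nil, blob[4:hdrLen], blob[hdrLen:], blob[:4])
}

func main() {
	key := make([]byte, 32) // constructed sample key, not for real use
	rand.Read(key)
	kp, _ := NewKeyProvider(1, key, 1<<32)
	blob, _ := kp.Encrypt([]byte("card number"))
	pt, err := kp.Decrypt(blob)
	fmt.Println(string(pt), err, nonceCollisionProbability(96, math.Pow(2, 48)))
}
```
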
Re: value level encryption - Donating?

2017-11-20 Thread Antonio Sanso
hi Jason,

thanks a lot for the donation.
I already commented on the issue, just pasting inline part of the comment though

On Nov 20, 2017, at 2:50 PM, Jason Bailey  wrote:

> So I'm just about done implementing this.
> 
> https://github.com/JEBailey/sling-encrypt
> 
> Value level encryption. IV is stored inline so there's no repetition. 
> Accessing encrypted data via the EncryptionValueMap will decode it 
> automatically on access and will handle automatically encrypting values if an 
> encrypted value is updated.
> 
> Only problem I had besides catching up on the last 15 years of cryptography

I have seen you have used AES/CBC, which is not (extremely) bad. That said, if we 
really want to put this in Sling we'd better do things as the state of the art 
requires.
As a rule of thumb, you never (only) encrypt. You'd better add some integrity 
check mechanism (e.g. AES GCM or encrypt-then-MAC).
 
regards

antonio

> was that the downstream application I use has a non configurable whitelist 
> filter for post processors that contain an '@' So I had to make the post 
> processor configurable.
> 
> As mentioned earlier I wrote this with the intention of donating. I tried to 
> make it as easy as possible for it to be pulled into where it needs to go.
> 
> However I don't know the process for Donating. Can someone point me the way 
> or to some documentation?
> 
> Thanks.
> -Jason
> 
> -Original Message-
> From: Justin Edelson [mailto:jus...@justinedelson.com] 
> Sent: Friday, November 03, 2017 3:37 PM
> To: dev@sling.apache.org
> Subject: Re: value level encryption
> 
> EXTERNAL
> 
> In AEM, posting encrypted properties to /etc/cloudservices is historically 
> the primary use case for @Encrypted, but the PostProcessor applies to all 
> post requests.
> 
> I think this would be a useful addition to Sling. We may want to have some 
> kind of SPI to support different encryption schemes, but that's an 
> implementation detail.
> 
> Regards,
> Justin
> 
> 
> On Fri, Nov 3, 2017 at 2:48 PM Jason Bailey  wrote:
> 
>> The only docs I can find on that, assuming we're talking AEM, 
>> mention it only works for posting things into /etc/cloudservices. So that's 
>> out.
>> It's been a while, but I'm under the impression that all 
>> implementations of the java platform now come with a certain level of 
>> crypto
>> 
>> https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html
>> 
>> I'd probably add a configuration so you could define the level of 
>> cryptography, and then that would allow people who needed a higher 
>> level to install their own providers. Is this something that Sling 
>> would be interested in? Since I'm going to be writing this, if you're 
>> interested, I'd rather write it with the intent of directly donating it.
>> 
>> 
>> 
>> -Original Message-
>> From: Justin Edelson [mailto:jus...@justinedelson.com]
>> Sent: Friday, November 03, 2017 1:35 PM
>> To: dev@sling.apache.org
>> Subject: Re: value level encryption
>> 
>> EXTERNAL
>> 
>> We have this in our commercial product. At a high level, the way it 
>> works is that there is a PostProcessor which looks for an @Encrypted 
>> postfixed property and, if that is present, the corresponding property 
>> is stored in an encrypted fashion. Decryption is all done manually, 
>> although personally the idea of an EncryptionValueMap seems really cool to 
>> me.
>> 
>> I believe the challenge in bringing this into Sling relates to the 
>> encryption libraries.
>> 
>> On Fri, Nov 3, 2017 at 8:45 AM Jason Bailey  wrote:
>> 
>>> Here's the use case
>>> 
>>> My organization has decided that to conform to the GDPR, any 
>>> sensitive data should be encrypted while at rest. From a Sling 
>>> perspective that is a challenge since we've empowered the authors to 
>>> create forms the way they want. So to be on the safe side, we're 
>>> looking at encrypting all form fields as they are persisted, and 
>>> then decrypting the values from the resource when we need to process 
>>> them.
>>> 
>>> Now I'm thinking of an EncryptionValueMap that will simplify this 
>>> process and encapsulate the functionality. You guys are usually 
>>> ahead of me when I come up with this stuff and I don't like 
>>> replicating effort. So is there any functionality currently or 
>>> planned to handle encryption of resource values?
>>> 
>>> Thanks
>>> Jason
>>> 
>> 



[jira] [Commented] (SLING-7255) Donating Sling Resource Encryption Utils

2017-11-20 Thread Antonio Sanso (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-7255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16259339#comment-16259339
 ] 

Antonio Sanso commented on SLING-7255:
--

[~jebailey] thanks for your donation.

Without going too deep into the API layer (other people might comment on it), 
IMHO it would be best to use some form of authenticated encryption rather than 
AES/CBC. 

As a rule of thumb you never (only) encrypt. You'd better add some integrity 
check mechanism (e.g. AES GCM or encrypt-then-MAC).

> Donating Sling Resource Encryption Utils
> 
>
> Key: SLING-7255
> URL: https://issues.apache.org/jira/browse/SLING-7255
> Project: Sling
>  Issue Type: Task
>Reporter: Jason E Bailey
> Attachments: sling-encrypt-0.0.1-beta.zip
>
>
> Issue to track donation of Sling resource encryption
> Codebase
> https://github.com/JEBailey/sling-encrypt
> source code is attached with sha1 checksum of 
> 717e84c0ec45191d14d93cebbe8795961b393610



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
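The comment above recommends authenticated encryption over plain AES/CBC. The following is an added example, not code from sling-encrypt or from Sling, showing concretely what goes wrong with unauthenticated CBC and how AES/GCM behaves on the same manipulation. It assumes a 128-bit AES key generated in-process (in a real deployment the key would come from a key store or provider configuration) and a storage layout where the IV or nonce is prepended to the ciphertext; both are choices made for the example, and the sample property value is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;

/**
 * Illustrative code (not part of Sling or sling-encrypt): why unauthenticated
 * AES/CBC is not enough for stored property values, and how AES/GCM rejects
 * the same manipulation.
 */
public class AuthenticatedEncryptionDemo {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int CBC_IV_LEN = 16;    // AES block size
    private static final int GCM_NONCE_LEN = 12; // recommended GCM nonce size
    private static final int GCM_TAG_BITS = 128;

    /** AES/CBC with a fresh random IV prepended. Confidentiality only, no integrity. */
    static byte[] cbcEncrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[CBC_IV_LEN];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return concat(iv, cipher.doFinal(plaintext));
    }

    static byte[] cbcDecrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key,
                new IvParameterSpec(Arrays.copyOfRange(blob, 0, CBC_IV_LEN)));
        return cipher.doFinal(blob, CBC_IV_LEN, blob.length - CBC_IV_LEN);
    }

    /** AES/GCM with a fresh random nonce prepended; the JCE appends the 128-bit tag. */
    static byte[] gcmEncrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[GCM_NONCE_LEN];
        RNG.nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        return concat(nonce, cipher.doFinal(plaintext));
    }

    /** Throws AEADBadTagException if nonce, ciphertext or tag were modified. */
    static byte[] gcmDecrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key,
                new GCMParameterSpec(GCM_TAG_BITS, Arrays.copyOfRange(blob, 0, GCM_NONCE_LEN)));
        return cipher.doFinal(blob, GCM_NONCE_LEN, blob.length - GCM_NONCE_LEN);
    }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(128);
        SecretKey key = keyGen.generateKey();

        // Constructed sample value; the digit we attack sits at offset 7 of the first block.
        byte[] value = "amount=00100;currency=EUR".getBytes(StandardCharsets.UTF_8);

        // CBC: flipping bits in the IV flips the same bits in the first plaintext block
        // (P1 = D(C1) XOR IV) and the receiver cannot tell. "00100" becomes "90100".
        byte[] cbc = cbcEncrypt(key, value);
        cbc[7] ^= ('0' ^ '9');
        String tampered = new String(cbcDecrypt(key, cbc), StandardCharsets.UTF_8);
        System.out.println("CBC decrypts the tampered blob to: " + tampered);

        // GCM: the same kind of edit (one bit of a ciphertext byte) fails the tag check.
        byte[] gcm = gcmEncrypt(key, value);
        gcm[GCM_NONCE_LEN + 7] ^= 0x01;
        try {
            gcmDecrypt(key, gcm);
            System.out.println("GCM accepted the tampered blob (must not happen)");
        } catch (AEADBadTagException e) {
            System.out.println("GCM rejected the tampered blob: " + e.getMessage());
        }
    }
}
```

Two points a practitioner should keep in mind with the GCM variant: a nonce must never repeat under the same key (random 96-bit nonces are fine for the volumes a content repository sees, but a counter or key rotation is needed at very high volumes), and if a JCE provider without GCM has to be supported, the equivalent fallback is encrypt-then-MAC: HMAC over IV plus ciphertext, verified with a constant-time comparison before any decryption is attempted.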


[jira] [Updated] (SLING-7244) Correct require capability for http whiteboard

2017-11-20 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7244?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso updated SLING-7244:
-
Fix Version/s: (was: Security 1.1.8)
   Security 1.1.10

> Correct require capability for http whiteboard
> --
>
> Key: SLING-7244
> URL: https://issues.apache.org/jira/browse/SLING-7244
> Project: Sling
>  Issue Type: Bug
>  Components: Engine, Extensions
>Affects Versions: i18n 2.5.8, Feature Flags 1.2.0, Engine 2.6.8, Security 
> 1.1.6
>Reporter: Carsten Ziegeler
>Assignee: Carsten Ziegeler
> Fix For: Feature Flags 1.2.2, Engine 2.6.10, Security 1.1.10, 
> i18n 2.5.10
>
>
> The require capability should not use a fixed version but a version range, 
> otherwise it will not resolve once we update the http implementation





[jira] [Closed] (SLING-7219) Add scope forward to ContentDispositionFilter

2017-11-20 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7219?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso closed SLING-7219.


> Add scope forward to ContentDispositionFilter
> -
>
> Key: SLING-7219
> URL: https://issues.apache.org/jira/browse/SLING-7219
> Project: Sling
>  Issue Type: Improvement
>  Components: Extensions
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Minor
> Fix For: Security 1.1.8
>
>
> The {{ContentDispositionFilter}} sets the  filter scope to request
> {code}
> @Component(property={"sling.filter.scope=request", 
> "service.ranking:Integer=25000"})
> {code}
> it would be good to add as well the scope forward





[RESULT][VOTE] Release Apache Sling Security 1.1.8

2017-11-20 Thread Antonio Sanso
The vote passed with 4 binding +1s

regards

antonio



Re: [ANN] New Apache Sling PMC Chair: Robert Munteanu

2017-11-16 Thread Antonio Sanso
+1
On Nov 16, 2017, at 3:27 PM, Karl Pauls  wrote:

> +1
> 
> Congrats Robert!
> 
> regards,
> 
> Karl
> 
> On Thu, Nov 16, 2017 at 3:25 PM, Carsten Ziegeler  
> wrote:
>> Hi,
>> 
>> it's my pleasure to announce that Robert took up the role as our new PMC
>> chair.
>> 
>> Congrats Robert!
>> 
>> Regards
>> Carsten
>> --
>> Carsten Ziegeler
>> Adobe Research Switzerland
>> cziege...@apache.org
> 
> 
> 
> -- 
> Karl Pauls
> karlpa...@gmail.com



Re: [VOTE] Release Apache Sling Security 1.1.8

2017-11-16 Thread Antonio Sanso
+1
On Nov 15, 2017, at 2:20 PM, Antonio Sanso <asa...@adobe.com.INVALID> wrote:

> Hi,
> 
> We solved 2 issues in this release:
> https://issues.apache.org/jira/projects/SLING/versions/12341288
> 
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-1811/
> 
> You can use this UNIX script to download the release and verify the 
> signatures:
> http://svn.apache.org/repos/asf/sling/trunk/check_staged_release.sh
> 
> Usage:
> sh check_staged_release.sh 1811 /tmp/sling-staging
> 
> Please vote to approve this release:
> 
>  [ ] +1 Approve the release
>  [ ]  0 Don't care
>  [ ] -1 Don't release, because ...
> 
> This majority vote is open for at least 72 hours.



Re: [VOTE] Release Apache Sling JCR Davex 1.3.10

2017-11-16 Thread Antonio Sanso
+1
On Nov 16, 2017, at 1:07 PM, Karl Pauls  wrote:

> I would like to call a vote on the following release,
> 
> Apache Sling JCR Davex 1.3.10
> 
> We solved 2 issues in this release:
> https://issues.apache.org/jira/projects/SLING/versions/12339343
> 
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-1813/
> 
> You can use this UNIX script to download the release and verify the 
> signatures:
> http://svn.apache.org/repos/asf/sling/trunk/check_staged_release.sh
> 
> Usage:
> sh check_staged_release.sh 1813 /tmp/sling-staging
> 
> Please vote to approve these releases:
> 
>  [ ] +1 Approve the releases
>  [ ]  0 Don't care
>  [ ] -1 Don't release, because ...



[jira] [Created] (SLING-7243) Improve validation in AuthUtil.isRedirectValid

2017-11-15 Thread Antonio Sanso (JIRA)
Antonio Sanso created SLING-7243:


 Summary: Improve validation in AuthUtil.isRedirectValid
 Key: SLING-7243
 URL: https://issues.apache.org/jira/browse/SLING-7243
 Project: Sling
  Issue Type: Bug
  Components: Authentication
Reporter: Antonio Sanso
Assignee: Antonio Sanso
Priority: Minor


The validation in {{AuthUtil.isRedirectValid}} might be improved.





[VOTE] Release Apache Sling Security 1.1.8

2017-11-15 Thread Antonio Sanso
Hi,

We solved 2 issues in this release:
https://issues.apache.org/jira/projects/SLING/versions/12341288

Staging repository:
https://repository.apache.org/content/repositories/orgapachesling-1811/

You can use this UNIX script to download the release and verify the signatures:
http://svn.apache.org/repos/asf/sling/trunk/check_staged_release.sh

Usage:
sh check_staged_release.sh 1811 /tmp/sling-staging

Please vote to approve this release:

  [ ] +1 Approve the release
  [ ]  0 Don't care
  [ ] -1 Don't release, because ...

This majority vote is open for at least 72 hours.

Re: value level encryption

2017-11-12 Thread Antonio Sanso
hi Jason,

leaving aside the API design for a second and focusing on the mere crypto,
I would really be careful about what you are defining as default. AES ECB is 
almost equal to no encryption. Same as providing a fixed IV…

just saying…..
regards

antonio
On Nov 10, 2017, at 9:53 PM, Jason Bailey  wrote:

> Wanted to give a heads up in the direction I'm going with this.
> 
> https://github.com/JEBailey/sling-encrypt
> 
> CipherProvider is a service interface to provide pre-initialized Cipher 
> Objects for encoding and decoding content.
> EncryptionValueMap encompasses the functionality to encrypt and decrypt 
> specific fields, currently focusing on String and String[] value types. Put 
> and Get methods not implemented yet.
> EncryptionValueMapDecorator to wrap a map.
> 
> For the EncryptionValueMap, I'm recording the properties that are encrypted 
> in a separate property field, so that accessing those fields can be done 
> seamlessly from any place where you instantiate the EncryptionValueMap.
> 
> Feedback appreciated.
> 
> -Original Message-
> From: Justin Edelson [mailto:jus...@justinedelson.com] 
> Sent: Friday, November 03, 2017 3:37 PM
> To: dev@sling.apache.org
> Subject: Re: value level encryption
> 
> EXTERNAL
> 
> In AEM, posting encrypted properties to /etc/cloudservices is historically 
> the primary use case for @Encrypted, but the PostProcessor applies to all 
> post requests.
> 
> I think this would be a useful addition to Sling. We may want to have some 
> kind of SPI to support different encryption schemes, but that's an 
> implementation detail.
> 
> Regards,
> Justin
> 
> 
> On Fri, Nov 3, 2017 at 2:48 PM Jason Bailey  wrote:
> 
>> The only docs I can find on that, assuming we're talking AEM, 
>> mention it only works for posting things into /etc/cloudservices. So that's 
>> out.
>> It's been a while, but I'm under the impression that all 
>> implementations of the java platform now come with a certain level of 
>> crypto
>> 
>> https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html
>> 
>> I'd probably add a configuration so you could define the level of 
>> cryptography, and then that would allow people who needed a higher 
>> level to install their own providers. Is this something that Sling 
>> would be interested in? Since I'm going to be writing this, if you're 
>> interested, I'd rather write it with the intent of directly donating it.
>> 
>> 
>> 
>> -Original Message-
>> From: Justin Edelson [mailto:jus...@justinedelson.com]
>> Sent: Friday, November 03, 2017 1:35 PM
>> To: dev@sling.apache.org
>> Subject: Re: value level encryption
>> 
>> EXTERNAL
>> 
>> We have this in our commercial product. At a high level, the way it 
>> works is that there is a PostProcessor which looks for an @Encrypted 
>> postfixed property and, if that is present, the corresponding property 
>> is stored in an encrypted fashion. Decryption is all done manually, 
>> although personally the idea of an EncryptionValueMap seems really cool to 
>> me.
>> 
>> I believe the challenge in bringing this into Sling relates to the 
>> encryption libraries.
>> 
>> On Fri, Nov 3, 2017 at 8:45 AM Jason Bailey  wrote:
>> 
>>> Here's the use case
>>> 
>>> My organization has decided that to conform to the GDPR, any 
>>> sensitive data should be encrypted while at rest. From a Sling 
>>> perspective that is a challenge since we've empowered the authors to 
>>> create forms the way they want. So to be on the safe side, we're 
>>> looking at encrypting all form fields as they are persisted, and 
>>> then decrypting the values from the resource when we need to process 
>>> them.
>>> 
>>> Now I'm thinking of an EncryptionValueMap that will simplify this 
>>> process and encapsulate the functionality. You guys are usually 
>>> ahead of me when I come up with this stuff and I don't like 
>>> replicating effort. So is there any functionality currently or 
>>> planned to handle encryption of resource values?
>>> 
>>> Thanks
>>> Jason
>>> 
>> 
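The warning in the message above, that AES/ECB and a fixed IV are barely better than no encryption, is easy to demonstrate. The following is an added example, not code from sling-encrypt or from Sling, that encrypts constructed sample values under AES/ECB, under AES/CBC with a hard-coded all-zero IV, and under AES/CBC with a fresh random IV, and shows what someone with read access to the stored ciphertext learns in each case. The 128-bit key generated in-process and the sample values are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/**
 * Illustrative code (not part of Sling or sling-encrypt): what an observer of the
 * repository learns when values are stored under AES/ECB or AES/CBC with a fixed
 * IV, compared with CBC under a fresh random IV.
 */
public class WeakModesDemo {

    private static final int BLOCK = 16; // AES block size
    private static final SecureRandom RNG = new SecureRandom();

    /** Encrypts with the given transformation; pass iv == null for ECB. */
    static byte[] encrypt(String transformation, SecretKey key, byte[] iv, byte[] plaintext)
            throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(transformation);
        if (iv == null) {
            cipher.init(Cipher.ENCRYPT_MODE, key);
        } else {
            cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        }
        return cipher.doFinal(plaintext);
    }

    /** Number of distinct 16-byte ciphertext blocks; repeats reveal repeated plaintext blocks. */
    static int distinctBlocks(byte[] ciphertext) {
        Set<String> seen = new HashSet<>();
        for (int off = 0; off + BLOCK <= ciphertext.length; off += BLOCK) {
            seen.add(Arrays.toString(Arrays.copyOfRange(ciphertext, off, off + BLOCK)));
        }
        return seen.size();
    }

    /** True if two ciphertexts start with the same first block. */
    static boolean sameFirstBlock(byte[] a, byte[] b) {
        return Arrays.equals(Arrays.copyOf(a, BLOCK), Arrays.copyOf(b, BLOCK));
    }

    static byte[] randomIv() {
        byte[] iv = new byte[BLOCK];
        RNG.nextBytes(iv);
        return iv;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(128);
        SecretKey key = keyGen.generateKey();

        // Constructed sample: the same 16-byte field value stored three times in one property.
        String chunk = "SECRET-VALUE-16B"; // exactly one AES block
        byte[] repeated = (chunk + chunk + chunk).getBytes(StandardCharsets.UTF_8);

        // ECB: equal plaintext blocks give equal ciphertext blocks, so the structure leaks.
        byte[] ecb = encrypt("AES/ECB/PKCS5Padding", key, null, repeated);
        // CBC with a fresh IV: every ciphertext block differs.
        byte[] cbc = encrypt("AES/CBC/PKCS5Padding", key, randomIv(), repeated);
        System.out.println("ECB distinct blocks: " + distinctBlocks(ecb) + " of " + ecb.length / BLOCK);
        System.out.println("CBC distinct blocks: " + distinctBlocks(cbc) + " of " + cbc.length / BLOCK);

        // Fixed IV: two records sharing a 16-byte prefix produce the same first ciphertext
        // block, so an observer can see which stored values share that prefix (here a card
        // number), and identical values produce identical ciphertexts: an equality oracle.
        byte[] fixedIv = new byte[BLOCK]; // all zeros, as a hard-coded IV typically is
        byte[] rec1 = "card=4111111111111111;exp=12/25".getBytes(StandardCharsets.UTF_8);
        byte[] rec2 = "card=4111111111111111;exp=01/26".getBytes(StandardCharsets.UTF_8);
        boolean leakFixed = sameFirstBlock(
                encrypt("AES/CBC/PKCS5Padding", key, fixedIv, rec1),
                encrypt("AES/CBC/PKCS5Padding", key, fixedIv, rec2));
        boolean leakRandom = sameFirstBlock(
                encrypt("AES/CBC/PKCS5Padding", key, randomIv(), rec1),
                encrypt("AES/CBC/PKCS5Padding", key, randomIv(), rec2));
        System.out.println("Fixed IV, shared prefix visible: " + leakFixed);
        System.out.println("Random IV, shared prefix visible: " + leakRandom);
    }
}
```

The ECB run reports two distinct blocks out of four (three identical data blocks plus the PKCS5 padding block), the random-IV CBC run four out of four; the fixed-IV comparison reports true and the random-IV comparison false. Note that a random IV only fixes the confidentiality side; CBC without a MAC or an AEAD mode still leaves the ciphertext malleable.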



Re: [VOTE] Release Apache Sling API 2.16.4, JCR Resource Resolver 3.0.6, Default GET Servlets 2.1.29

2017-11-03 Thread Antonio Sanso
+1

On Nov 2, 2017, at 5:49 PM, Ian Boston  wrote:

> Hi,
> 
> I would like to call a vote on the following release,
> 
> Apache Sling API 2.16.4
> Apache Sling JCR Resource Resolver 3.0.6
> Apache Sling Default GET Servlets 2.1.29
> 
> We solved 11 issues in this release:
> https://issues.apache.org/jira/projects/SLING/versions/12338864
> https://issues.apache.org/jira/projects/SLING/versions/12341120
> https://issues.apache.org/jira/projects/SLING/versions/12340579
> 
> 
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-1805/
> You can use this UNIX script to download the release and verify the
> signatures:
> http://svn.apache.org/repos/asf/sling/trunk/check_staged_release.sh
> 
> Usage:
> sh check_staged_release.sh 1805 /tmp/sling-staging
> 
> Please vote to approve these releases:
> 
>  [ ] +1 Approve the releases
>  [ ]  0 Don't care
>  [ ] -1 Don't release, because ...
> 
> 
> Thanks
> Ian



Re: [VOTE] Release Apache Sling Service User Mapper 1.3.6

2017-11-03 Thread Antonio Sanso
+1
On Nov 2, 2017, at 5:15 PM, Karl Pauls  wrote:

> I would like to call a vote on the following release,
> 
> Apache Sling Service User Mapper 1.3.6
> 
> We solved 2 issues in this release:
> https://issues.apache.org/jira/projects/SLING/versions/12341841
> 
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-1804/
> 
> You can use this UNIX script to download the release and verify the 
> signatures:
> http://svn.apache.org/repos/asf/sling/trunk/check_staged_release.sh
> 
> Usage:
> sh check_staged_release.sh 1804 /tmp/sling-staging
> 
> Please vote to approve these releases:
> 
>  [ ] +1 Approve the releases
>  [ ]  0 Don't care
>  [ ] -1 Don't release, because ...



[jira] [Resolved] (SLING-7219) Add scope forward to ContentDispositionFilter

2017-10-27 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7219?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso resolved SLING-7219.
--
   Resolution: Fixed
Fix Version/s: Security 1.1.8

> Add scope forward to ContentDispositionFilter
> -
>
> Key: SLING-7219
> URL: https://issues.apache.org/jira/browse/SLING-7219
> Project: Sling
>  Issue Type: Improvement
>  Components: Extensions
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Minor
> Fix For: Security 1.1.8
>
>
> The {{ContentDispositionFilter}} sets the  filter scope to request
> {code}
> @Component(property={"sling.filter.scope=request", 
> "service.ranking:Integer=25000"})
> {code}
> it would be good to add as well the scope forward





[jira] [Commented] (SLING-7219) Add scope forward to ContentDispositionFilter

2017-10-27 Thread Antonio Sanso (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-7219?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1687#comment-1687
 ] 

Antonio Sanso commented on SLING-7219:
--

resolved in 6807642..640ae29

> Add scope forward to ContentDispositionFilter
> -
>
> Key: SLING-7219
> URL: https://issues.apache.org/jira/browse/SLING-7219
> Project: Sling
>  Issue Type: Improvement
>  Components: Extensions
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Minor
> Fix For: Security 1.1.8
>
>
> The {{ContentDispositionFilter}} sets the  filter scope to request
> {code}
> @Component(property={"sling.filter.scope=request", 
> "service.ranking:Integer=25000"})
> {code}
> it would be good to add as well the scope forward





[jira] [Commented] (SLING-7218) NPE in org.apache.sling.security.impl.ContentDispositionFilter#activate

2017-10-27 Thread Antonio Sanso (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-7218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16221908#comment-16221908
 ] 

Antonio Sanso commented on SLING-7218:
--

[~kwin] this seems to have been introduced in SLING-6316.

Before, the default value for {{contentDispostionExcludedPathsArray}} used to be 
{{""}}; now it is {{null}}.
How do you suggest handling this? Putting the default back to {{""}} or handling 
the {{null}} value?

> NPE in org.apache.sling.security.impl.ContentDispositionFilter#activate
> ---
>
> Key: SLING-7218
> URL: https://issues.apache.org/jira/browse/SLING-7218
> Project: Sling
>  Issue Type: Bug
>  Components: Extensions
>Reporter: Antonio Sanso
>Assignee: Antonio Sanso
>
> {noformat}
> 09.10.2017 07:05:55.216 *ERROR* [FelixStartLevel] org.apache.sling.security 
> [org.apache.sling.security.impl.ContentDispositionFilter(96)] The activate 
> method has thrown an exception (java.lang.NullPointerException)
> java.lang.NullPointerException: null
>  at java.util.Objects.requireNonNull(Objects.java:203)
>  at java.util.Arrays$ArrayList.(Arrays.java:3813)
>  at java.util.Arrays.asList(Arrays.java:3800)
> 09.10.2017 07:05:55.219 *ERROR* [FelixDispatchQueue] org.apache.sling.engine 
> FrameworkEvent ERROR (org.osgi.framework.ServiceException: Service factory 
> returned null. (Component: 
> org.apache.sling.security.impl.ContentDispositionFilter (96)))
> org.osgi.framework.ServiceException: Service factory returned null. 
> (Component: org.apache.sling.security.impl.ContentDispositionFilter (96))
>  at 
> org.apache.felix.framework.ServiceRegistrationImpl.getFactoryUnchecked(ServiceRegistrationImpl.java:380)
>  at 
> org.apache.felix.framework.ServiceRegistrationImpl.getService(ServiceRegistrationImpl.java:247)
>  at 
> org.apache.felix.framework.ServiceRegistry.getService(ServiceRegistry.java:350)
> {noformat}





[jira] [Created] (SLING-7219) Add scope forward to ContentDispositionFilter

2017-10-26 Thread Antonio Sanso (JIRA)
Antonio Sanso created SLING-7219:


 Summary: Add scope forward to ContentDispositionFilter
 Key: SLING-7219
 URL: https://issues.apache.org/jira/browse/SLING-7219
 Project: Sling
  Issue Type: Improvement
  Components: Extensions
Reporter: Antonio Sanso
Assignee: Antonio Sanso
Priority: Minor


The {{ContentDispositionFilter}} sets the  filter scope to request

{code}
@Component(property={"sling.filter.scope=request", 
"service.ranking:Integer=25000"})
{code}

it would be good to add as well the scope forward





[jira] [Assigned] (SLING-7218) NPE in org.apache.sling.security.impl.ContentDispositionFilter#activate

2017-10-25 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7218?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso reassigned SLING-7218:


Assignee: Antonio Sanso

> NPE in org.apache.sling.security.impl.ContentDispositionFilter#activate
> ---
>
> Key: SLING-7218
> URL: https://issues.apache.org/jira/browse/SLING-7218
> Project: Sling
>  Issue Type: Bug
>  Components: Extensions
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>
> {noformat}
> 09.10.2017 07:05:55.216 *ERROR* [FelixStartLevel] org.apache.sling.security 
> [org.apache.sling.security.impl.ContentDispositionFilter(96)] The activate 
> method has thrown an exception (java.lang.NullPointerException)
> java.lang.NullPointerException: null
>  at java.util.Objects.requireNonNull(Objects.java:203)
>  at java.util.Arrays$ArrayList.(Arrays.java:3813)
>  at java.util.Arrays.asList(Arrays.java:3800)
> 09.10.2017 07:05:55.219 *ERROR* [FelixDispatchQueue] org.apache.sling.engine 
> FrameworkEvent ERROR (org.osgi.framework.ServiceException: Service factory 
> returned null. (Component: 
> org.apache.sling.security.impl.ContentDispositionFilter (96)))
> org.osgi.framework.ServiceException: Service factory returned null. 
> (Component: org.apache.sling.security.impl.ContentDispositionFilter (96))
>  at 
> org.apache.felix.framework.ServiceRegistrationImpl.getFactoryUnchecked(ServiceRegistrationImpl.java:380)
>  at 
> org.apache.felix.framework.ServiceRegistrationImpl.getService(ServiceRegistrationImpl.java:247)
>  at 
> org.apache.felix.framework.ServiceRegistry.getService(ServiceRegistry.java:350)
> {noformat}





[jira] [Created] (SLING-7218) NPE in org.apache.sling.security.impl.ContentDispositionFilter#activate

2017-10-25 Thread Antonio Sanso (JIRA)
Antonio Sanso created SLING-7218:


 Summary: NPE in 
org.apache.sling.security.impl.ContentDispositionFilter#activate
 Key: SLING-7218
 URL: https://issues.apache.org/jira/browse/SLING-7218
 Project: Sling
  Issue Type: Bug
  Components: Extensions
Reporter: Antonio Sanso


{noformat}
09.10.2017 07:05:55.216 *ERROR* [FelixStartLevel] org.apache.sling.security 
[org.apache.sling.security.impl.ContentDispositionFilter(96)] The activate 
method has thrown an exception (java.lang.NullPointerException)
java.lang.NullPointerException: null
 at java.util.Objects.requireNonNull(Objects.java:203)
 at java.util.Arrays$ArrayList.(Arrays.java:3813)
 at java.util.Arrays.asList(Arrays.java:3800)
09.10.2017 07:05:55.219 *ERROR* [FelixDispatchQueue] org.apache.sling.engine 
FrameworkEvent ERROR (org.osgi.framework.ServiceException: Service factory 
returned null. (Component: 
org.apache.sling.security.impl.ContentDispositionFilter (96)))
org.osgi.framework.ServiceException: Service factory returned null. (Component: 
org.apache.sling.security.impl.ContentDispositionFilter (96))
 at 
org.apache.felix.framework.ServiceRegistrationImpl.getFactoryUnchecked(ServiceRegistrationImpl.java:380)
 at 
org.apache.felix.framework.ServiceRegistrationImpl.getService(ServiceRegistrationImpl.java:247)
 at 
org.apache.felix.framework.ServiceRegistry.getService(ServiceRegistry.java:350)
{noformat}





[jira] [Resolved] (SLING-7152) Unclosed ResourceResolver in org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2

2017-10-04 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7152?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso resolved SLING-7152.
--
Resolution: Duplicate

> Unclosed ResourceResolver in 
> org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2
> -
>
> Key: SLING-7152
> URL: https://issues.apache.org/jira/browse/SLING-7152
> Project: Sling
>  Issue Type: Bug
>  Components: Extensions
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Minor
>
> The SlingWebConsoleSecurityProvider handles the authentication but does not 
> register a servlet request listener to close the session at the end of the 
> request. 
> {noformat}
> 15.09.2017 18:07:59.044 *INFO* [Apache Sling Resource Resolver Finalizer 
> Thread] 
> org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl 
> Unclosed ResourceResolver was created here:
> java.lang.Exception: Opening Stacktrace
> at 
> org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl$ResolverReference.(CommonResourceResolverFactoryImpl.java:521)
> at 
> org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.register(CommonResourceResolverFactoryImpl.java:218)
> at 
> org.apache.sling.resourceresolver.impl.ResourceResolverImpl.(ResourceResolverImpl.java:101)
> at 
> org.apache.sling.resourceresolver.impl.ResourceResolverImpl.(ResourceResolverImpl.java:94)
> at 
> org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolverInternal(CommonResourceResolverFactoryImpl.java:263)
> at 
> org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolver(CommonResourceResolverFactoryImpl.java:173)
> at 
> org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFactoryImpl.java:105)
> at 
> org.apache.sling.auth.core.impl.SlingAuthenticator.getResolver(SlingAuthenticator.java:791)
> at 
> org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:506)
> at 
> org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:460)
> at 
> org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2.authenticate(SlingWebConsoleSecurityProvider2.java:69)
> at 
> org.apache.felix.webconsole.internal.servlet.OsgiManagerHttpContext.handleSecurity(OsgiManagerHttpContext.java:103)
> at 
> org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
> at 
> org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
> at 
> org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:128)
> at 
> org.apache.felix.http.base.internal.dispatch.DispatcherServlet.service(DispatcherServlet.java:49)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
> at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
> at 
> org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
> at 
> org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
> at 
> org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
> at 
> org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
> at 
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
> at 
> org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
> at 
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
> at org.eclipse.jetty.server.Server.handle(Server.java:499)
> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
> at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
> at 
> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
> at 
> org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
> at java.lang.Thread.run(Thread.java:745)
> {noformat}
> We should add this.





[jira] [Commented] (SLING-7152) Unclosed ResourceResolver in org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2

2017-10-03 Thread Antonio Sanso (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-7152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16189410#comment-16189410
 ] 

Antonio Sanso commented on SLING-7152:
--

[~cziegeler] of course you are right :S

how about this other (simpler) approach?

{code}
Index: 
src/main/java/org/apache/sling/extensions/webconsolesecurityprovider/internal/SlingWebConsoleSecurityProvider2.java
===
--- 
src/main/java/org/apache/sling/extensions/webconsolesecurityprovider/internal/SlingWebConsoleSecurityProvider2.java
 (revision 1810355)
+++ 
src/main/java/org/apache/sling/extensions/webconsolesecurityprovider/internal/SlingWebConsoleSecurityProvider2.java
 (working copy)
@@ -97,6 +97,12 @@
 @Override
 public void logout(HttpServletRequest request, HttpServletResponse 
response) {
 this.authenticator.logout(request, response);
+//SLING-7152
+Object resolverAttr = 
request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
+if (resolverAttr instanceof ResourceResolver) {
+((ResourceResolver) resolverAttr).close();
+
request.removeAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
+}
 }
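Review bot: closing the resolver in logout() covers only the explicit logout request; the resolver the issue's stack trace complains about is opened by authenticator.handleSecurity inside SlingWebConsoleSecurityProvider2.authenticate (SlingWebConsoleSecurityProvider2.java:69 in the trace) on every console request that passes through handleSecurity, and those still leak to the finalizer thread. Close it where it is opened instead: once authenticate() has obtained the user, close the resolver stored under AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER and remove the attribute, unless the console needs that resolver later in the request.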
{code}

> Unclosed ResourceResolver in 
> org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2
> -
>
> Key: SLING-7152
> URL: https://issues.apache.org/jira/browse/SLING-7152
> Project: Sling
>  Issue Type: Bug
>  Components: Extensions
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Minor
>
> The SlingWebConsoleSecurityProvider handles the authentication but does not 
> register a servlet request listener to close the session at the end of the 
> request. 
> {noformat}
> 15.09.2017 18:07:59.044 *INFO* [Apache Sling Resource Resolver Finalizer 
> Thread] 
> org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl 
> Unclosed ResourceResolver was created here:
> java.lang.Exception: Opening Stacktrace
> at 
> org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl$ResolverReference.(CommonResourceResolverFactoryImpl.java:521)
> at 
> org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.register(CommonResourceResolverFactoryImpl.java:218)
> at 
> org.apache.sling.resourceresolver.impl.ResourceResolverImpl.(ResourceResolverImpl.java:101)
> at 
> org.apache.sling.resourceresolver.impl.ResourceResolverImpl.(ResourceResolverImpl.java:94)
> at 
> org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolverInternal(CommonResourceResolverFactoryImpl.java:263)
> at 
> org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolver(CommonResourceResolverFactoryImpl.java:173)
> at 
> org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFactoryImpl.java:105)
> at 
> org.apache.sling.auth.core.impl.SlingAuthenticator.getResolver(SlingAuthenticator.java:791)
> at 
> org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:506)
> at 
> org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:460)
> at 
> org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2.authenticate(SlingWebConsoleSecurityProvider2.java:69)
> at 
> org.apache.felix.webconsole.internal.servlet.OsgiManagerHttpContext.handleSecurity(OsgiManagerHttpContext.java:103)
> at 
> org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
> at 
> org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
> at 
> org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:128)
> at 
> org.apache.felix.http.base.internal.dispatch.DispatcherServlet.service(DispatcherServlet.java:49)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
> at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
> at 
> org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
> at 
> org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
> at 
> org.eclipse.jetty.server.session.SessionHandler.doScope(Session

[jira] [Commented] (SLING-7152) Unclosed ResourceResolver in org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2

2017-10-02 Thread Antonio Sanso (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-7152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16188115#comment-16188115
 ] 

Antonio Sanso commented on SLING-7152:
--

{code}
Index: 
src/main/java/org/apache/sling/extensions/webconsolesecurityprovider/internal/AbstractWebConsoleSecurityProvider.java
===
--- 
src/main/java/org/apache/sling/extensions/webconsolesecurityprovider/internal/AbstractWebConsoleSecurityProvider.java
   (revision 1810355)
+++ 
src/main/java/org/apache/sling/extensions/webconsolesecurityprovider/internal/AbstractWebConsoleSecurityProvider.java
   (working copy)
@@ -23,8 +23,12 @@
 import java.util.Dictionary;
 import java.util.HashSet;
 import java.util.Set;
-
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletRequestEvent;
+import javax.servlet.ServletRequestListener;
 import org.apache.felix.webconsole.WebConsoleSecurityProvider;
+import org.apache.sling.api.resource.ResourceResolver;
+import org.apache.sling.auth.core.AuthenticationSupport;
 import org.osgi.service.cm.ConfigurationException;
 import org.osgi.service.cm.ManagedService;
 import org.slf4j.Logger;
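Review bot: the import block now pulls org.apache.sling.auth.core.AuthenticationSupport and org.apache.sling.api.resource.ResourceResolver into the abstract base class shared by both providers, which makes auth core a hard dependency of the repository-based SlingWebConsoleSecurityProvider as well (the last hunk registers that one with only a repository). If that provider is meant to stay usable without auth core, keep the listener logic in SlingWebConsoleSecurityProvider2. Style: the hunk also drops the blank line that separated the java.util imports from the javax and org groups; keep it.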
@@ -35,7 +39,7 @@
  * It handles the configuration of the service.
  */
 public abstract class AbstractWebConsoleSecurityProvider
-implements WebConsoleSecurityProvider, ManagedService {
+implements WebConsoleSecurityProvider, ManagedService, 
ServletRequestListener {
 
 // name of the property providing list of authorized users
 private static final String PROP_USERS = "users";
@@ -86,4 +90,19 @@
 }
 return groups;
 }
+
+@Override
+public void requestDestroyed(ServletRequestEvent sre) {
+ServletRequest request = sre.getServletRequest();
+Object resolverAttr = 
request.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
+if (resolverAttr instanceof ResourceResolver) {
+((ResourceResolver) resolverAttr).close();
+
request.removeAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
+}
+}
+
+@Override
+public void requestInitialized(ServletRequestEvent sre) {
+//nothing to do
+}
 }
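Review bot: in requestDestroyed the attribute is removed only after close() returns, so if close() throws, the stale ResourceResolver stays attached to the request and the finalizer warning from the issue can still fire; remove the attribute first (or put close() in a try/finally with the removeAttribute call in the finally block) so the cleanup is unconditional. A debug log line when a resolver is actually closed here would also make it easy to confirm the fix is taking effect.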
Index: 
src/main/java/org/apache/sling/extensions/webconsolesecurityprovider/internal/ServicesListener.java
===
--- 
src/main/java/org/apache/sling/extensions/webconsolesecurityprovider/internal/ServicesListener.java
 (revision 1810355)
+++ 
src/main/java/org/apache/sling/extensions/webconsolesecurityprovider/internal/ServicesListener.java
 (working copy)
@@ -22,7 +22,7 @@
 import java.util.Dictionary;
 import java.util.Hashtable;
 import java.util.concurrent.atomic.AtomicBoolean;
-
+import javax.servlet.ServletRequestListener;
 import org.apache.felix.webconsole.WebConsoleSecurityProvider;
 import org.apache.sling.launchpad.api.StartupListener;
 import org.apache.sling.launchpad.api.StartupMode;
@@ -171,7 +171,7 @@
 props.put(Constants.SERVICE_DESCRIPTION, "Apache Sling Web Console 
Security Provider 2");
 props.put(Constants.SERVICE_VENDOR, "The Apache Software Foundation");
 this.provider2Reg = this.bundleContext.registerService(
-new String[] {ManagedService.class.getName(), 
WebConsoleSecurityProvider.class.getName()},
+new String[] {ManagedService.class.getName(), 
WebConsoleSecurityProvider.class.getName(), 
ServletRequestListener.class.getName()},
   new SlingWebConsoleSecurityProvider2(authSupport, 
authenticator), props);
 this.registrationState = State.PROVIDER2;
 }
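Review bot: registering the provider under ServletRequestListener.class.getName() with no Http Whiteboard properties is unlikely to be enough: the OSGi Http Whiteboard only attaches listener services that carry osgi.http.whiteboard.listener=true, and a listener without an osgi.http.whiteboard.context.select filter binds to the default servlet context, whereas the web console is set up through HttpService with its own HttpContext. Please add the listener property, check which context selection (if any) the Felix HTTP version in use needs for the console's context, and verify against a console request that the "Unclosed ResourceResolver" warning from the issue no longer appears.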
@@ -182,7 +182,7 @@
 props.put(Constants.SERVICE_DESCRIPTION, "Apache Sling Web Console 
Security Provider");
 props.put(Constants.SERVICE_VENDOR, "The Apache Software Foundation");
 this.providerReg = this.bundleContext.registerService(
-new String[] {ManagedService.class.getName(), 
WebConsoleSecurityProvider.class.getName()}, new 
SlingWebConsoleSecurityProvider(repository), props);
+new String[] {ManagedService.class.getName(), 
WebConsoleSecurityProvider.class.getName(), 
ServletRequestListener.class.getName()}, new 
SlingWebConsoleSecurityProvider(repository), props);
 this.registrationState = State.PROVIDER;
 }
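Review bot: this registration repeats the three-element interface array from the provider2 registration above; pull it into one private static final String[] constant so the two registrations cannot drift apart, and the same whiteboard listener properties are needed here as well.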
{code}

attaching patch. [~cziegeler] WDYT?

> Unclosed ResourceResolver in 
> org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2
> -
>
> Key: SLING-7152
> URL: https://issues.apache.org/jira/browse/SLING-7152
> Project: Sling
>  Issue Type: Bug
>  Components: E

[jira] [Created] (SLING-7152) Unclosed ResourceResolver in org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2

2017-09-26 Thread Antonio Sanso (JIRA)
Antonio Sanso created SLING-7152:


 Summary: Unclosed ResourceResolver in 
org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2
 Key: SLING-7152
 URL: https://issues.apache.org/jira/browse/SLING-7152
 Project: Sling
  Issue Type: Bug
  Components: Extensions
Reporter: Antonio Sanso
Priority: Minor


The SlingWebConsoleSecurityProvider is handling the authentication but it is 
not registering a servlet request listener to close the session at the end of 
the request. 

{noformat}
15.09.2017 18:07:59.044 *INFO* [Apache Sling Resource Resolver Finalizer Thread] org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl Unclosed ResourceResolver was created here:
java.lang.Exception: Opening Stacktrace
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl$ResolverReference.<init>(CommonResourceResolverFactoryImpl.java:521)
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.register(CommonResourceResolverFactoryImpl.java:218)
at org.apache.sling.resourceresolver.impl.ResourceResolverImpl.<init>(ResourceResolverImpl.java:101)
at org.apache.sling.resourceresolver.impl.ResourceResolverImpl.<init>(ResourceResolverImpl.java:94)
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolverInternal(CommonResourceResolverFactoryImpl.java:263)
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolver(CommonResourceResolverFactoryImpl.java:173)
at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFactoryImpl.java:105)
at org.apache.sling.auth.core.impl.SlingAuthenticator.getResolver(SlingAuthenticator.java:791)
at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:506)
at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:460)
at org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2.authenticate(SlingWebConsoleSecurityProvider2.java:69)
at org.apache.felix.webconsole.internal.servlet.OsgiManagerHttpContext.handleSecurity(OsgiManagerHttpContext.java:103)
at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:128)
at org.apache.felix.http.base.internal.dispatch.DispatcherServlet.service(DispatcherServlet.java:49)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:745)
{noformat}


We should add this.
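As an added example (not code from the issue or from Sling), a small Python triage script for this finalizer warning: it parses "Unclosed ResourceResolver was created here:" events from an error.log, walks the "Opening Stacktrace" and attributes each leak to the first frame outside the resolver and auth-core plumbing, which for the trace above is SlingWebConsoleSecurityProvider2.authenticate rather than the factory that logged it. The sample log is constructed: the first event is a shortened copy of the trace above, the second event and its com.example.MyServlet frame are invented for contrast.

```python
"""Triage Sling "Unclosed ResourceResolver" finalizer warnings.

Added example, not from the Jira issue or Sling: attributes each warning to the
code that obtained the resolver and never closed it.
"""
import re
from collections import Counter

# Frames from these packages are plumbing; the first frame outside them is
# treated as the code that requested the resolver and failed to close it.
INFRA_PREFIXES = (
    "org.apache.sling.resourceresolver.",
    "org.apache.sling.auth.core.",
)
WARNING_MARKER = "Unclosed ResourceResolver was created here:"
FRAME_RE = re.compile(
    r"^\s*at\s+(?P<cls>[\w$.]+)\.(?P<method>[\w$<>]+)\((?P<loc>[^)]*)\)\s*$"
)


def parse_unclosed_resolver_events(log_text):
    """Return one dict per warning: {'timestamp': str, 'frames': [(cls, method, loc)]}."""
    events = []
    frames = None  # non-None while inside an "Opening Stacktrace"
    for line in log_text.splitlines():
        if WARNING_MARKER in line:
            frames = []
            # the warning line starts with the timestamp, then " *INFO* ..."
            events.append({"timestamp": line.split(" *")[0], "frames": frames})
            continue
        if frames is None:
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append((m.group("cls"), m.group("method"), m.group("loc")))
        elif line.startswith("java.lang.Exception"):
            continue  # synthetic exception header that introduces the trace
        else:
            frames = None  # anything else ends the trace
    return events


def leak_origin(frames):
    """First non-plumbing frame as 'Class.method(File.java:N)', or None."""
    for cls, method, loc in frames:
        if not cls.startswith(INFRA_PREFIXES):
            return f"{cls}.{method}({loc})"
    return None


def summarize(log_text):
    """Count warnings per leak origin across a whole log."""
    events = parse_unclosed_resolver_events(log_text)
    return Counter(leak_origin(e["frames"]) for e in events)


# Constructed sample: first event shortened from SLING-7152, second invented.
SAMPLE_LOG = """\
15.09.2017 18:07:59.044 *INFO* [Apache Sling Resource Resolver Finalizer Thread] org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl Unclosed ResourceResolver was created here:
java.lang.Exception: Opening Stacktrace
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl$ResolverReference.<init>(CommonResourceResolverFactoryImpl.java:521)
at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFactoryImpl.java:105)
at org.apache.sling.auth.core.impl.SlingAuthenticator.getResolver(SlingAuthenticator.java:791)
at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:460)
at org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2.authenticate(SlingWebConsoleSecurityProvider2.java:69)
at org.apache.felix.webconsole.internal.servlet.OsgiManagerHttpContext.handleSecurity(OsgiManagerHttpContext.java:103)

15.09.2017 18:08:01.100 *INFO* [Apache Sling Resource Resolver Finalizer Thread] org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl Unclosed ResourceResolver was created here:
java.lang.Exception: Opening Stacktrace
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl$ResolverReference.<init>(CommonResourceResolverFactoryImpl.java:521)
at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFactoryImpl.java:105)
at com.example.MyServlet.doGet(MyServlet.java:42)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
"""
```

Run `summarize(SAMPLE_LOG).most_common()` to get the per-origin counts; on a real error.log the origins with the highest counts are the request paths that need a closing listener like the one in the patch.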



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Assigned] (SLING-7152) Unclosed ResourceResolver in org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2

2017-09-26 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7152?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso reassigned SLING-7152:


Assignee: Antonio Sanso

> Unclosed ResourceResolver in 
> org.apache.sling.extensions.webconsolesecurityprovider.internal.SlingWebConsoleSecurityProvider2
> -
>
> Key: SLING-7152
> URL: https://issues.apache.org/jira/browse/SLING-7152
> Project: Sling
>  Issue Type: Bug
>  Components: Extensions
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
>Priority: Minor
>
> The SlingWebConsoleSecurityProvider is handling the authentication but it 
> is not registering a servlet request listener to close the session at the end 
> of the request. 
> We should add this.





Re: Mappings and Authentication

2017-09-21 Thread Antonio Sanso
hi Lars,

thanks a lot for your mail.

FWIW this was already discussed in 
https://issues.apache.org/jira/browse/SLING-6394

regards

antonio

On Sep 21, 2017, at 10:39 AM, Lars Krapf  wrote:

> Hello list
> 
> IIUC the Sling Authenticator chooses an authentication handler based on
> the request path, and *not* on the mapped path.
> 
> So (please correct me if I'm wrong), it seems not possible to have two
> different internalRedirects from domain-names to sub-paths, which are
> covered by two different authentication handlers.
> 
> E.g.
> 
> + /etc/map/http/bla.4502
>  - sling:internalRedirect = /content/bla
> + /etc/map/http/fasel.4502
>  - sling:internalRedirect = /content/fasel
> 
> with two different authentication handlers, one registered for
> /content/bla and one for /content/fasel is *not* possible, correct?
> 
> Now, two questions
> 
> a) what is the reasoning behind having the authenticator select handlers
> *before* the mapping
> b) is it possible to make this work somehow?
> 
> Also, to me, this slightly smells of a privilege escalation.
> Say I have write access to /etc/map, I will be able to change
> authentication handlers for an arbitrary sub-path, potentially disabling
> authentication altogether (by mapping a path without authentication
> requirements to the target path). Of course, in most cases this will not
> achieve anything, because you still won't have access to the resources,
> but it does seem a little "shady" at least. No?
> 
> 
> Thanks for your thoughts
> Lars



Re: [VOTE] Release Apache Sling Security 1.1.6

2017-08-06 Thread Antonio Sanso
+1
On Aug 4, 2017, at 2:47 PM, Carsten Ziegeler  wrote:

> Hi,
> We solved 1 issues in this release:
> 
> https://issues.apache.org/jira/browse/SLING-7030
> 
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-1762/
> You can use this UNIX script to download the release and verify the
> signatures:
> http://svn.apache.org/repos/asf/sling/trunk/check_staged_release.sh
> Usage:
> sh check_staged_release.sh 1762 /tmp/sling-staging
> 
> Please vote to approve this release:
> 
> [ ] +1 Approve the release
> [ ] 0 Don't care
> [ ] -1 Don't release, because ...
> 
> This majority vote is open for at least 72 hours.
> 
> Thanks,
> Carsten
> -- 
> Carsten Ziegeler
> Adobe Research Switzerland
> cziege...@apache.org



[ANN] New Apache Sling committer: Simone Tripodi

2017-07-07 Thread Antonio Sanso
Hi *,

Please welcome Simone Tripodi as a new committer of the Apache Sling project. 
The Apache Sling PMC recently decided to offer Simone committership based on 
his contributions.
I'm happy to announce that he accepted the offer.

Welcome to the team, Simo!

@Simo if you want to honor the old tradition of new committers
briefly introducing themselves to the list, feel free.

regards

antonio

Re: [VOTE] Release Apache Sling Resource Resolver 1.5.26

2017-07-06 Thread Antonio Sanso
+1
On Jul 5, 2017, at 4:04 PM, Karl Pauls  wrote:

> I would like to call a vote on the following release,
> 
> Apache Sling Resource Resolver 1.5.26
> 
> We solved 1 issue in this release:
> https://issues.apache.org/jira/projects/SLING/versions/12340514
> 
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-1751/
> 
> You can use this UNIX script to download the release and verify the 
> signatures:
> http://svn.apache.org/repos/asf/sling/trunk/check_staged_release.sh
> 
> Usage:
> sh check_staged_release.sh 1751 /tmp/sling-staging
> 
> Please vote to approve these releases:
> 
>  [ ] +1 Approve the releases
>  [ ]  0 Don't care
>  [ ] -1 Don't release, because ...



Re: RTC - Add IMS Provider to AEM quickstart

2017-07-03 Thread Antonio Sanso
hi guys,

yeah sorry for the noise :(

regards

antonio

On Jul 3, 2017, at 10:11 AM, Ian Boston <i...@tfd.co.uk> wrote:

> Hi Antonio,
> Wrong list perhaps ?
> Best Regards
> Ian
> 
> On 3 July 2017 at 08:16, Antonio Sanso <asa...@adobe.com.invalid> wrote:
> 
>> please cast your vote:
>> 
>> JIRA issue: https://jira.corp.adobe.com/browse/GRANITE-15927
>> Github repository:  https://git.corp.adobe.com/Granite/com.adobe.granite.
>> auth.ims
>> Wiki: https://wiki.corp.adobe.com/display/~asanso/AEM+Managed+
>> Services+IMS+Authentication+Support
>> 
>> regards
>> 
>> antonio



RTC - Add IMS Provider to AEM quickstart

2017-07-03 Thread Antonio Sanso
please cast your vote:

JIRA issue: https://jira.corp.adobe.com/browse/GRANITE-15927
Github repository:  
https://git.corp.adobe.com/Granite/com.adobe.granite.auth.ims
Wiki: 
https://wiki.corp.adobe.com/display/~asanso/AEM+Managed+Services+IMS+Authentication+Support

regards

antonio

[jira] [Closed] (SLING-6972) Add a request attribute in the SlingAuthenticator containing the list of request URI suffixes handled by the default authenticator

2017-06-29 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-6972?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso closed SLING-6972.


> Add a request attribute in the SlingAuthenticator containing the list of 
> request URI suffixes handled by the default authenticator
> --
>
> Key: SLING-6972
> URL: https://issues.apache.org/jira/browse/SLING-6972
> Project: Sling
>  Issue Type: Improvement
>  Components: Authentication
>    Reporter: Antonio Sanso
>    Assignee: Antonio Sanso
> Fix For: Auth Core 1.4.0
>
>
> It would be useful to add a request attribute in the SlingAuthenticator 
> containing the list of request URI suffixes handled by the default 
> authenticator. In this way the login JSPs can post j_username and j_password 
> to the correct dynamic URI.





[RESULT] [VOTE] Release Apache Sling Authentication Service

2017-06-29 Thread Antonio Sanso
The vote passed with 4 binding and 1 non-binding +1s


[jira] [Commented] (SLING-6957) Failing tests when updating version of org.apache.sling.serviceusermapper to 1.3.2

2017-06-29 Thread Antonio Sanso (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-6957?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16067838#comment-16067838
 ] 

Antonio Sanso commented on SLING-6957:
--

see also SLING-5667

> Failing tests when updating version of org.apache.sling.serviceusermapper to 
> 1.3.2
> --
>
> Key: SLING-6957
> URL: https://issues.apache.org/jira/browse/SLING-6957
> Project: Sling
>  Issue Type: Bug
>  Components: JCR
>Reporter: angela
>    Assignee: Antonio Sanso
> Fix For: JCR Base 3.0.4
>
>
> when updating the version of {{org.apache.sling.serviceusermapper}} from 
> _1.0.0_ to _1.3.2_ within the pom.xml of {{org.apache.sling.jcr.base}}, the 
> build of this module fails the following tests:
> {code}
> Running org.apache.sling.jcr.base.RepositoryInitializersTest
> Tests run: 4, Failures: 0, Errors: 4, Skipped: 0, Time elapsed: 0.155 sec <<< 
> FAILURE! - in org.apache.sling.jcr.base.RepositoryInitializersTest
> inOrderInitializers(org.apache.sling.jcr.base.RepositoryInitializersTest)  
> Time elapsed: 0.121 sec  <<< ERROR!
> java.lang.RuntimeException: Unable to initialize JCR_MOCK resource resolver 
> factory: No matching activation method with name 'configure'  found in class 
> org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl
>   at 
> org.apache.sling.testing.mock.sling.context.ContextResourceResolverFactory.get(ContextResourceResolverFactory.java:69)
>   at 
> org.apache.sling.testing.mock.sling.context.SlingContextImpl.newResourceResolverFactory(SlingContextImpl.java:107)
>   at 
> org.apache.sling.testing.mock.sling.context.SlingContextImpl.setUp(SlingContextImpl.java:98)
>   at 
> org.apache.sling.testing.mock.sling.junit.SlingContext.access$000(SlingContext.java:32)
>   at 
> org.apache.sling.testing.mock.sling.junit.SlingContext$1.before(SlingContext.java:113)
>   at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:46)
>   at org.junit.rules.RunRules.evaluate(RunRules.java:20)
>   at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
>   at 
> org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
>   at 
> org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
>   at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
>   at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
>   at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
>   at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
>   at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
>   at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
>   at 
> org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:283)
>   at 
> org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:173)
>   at 
> org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:153)
>   at 
> org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:128)
>   at 
> org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:203)
>   at 
> org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:155)
>   at 
> org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:103)
> Caused by: java.lang.RuntimeException: No matching activation method with 
> name 'configure'  found in class 
> org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl
>   at 
> org.apache.sling.testing.mock.osgi.OsgiServiceUtil.activateDeactivate(OsgiServiceUtil.java:157)
>   at 
> org.apache.sling.testing.mock.osgi.MockOsgi.activate(MockOsgi.java:190)
>   at 
> org.apache.sling.testing.mock.sling.ResourceResolverFactoryInitializer.registerServiceIfNotPresent(ResourceResolverFactoryInitializer.java:160)
>   at 
> org.apache.sling.testing.mock.sling.ResourceResolverFactoryInitializer.ensureResourceResolverFactoryActivatorDependencies(ResourceResolverFactoryInitializer.java:117)
>   at 
> org.apache.sling.testing.mock.sling.ResourceResolverFactoryInitializer.setUp(ResourceResolverFactoryInitializer.java:74)
>   at 
> org.apache.sling.testing.mock.sling.MockSling.newResourceResolverFactory(MockSling.java:88)
>   at 
> org.apache.sling.testing.mock.sling.context.ContextResourceResolverFactory.get(ContextResourceR
