[jira] [Created] (SLING-7252) ResourceResolverImpl.map() does not invoke ResourceDecorator

2017-11-20 Thread Francisco Chicharro (JIRA)
Francisco Chicharro created SLING-7252:
--

 Summary: ResourceResolverImpl.map() does not invoke 
ResourceDecorator
 Key: SLING-7252
 URL: https://issues.apache.org/jira/browse/SLING-7252
 Project: Sling
  Issue Type: Bug
Affects Versions: Resource Resolver 1.5.30, Resource Resolver 1.4.16
Reporter: Francisco Chicharro
 Attachments: resourceresolverimpl.patch

ResourceDecorators are invoked by ResourceResolverImpl for resource resolution 
but not for mapping.
I'm experiencing this issue with version 1.4.16, but the issue is also there 
for latest version 1.5.30.
I'm attaching a patch for 1.4.16 version.

CC: [~cziegeler]



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


RE: [VOTE] Release Apache Sling JCR Resource 3.0.8 and File System ClassLoader 1.0.8

2017-11-20 Thread Stefan Seifert
+1



[jira] [Updated] (SLING-7252) ResourceResolverImpl.map() does not invoke ResourceDecorator

2017-11-20 Thread Carsten Ziegeler (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7252?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Carsten Ziegeler updated SLING-7252:

Component/s: ResourceResolver

> ResourceResolverImpl.map() does not invoke ResourceDecorator
> 
>
> Key: SLING-7252
> URL: https://issues.apache.org/jira/browse/SLING-7252
> Project: Sling
>  Issue Type: Bug
>  Components: ResourceResolver
>Affects Versions: Resource Resolver 1.4.16, Resource Resolver 1.5.30
>Reporter: Francisco Chicharro
> Fix For: Resource Resolver 1.5.32
>
> Attachments: resourceresolverimpl.patch
>
>
> ResourceDecorators are invoked by ResourceResolverImpl for resource 
> resolution but not for mapping.
> I'm experiencing this issue with version 1.4.16, but the issue is also there 
> for latest version 1.5.30.
> I'm attaching a patch for 1.4.16 version.
> CC: [~cziegeler]





Re: [VOTE] Release Apache Sling JCR Resource 3.0.8 and File System ClassLoader 1.0.8

2017-11-20 Thread Radu Cotescu
+1

On Thu, 16 Nov 2017 at 15:44 Karl Pauls  wrote:

> Please vote to approve these releases:
>
>   [ ] +1 Approve the releases
>   [ ]  0 Don't care
>   [ ] -1 Don't release, because ...
>


[jira] [Updated] (SLING-7252) ResourceResolverImpl.map() does not invoke ResourceDecorator

2017-11-20 Thread Carsten Ziegeler (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7252?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Carsten Ziegeler updated SLING-7252:

Fix Version/s: Resource Resolver 1.5.32

> ResourceResolverImpl.map() does not invoke ResourceDecorator
> 
>
> Key: SLING-7252
> URL: https://issues.apache.org/jira/browse/SLING-7252
> Project: Sling
>  Issue Type: Bug
>Affects Versions: Resource Resolver 1.4.16, Resource Resolver 1.5.30
>Reporter: Francisco Chicharro
> Fix For: Resource Resolver 1.5.32
>
> Attachments: resourceresolverimpl.patch
>
>
> ResourceDecorators are invoked by ResourceResolverImpl for resource 
> resolution but not for mapping.
> I'm experiencing this issue with version 1.4.16, but the issue is also there 
> for latest version 1.5.30.
> I'm attaching a patch for 1.4.16 version.
> CC: [~cziegeler]





Re: [VOTE] Release Apache Sling Health Check API 1.0.2, Health Check Core 1.2.10, and Health Check Annotations 1.0.6

2017-11-20 Thread Radu Cotescu
+1

On Thu, 16 Nov 2017 at 12:58 Karl Pauls  wrote:

> Please vote to approve these releases:
>
>   [ ] +1 Approve the releases
>   [ ]  0 Don't care
>   [ ] -1 Don't release, because ...
>


RE: value level encryption - Donating?

2017-11-20 Thread Jason Bailey
Thanks Antonio. I had considered doing GCM, but I hesitated since it's not 
listed as a standard transformation that a Java platform must support. As I 
couldn't know what platform it would be running on I tried to be as much OOTB 
as possible. That desire to be OOTB is also why it's 128bit. My idea was to 
provide a generic level of encryption with the assumption that a downstream 
implementer would/should implement the EncryptionProvider service to the level 
of security their company requires.

Saying that, if the desire is to have it GCM I will get that implemented.

-Original Message-
From: Antonio Sanso [mailto:asa...@adobe.com.INVALID] 
Sent: Monday, November 20, 2017 10:29 AM
To: dev@sling.apache.org
Subject: Re: value level encryption - Donating?

hi Jason,

thanks a lot for the donation.
I already commented on the issue, just pasting inline part of the comment though

On Nov 20, 2017, at 2:50 PM, Jason Bailey  wrote:

> So I'm just about done implementing this.
>
> https://github.com/JEBailey/sling-encrypt
>
> Value level encryption. IV is stored inline so there's no repetition. 
> Accessing encrypted data via the EncryptionValueMap will decode it 
> automatically on access and will handle automatically encrypting values if an 
> encrypted value is updated.
>
> Only problem I had besides catching up on the last 15 years of 
> cryptography

I have seen you have used AES/CBC, which is not (extremely) bad. That said, if we 
really want to put this in Sling we'd better do things as the state of the art 
requires.
As a rule of thumb, you never (only) encrypt. You'd better add some integrity 
check mechanism (e.g. AES-GCM or encrypt-then-MAC).

regards

antonio

> was that the downstream application I use has a non configurable whitelist 
> filter for post processors that contain an '@' So I had to make the post 
> processor configurable.
>
> As mentioned earlier I wrote this with the intention of donating. I tried to 
> make it as easy as possible for it to be pulled into where it needs to go.
>
> However I don't know the process for Donating. Can someone point me the way 
> or to some documentation?
>
> Thanks.
> -Jason
>
> -Original Message-
> From: Justin Edelson [mailto:jus...@justinedelson.com]
> Sent: Friday, November 03, 2017 3:37 PM
> To: dev@sling.apache.org
> Subject: Re: value level encryption
>
> In AEM, posting encrypted properties to /etc/cloudservices is historically 
> the primary use case for @Encrypted, but the PostProcessor applies to all 
> post requests.
>
> I think this would be a useful addition to Sling. We may want to have some 
> kind of SPI to support different encryption schemes, but that's an 
> implementation detail.
>
> Regards,
> Justin
>
>
> On Fri, Nov 3, 2017 at 2:48 PM Jason Bailey  wrote:
>
>> The only docs I can find on that, assuming we're talking AEM, 
>> mentions it only works for posting things into /etc/cloudservices. So that's 
>> out.
>> It's been a while, but I'm under the impression that all 
>> implementations of the java platform now come with a certain level of 
>> crypto
>>
>> https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html
>>
>> I'd probably add a configuration so you could define the level of 
>> cryptography, and then that would allow people who needed a higher 
>> level to install their own providers. Is this something that Sling 
>> would be interested in? Since I'm going to be writing this, if you're 
>> interested, I'd rather write it with the intent of directly donating it.
>>
>>
>>
>> -Original Message-
>> From: Justin Edelson [mailto:jus...@justinedelson.com]
>> Sent: Friday, November 03, 2017 1:35 PM
>> To: dev@sling.apache.org
>> Subject: Re: value level encryption
>>
>> We have this in our commercial product. At a high level, the way it 
>> works is that there is a PostProcessor which looks for an @Encrypted 
>> postfixed property and, if that is present, the corresponding 
>> property is stored in an encrypted fashion. Decryption is all done 
>> manually, although personally the idea of an EncryptionValueMap seems really 
>> cool to me.
>>
>> I believe the challenge in bringing this into Sling relates to the 
>> encryption libraries.
>>
>> On Fri, Nov 3, 2017 at 8:45 AM Jason Bailey  wrote:
>>
>>> Here's the use case
>>>
>>> My organization has decided that to conform to the GDPR, any 
>>> sensitive data should be encrypted while at rest. From a Sling 
>>> perspective that is a challenge since we've empowered the authors to 
>>> create forms the way they want. So to be on the safe side, we're 
>>> looking at encrypting all form fields as they are persisted, and 
>>> then decrypting the values from the resource when we need to process 
>>> them.
>>>
>>> Now I'm thinking of an EncryptionValueMap that will simplify this 
>>> process and encapsulate the functionality. You guys are usually 
>>> ahead 
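
The integrity point raised in the reply above, as an added example that is not part of the original thread and is not code from sling-encrypt or Sling: a value sealed with AES-GCM, with the IV stored inline as the thread describes, is rejected at decryption when the stored bytes are modified or moved to another property. The class `GcmValueCodec`, its method names, the sample values, and the use of the property name as associated data are assumptions made for this illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hypothetical helper for illustration; not the EncryptionProvider API from the thread. */
public class GcmValueCodec {
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int IV_BYTES = 12;   // 96-bit IV, the size GCM is designed around
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;

    public GcmValueCodec(SecretKey key) {
        this.key = key;
    }

    /** Returns Base64(IV || ciphertext || tag). The property name is authenticated, not stored. */
    public String encrypt(String propertyName, String value) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv); // fresh random IV per value; an IV must never repeat under one key
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        // Associated data binds the ciphertext to the property it was written for
        cipher.updateAAD(propertyName.getBytes(StandardCharsets.UTF_8));
        byte[] sealed = cipher.doFinal(value.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(iv.length + sealed.length).put(iv).put(sealed).array();
        return Base64.getEncoder().encodeToString(out);
    }

    /** Throws AEADBadTagException if the stored bytes or the property name do not match. */
    public String decrypt(String propertyName, String stored) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(stored);
        if (in.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("stored value is too short to hold IV and tag");
        }
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        cipher.updateAAD(propertyName.getBytes(StandardCharsets.UTF_8));
        // The tag is verified inside doFinal; no plaintext is returned on failure
        byte[] plain = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(plain, StandardCharsets.UTF_8);
    }

    /** True when decryption is refused because authentication failed. */
    static boolean isRejected(GcmValueCodec codec, String propertyName, String stored)
            throws GeneralSecurityException {
        try {
            codec.decrypt(propertyName, stored);
            return false;
        } catch (AEADBadTagException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(128); // 128-bit key, matching the key size mentioned in the thread
        GcmValueCodec codec = new GcmValueCodec(generator.generateKey());

        // Constructed sample value
        String stored = codec.encrypt("email", "jane@example.com");
        System.out.println("round trip:         " + codec.decrypt("email", stored));

        // Same plaintext encrypts differently each time because the IV is random
        System.out.println("repeat differs:     " + !stored.equals(codec.encrypt("email", "jane@example.com")));

        // Flip one ciphertext bit, as a change to the persisted value would
        byte[] raw = Base64.getDecoder().decode(stored);
        raw[IV_BYTES] ^= 0x01;
        String tampered = Base64.getEncoder().encodeToString(raw);
        System.out.println("tampered rejected:  " + isRejected(codec, "email", tampered));

        // Copy the untouched ciphertext onto a different property
        System.out.println("relocated rejected: " + isRejected(codec, "phone", stored));
    }
}
```

With unauthenticated AES/CBC the last two cases decrypt without error, returning altered or misplaced plaintext, or fail only incidentally on padding.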

[jira] [Created] (SLING-7257) Sling Models injector for resolving paths stored in the repo

2017-11-20 Thread Henry Kuijpers (JIRA)
Henry Kuijpers created SLING-7257:
-

 Summary: Sling Models injector for resolving paths stored in the 
repo
 Key: SLING-7257
 URL: https://issues.apache.org/jira/browse/SLING-7257
 Project: Sling
  Issue Type: New Feature
Affects Versions: Sling Models Impl 1.4.4
Reporter: Henry Kuijpers


It would be great to have the ability to store paths in the repository (as a 
string or as a string array) and then resolve them with a simple annotation, 
instead of having a lot of code in the specific models to do so.

I started working on something that for now only supports resources and tags, 
but I think it should actually be possible to delegate the execution of 
transforming the resource to any object, using the injectors that are already 
available. 

I'm not sure if what I made is the way to go, but at least it's a starting 
point?

Injector:
{code}
@Component
@Slf4j
public class ResolvePathInjector implements InjectAnnotationProcessorFactory2, Injector {
    @Override
    public String getName() {
        return "resolve-path";
    }

    @Override
    public Object getValue(Object adaptable, String name, Type declaredType, AnnotatedElement element,
                           DisposalCallbackRegistry callbackRegistry) {
        // Only elements annotated with @ResolvePath are handled by this injector
        final ResolvePath annotation = element.getAnnotation(ResolvePath.class);
        if (annotation == null) {
            return null;
        }

        final Resource resource = getResource(adaptable);
        if (resource == null) {
            throw new IllegalArgumentException("Cannot get resource resolver from adaptable");
        }

        final String[] paths = getPaths(annotation, resource);
        if (paths == null) {
            return null;
        }

        return getValue(paths, declaredType, resource.getResourceResolver());
    }

    // Reads the stored path(s) from the property named by the annotation
    private static String[] getPaths(ResolvePath annotation, Resource resource) {
        final ValueMap map = resource.adaptTo(ValueMap.class);
        if (map == null) {
            return null;
        }

        final String[] paths = map.get(annotation.name(), String[].class);
        if (paths == null || paths.length == 0) {
            return null;
        }
        return paths;
    }

    private static Object getValue(String[] paths, Type declaredType, ResourceResolver resourceResolver) {
        // TODO: Support more injections! I.e. other sling models
        final boolean isTagArray = declaredType == Tag[].class;
        final boolean isTag = declaredType == Tag.class;

        if (!isTag && !isTagArray) {
            return null;
        }

        final List<Tag> tags = new ArrayList<>();
        final TagManager tagManager = resourceResolver.adaptTo(TagManager.class);
        if (tagManager != null) {
            for (String path : paths) {
                final Tag tag = tagManager.resolve(path);
                if (tag != null) {
                    tags.add(tag);
                }
            }
        }

        // A single Tag field gets the first resolved tag, or no value when none resolved
        // (an empty Tag[] cannot be injected into a Tag field)
        if (isTag) {
            return tags.isEmpty() ? null : tags.get(0);
        }
        return tags.toArray(new Tag[tags.size()]);
    }

    private static Resource getResource(Object adaptable) {
        Resource resource = null;
        if (adaptable instanceof Resource) {
            resource = (Resource) adaptable;
        } else if (adaptable instanceof SlingHttpServletRequest) {
            resource = ((SlingHttpServletRequest) adaptable).getResource();
        } else if (adaptable instanceof Adaptable) {
            resource = ((Adaptable) adaptable).adaptTo(Resource.class);
        }
        return resource;
    }

    @Override
    public InjectAnnotationProcessor2 createAnnotationProcessor(Object adaptable, AnnotatedElement element) {
        // check if the element has the expected annotation
        ResolvePath annotation = element.getAnnotation(ResolvePath.class);
        if (annotation != null) {
            return new ValueAnnotationProcessor(annotation, adaptable);
        }
        return null;
    }
}
{code}

Annotation:
{code}
@Target({ ElementType.FIELD, ElementType.METHOD, ElementType.PARAMETER })
@Retention(RetentionPolicy.RUNTIME)
@InjectAnnotation
@Source("resolve-path")
@Qualifier
public @interface ResolvePath {
    String name() default "";
    InjectionStrategy injectionStrategy() default InjectionStrategy.DEFAULT;
    String via() default "";
}
{code}





[jira] [Updated] (SLING-7256) Sling Models injector for CAConfig

2017-11-20 Thread Henry Kuijpers (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7256?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Henry Kuijpers updated SLING-7256:
--
Description: 
It would be great to have a Sling Models injector for CAConfig.

An example could be:
{code}
@Component
public class ContextAwareConfigurationInjector implements Injector {
    public String getName() {
        return "ca-config";
    }

    public Object getValue(Object adaptable, String name, Type declaredType, AnnotatedElement element,
                           DisposalCallbackRegistry callbackRegistry) {
        if (isConfigurationObject(declaredType)) {
            final Resource resource;
            if (adaptable instanceof Resource) {
                resource = (Resource) adaptable;
            } else if (adaptable instanceof SlingHttpServletRequest) {
                // TODO: Is this always the correct resource? (Most often we want the one in /content)
                // So we do not want /conf/... for example
                final SlingHttpServletRequest request = (SlingHttpServletRequest) adaptable;
                final ResourceResolver resourceResolver = request.getResourceResolver();
                resource = resourceResolver.resolve(request, request.getRequestURI());
            } else {
                throw new IllegalArgumentException("Either a resource or the request should be used");
            }

            final ConfigurationBuilder builder = resource.adaptTo(ConfigurationBuilder.class);
            if (builder != null) {
                return builder.as((Class) declaredType);
            }
        }
        return null;
    }

    private static boolean isConfigurationObject(Type type) {
        if (!(type instanceof Class)) {
            return false;
        }

        Class clazz = (Class) type;
        return clazz.isAnnotation() && clazz.isAnnotationPresent(Configuration.class);
    }
}
{code}

+ annotation:
{code}
@Target({ ElementType.FIELD, ElementType.METHOD, ElementType.PARAMETER })
@Retention(RetentionPolicy.RUNTIME)
@InjectAnnotation
@Source("ca-config")
@Qualifier
public @interface CaConfig {
}
{code}

  was:
It would be great to have a Sling Models injector for CAConfig.

An example could be:
{code}
@Component
public class ContextAwareConfigurationInjector implements Injector {
    public String getName() {
        return "ca-config";
    }

    public Object getValue(Object adaptable, String name, Type declaredType, AnnotatedElement element,
                           DisposalCallbackRegistry callbackRegistry) {
        if (isConfigurationObject(declaredType)) {
            final Resource resource;
            if (adaptable instanceof Resource) {
                // TODO: Is this always the correct resource? (Most often we want the one in /content)
                // So we do not want /conf/... for example
                resource = (Resource) adaptable;
            } else if (adaptable instanceof SlingHttpServletRequest) {
                final SlingHttpServletRequest request = (SlingHttpServletRequest) adaptable;
                final ResourceResolver resourceResolver = request.getResourceResolver();
                resource = resourceResolver.resolve(request, request.getRequestURI());
            } else {
                throw new IllegalArgumentException("Either a resource or the request should be used");
            }

            final ConfigurationBuilder builder = resource.adaptTo(ConfigurationBuilder.class);
            if (builder != null) {
                return builder.as((Class) declaredType);
            }
        }
        return null;
    }

    private static boolean isConfigurationObject(Type type) {
        if (!(type instanceof Class)) {
            return false;
        }

        Class clazz = (Class) type;
        return clazz.isAnnotation() && clazz.isAnnotationPresent(Configuration.class);
    }
}
{code}

+ annotation:
{code}
@Target({ ElementType.FIELD, ElementType.METHOD, ElementType.PARAMETER })
@Retention(RetentionPolicy.RUNTIME)
@InjectAnnotation
@Source("ca-config")
@Qualifier
public @interface CaConfig {
}
{code}


> Sling Models injector for CAConfig
> --
>
> Key: SLING-7256
> URL: https://issues.apache.org/jira/browse/SLING-7256
> Project: Sling
>  Issue Type: New Feature
>Affects Versions: Sling Models Impl 1.4.4
>Reporter: Henry Kuijpers
>
> It would be great to have a Sling Models injector for CAConfig.
> An example could be:
> {code}
> @Component
> public class ContextAwareConfigurationInjector implements Injector {
>     public String getName() {
>         return "ca-config";
>     }
>     public Object getValue(Object adaptable, String name, Type declaredType, AnnotatedElement element,
>                            DisposalCallbackRegistry callbackRegistry) {
> if 

[jira] [Created] (SLING-7256) Sling Models injector for CAConfig

2017-11-20 Thread Henry Kuijpers (JIRA)
Henry Kuijpers created SLING-7256:
-

 Summary: Sling Models injector for CAConfig
 Key: SLING-7256
 URL: https://issues.apache.org/jira/browse/SLING-7256
 Project: Sling
  Issue Type: New Feature
Affects Versions: Sling Models Impl 1.4.4
Reporter: Henry Kuijpers


It would be great to have a Sling Models injector for CAConfig.

An example could be:
{code}
@Component
public class ContextAwareConfigurationInjector implements Injector {
    public String getName() {
        return "ca-config";
    }

    public Object getValue(Object adaptable, String name, Type declaredType, AnnotatedElement element,
                           DisposalCallbackRegistry callbackRegistry) {
        if (isConfigurationObject(declaredType)) {
            final Resource resource;
            if (adaptable instanceof Resource) {
                // TODO: Is this always the correct resource? (Most often we want the one in /content)
                // So we do not want /conf/... for example
                resource = (Resource) adaptable;
            } else if (adaptable instanceof SlingHttpServletRequest) {
                final SlingHttpServletRequest request = (SlingHttpServletRequest) adaptable;
                final ResourceResolver resourceResolver = request.getResourceResolver();
                resource = resourceResolver.resolve(request, request.getRequestURI());
            } else {
                throw new IllegalArgumentException("Either a resource or the request should be used");
            }

            final ConfigurationBuilder builder = resource.adaptTo(ConfigurationBuilder.class);
            if (builder != null) {
                return builder.as((Class) declaredType);
            }
        }
        return null;
    }

    private static boolean isConfigurationObject(Type type) {
        if (!(type instanceof Class)) {
            return false;
        }

        Class clazz = (Class) type;
        return clazz.isAnnotation() && clazz.isAnnotationPresent(Configuration.class);
    }
}
{code}

+ annotation:
{code}
@Target({ ElementType.FIELD, ElementType.METHOD, ElementType.PARAMETER })
@Retention(RetentionPolicy.RUNTIME)
@InjectAnnotation
@Source("ca-config")
@Qualifier
public @interface CaConfig {
}
{code}





[jira] [Commented] (SLING-7257) Sling Models injector for resolving paths stored in the repo

2017-11-20 Thread Justin Edelson (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-7257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16259561#comment-16259561
 ] 

Justin Edelson commented on SLING-7257:
---

Leaving aside the Tags-specific piece (which appears to depend upon AEM APIs 
and so doesn't belong in Sling), how is this different than the existing 
ResourcePath injector?

In terms of the Tags, since AEM Tags are not stored (or at least shouldn't be 
stored) as traditional paths but rather Tag IDs, the existing ResourcePath 
injector won't work. This could be submitted to ACS AEM Commons or wcm.io as a 
contribution.

> Sling Models injector for resolving paths stored in the repo
> 
>
> Key: SLING-7257
> URL: https://issues.apache.org/jira/browse/SLING-7257
> Project: Sling
>  Issue Type: New Feature
>Affects Versions: Sling Models Impl 1.4.4
>Reporter: Henry Kuijpers
>
> It would be great to have the ability to store paths in the repository (as a 
> string or as a string array) and then resolve them with a simple annotation, 
> instead of having a lot of code in the specific models to do so.
> I started working on something that for now only supports resources and tags, 
> but I think it should actually be possible to delegate the execution of 
> transforming the resource to any object, using the injectors that are already 
> available. 
> I'm not sure if what I made is the way to go, but at least it's a starting 
> point?
> Injector:
> {code}
> @Component
> @Slf4j
> public class ResolvePathInjector implements InjectAnnotationProcessorFactory2, Injector {
>     @Override
>     public String getName() {
>         return "resolve-path";
>     }
>     @Override
>     public Object getValue(Object adaptable, String name, Type declaredType, AnnotatedElement element,
>                            DisposalCallbackRegistry callbackRegistry) {
>         // Only elements annotated with @ResolvePath are handled by this injector
>         final ResolvePath annotation = element.getAnnotation(ResolvePath.class);
>         if (annotation == null) {
>             return null;
>         }
>         final Resource resource = getResource(adaptable);
>         if (resource == null) {
>             throw new IllegalArgumentException("Cannot get resource resolver from adaptable");
>         }
>         final String[] paths = getPaths(annotation, resource);
>         if (paths == null) {
>             return null;
>         }
>         return getValue(paths, declaredType, resource.getResourceResolver());
>     }
>     // Reads the stored path(s) from the property named by the annotation
>     private static String[] getPaths(ResolvePath annotation, Resource resource) {
>         final ValueMap map = resource.adaptTo(ValueMap.class);
>         if (map == null) {
>             return null;
>         }
>         final String[] paths = map.get(annotation.name(), String[].class);
>         if (paths == null || paths.length == 0) {
>             return null;
>         }
>         return paths;
>     }
>     private static Object getValue(String[] paths, Type declaredType, ResourceResolver resourceResolver) {
>         // TODO: Support more injections! I.e. other sling models
>         final boolean isTagArray = declaredType == Tag[].class;
>         final boolean isTag = declaredType == Tag.class;
>         if (!isTag && !isTagArray) {
>             return null;
>         }
>         final List<Tag> tags = new ArrayList<>();
>         final TagManager tagManager = resourceResolver.adaptTo(TagManager.class);
>         if (tagManager != null) {
>             for (String path : paths) {
>                 final Tag tag = tagManager.resolve(path);
>                 if (tag != null) {
>                     tags.add(tag);
>                 }
>             }
>         }
>         // A single Tag field gets the first resolved tag, or no value when none resolved
>         // (an empty Tag[] cannot be injected into a Tag field)
>         if (isTag) {
>             return tags.isEmpty() ? null : tags.get(0);
>         }
>         return tags.toArray(new Tag[tags.size()]);
>     }
>     private static Resource getResource(Object adaptable) {
>         Resource resource = null;
>         if (adaptable instanceof Resource) {
>             resource = (Resource) adaptable;
>         } else if (adaptable instanceof SlingHttpServletRequest) {
>             resource = ((SlingHttpServletRequest) adaptable).getResource();
>         } else if (adaptable instanceof Adaptable) {
>             resource = ((Adaptable) adaptable).adaptTo(Resource.class);
>         }
>         return resource;
>     }
>     @Override
>     public InjectAnnotationProcessor2 createAnnotationProcessor(Object adaptable, AnnotatedElement element) {
>         // check if the element has the expected annotation
>         ResolvePath annotation = element.getAnnotation(ResolvePath.class);
>         if (annotation != null) {
>             return new ValueAnnotationProcessor(annotation, adaptable);
>         }
>         return null;
>     }
> }
> {code}
> Annotation:
> {code}
> @Target({ ElementType.FIELD, 

Re: [VOTE] Release Apache Sling Health Check API 1.0.2, Health Check Core 1.2.10, and Health Check Annotations 1.0.6

2017-11-20 Thread Karl Pauls
+1

regards,

Karl

On Mon, Nov 20, 2017 at 10:41 AM, Radu Cotescu  wrote:
> +1
>
> On Thu, 16 Nov 2017 at 12:58 Karl Pauls  wrote:
>
>> Please vote to approve these releases:
>>
>>   [ ] +1 Approve the releases
>>   [ ]  0 Don't care
>>   [ ] -1 Don't release, because ...
>>



-- 
Karl Pauls
karlpa...@gmail.com


[jira] [Closed] (SLING-6946) Make HC servlet send CORS header Access-Control-Allow-Origin

2017-11-20 Thread Karl Pauls (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-6946?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Pauls closed SLING-6946.
-

> Make HC servlet send CORS header Access-Control-Allow-Origin
> 
>
> Key: SLING-6946
> URL: https://issues.apache.org/jira/browse/SLING-6946
> Project: Sling
>  Issue Type: Improvement
>  Components: Health Check
>Reporter: Georg Henzler
>Assignee: Georg Henzler
> Fix For: Health Check Core 1.2.10
>
>
> There is no reason why the HC servlet should not be allowed to be called from 
> a webpage that was served from another domain. Hence the header 
> {{Access-Control-Allow-Origin}} shall be added with a default value {{*}} 
> (configurable in case it is really needed, but allowing general access as 
> default makes sense here).
> Concrete Use Case: A Jenkins HTML Report that aggregates HC results from 
> multiple sling instances.





[jira] [Closed] (SLING-6855) Sticky Results Support

2017-11-20 Thread Karl Pauls (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-6855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Pauls closed SLING-6855.
-

> Sticky Results Support
> --
>
> Key: SLING-6855
> URL: https://issues.apache.org/jira/browse/SLING-6855
> Project: Sling
>  Issue Type: New Feature
>  Components: Health Check
>Reporter: Clinton H Goudie-Nice
>Assignee: Georg Henzler
> Fix For: Health Check Annotations 1.0.6, Health Check Core 
> 1.2.10, Health Check API 1.0.2
>
>
> Introduce HC service property {{hc.warningsStickForMinutes}} to allow old 
> WARN/CRITICAL/HEALTH_CHECK_ERROR results to be sticky (see also 
> http://sling.markmail.org/thread/tawikgt7bqxvnlj5#query:+page:1+mid:57hhg55hekr7ib33+state:results)
> --- Original Request 
> *Create ResultRegistry to provide health check behavior for executing code 
> that does not want a HealthCheck* 
> I want to provide a Registry service that can be leveraged to provide health 
> check results.
> These results can be for a period of time through an expiration, until the 
> JVM is restarted, or added and later removed.
> This can be useful when code observes a specific (possibly bad) state, and 
> wants to alert through the health check API that this state has taken place.
>  Some examples: 
>  An event pool has filled, and some events will be thrown away.
>   This is a failure case that requires a restart of the instance.
>   It would be appropriate to trigger a permanent failure.
>
>  A quota has been tripped. This quota may immediately recover, but it is 
> sensible to alert for 30 minutes that the quota has been tripped.
>  If you expect the failure will clear itself within a certain window, setting 
> the expiration to that window can be ideal.
> GHPR to follow





[jira] [Closed] (SLING-6804) Request to allow the health check servlet to directly query a single health check by name

2017-11-20 Thread Karl Pauls (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-6804?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Pauls closed SLING-6804.
-

> Request to allow the health check servlet to directly query a single health 
> check by name
> -
>
> Key: SLING-6804
> URL: https://issues.apache.org/jira/browse/SLING-6804
> Project: Sling
>  Issue Type: Improvement
>  Components: Health Check
>Reporter: Clinton H Goudie-Nice
>Assignee: Justin Edelson
>Priority: Minor
> Fix For: Health Check Core 1.2.10, Health Check API 1.0.2
>
> Attachments: SLING-6804-allow-hc.name-in-hc-urls-simple.patch, 
> SLING-6804.diff
>
>
> AMS has a request to be able to access an individual health check by name
> For example: 
> http://localhost:4502/system/health/named/Sling%20Get%20Servlet.json
> And have it return the results for only this named health check.





Re: [VOTE] Release Apache Sling JCR Davex 1.3.10

2017-11-20 Thread Karl Pauls
+1

regards,

Karl

On Thu, Nov 16, 2017 at 4:28 PM, Karl Pauls  wrote:
> On Thu, Nov 16, 2017 at 3:54 PM, Julian Reschke  wrote:
>> On 2017-11-16 13:07, Karl Pauls wrote:
>>>
>>> I would like to call a vote on the following release,
>>>
>>> Apache Sling JCR Davex 1.3.10
>>> ...
>>
>>
>> I'm about to branch Jackrabbit 2.16 and release 2.16.0 subsequently - so
>> this seems to be minimally bad timing :-).
>
> Oh well, no harm done. I missed SLING-7212 because it didn't have the
> fixVersion set.
>
> Anyways, this release will conclude before 2.16 is out - hence, I'll
> add JCR Davex 1.3.12 to the fixVersion so that we don't forget.
>
> regards,
>
> Karl
>
> --
> Karl Pauls
> karlpa...@gmail.com



-- 
Karl Pauls
karlpa...@gmail.com


Re: [RESULT][VOTE] Release Apache Sling JCR Davex 1.3.10

2017-11-20 Thread Karl Pauls
Time to call the vote on the Apache Sling JCR Davex 1.3.10 release.

* +1 votes from Antonio Sanso, Stefan Egli, Carsten Ziegeler, and Karl Pauls.

* No other votes.

The vote is successful. I will make the artifacts available as soon as possible.


[jira] [Closed] (SLING-7078) Update Jackrabbit to 2.14.2

2017-11-20 Thread Karl Pauls (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7078?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Pauls closed SLING-7078.
-

> Update Jackrabbit to 2.14.2
> ---
>
> Key: SLING-7078
> URL: https://issues.apache.org/jira/browse/SLING-7078
> Project: Sling
>  Issue Type: Task
>  Components: JCR, Karaf, Testing
>Reporter: Oliver Lietz
>Assignee: Oliver Lietz
> Fix For: Karaf Features 0.2.0, Karaf Integration Tests 0.2.0, 
> Commons Testing 2.1.2, JCR Davex 1.3.10, JCR Webdav 2.3.10, JCR Oak Server 
> 1.1.6
>
>






[jira] [Closed] (SLING-6404) Remove loginAdministrative() usage from jcr.davex

2017-11-20 Thread Karl Pauls (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-6404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Pauls closed SLING-6404.
-

> Remove loginAdministrative() usage from jcr.davex
> -
>
> Key: SLING-6404
> URL: https://issues.apache.org/jira/browse/SLING-6404
> Project: Sling
>  Issue Type: Improvement
>  Components: JCR
>Reporter: Antonio Sanso
>Assignee: Karl Pauls
> Fix For: JCR Davex 1.3.10
>
> Attachments: SLING-6404.patch
>
>
> Remove loginAdministrative() usage from jcr.davex





Re: [VOTE] Release Apache Sling Launchpad Base 5.6.10-2.6.26

2017-11-20 Thread Karl Pauls
+1

regards,

Karl

On Thu, Nov 16, 2017 at 2:51 PM, Stefan Egli  wrote:
> +1
>
> Cheers,
> Stefan
>
> On 14.11.17, 23:21, "Karl Pauls"  wrote:
>
>>I would like to call a vote on the following release,
>>
>>Apache Sling Launchpad Base 5.6.10-2.6.26
>>
>>We solved 2 issues in this release:
>>https://issues.apache.org/jira/projects/SLING/versions/12341546
>>
>>Staging repository:
>>https://repository.apache.org/content/repositories/orgapachesling-1810/
>>
>>You can use this UNIX script to download the release and verify the
>>signatures:
>>http://svn.apache.org/repos/asf/sling/trunk/check_staged_release.sh
>>
>>Usage:
>>sh check_staged_release.sh 1810 /tmp/sling-staging
>>
>>Please vote to approve these releases:
>>
>>  [ ] +1 Approve the releases
>>  [ ]  0 Don't care
>>  [ ] -1 Don't release, because ...
>
>



-- 
Karl Pauls
karlpa...@gmail.com


[jira] [Closed] (SLING-6667) Convert to OSGi annotations

2017-11-20 Thread Karl Pauls (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-6667?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Pauls closed SLING-6667.
-

> Convert to OSGi annotations
> ---
>
> Key: SLING-6667
> URL: https://issues.apache.org/jira/browse/SLING-6667
> Project: Sling
>  Issue Type: Improvement
>  Components: Commons
>Affects Versions: File System ClassLoader 1.0.6
>Reporter: Carsten Ziegeler
>Assignee: Carsten Ziegeler
> Fix For: File System ClassLoader 1.0.8
>
>
> We should convert to the official OSGi annotations
> avoid the usage of PropertiesUtil
> Use annotations to specify exported package version/provider type





Re: [RESULT][VOTE] Release Apache Sling Health Check API 1.0.2, Health Check Core 1.2.10, and Health Check Annotations 1.0.6

2017-11-20 Thread Karl Pauls
Time to call the vote on the Apache Sling Health Check API 1.0.2,
Health Check Core 1.2.10, and Health Check Annotations 1.0.6 release.

* +1 votes from Stefan Egli, Carsten Ziegeler, Georg Henzler, Radu
Cotescu, and Karl Pauls.

* No other votes.

The vote is successful. I will make the artifacts available as soon as possible.


Re: [RESULT][VOTE] Release Apache Sling Launchpad Base 5.6.10-2.6.26

2017-11-20 Thread Karl Pauls
Time to call the vote on the Apache Sling Launchpad Base 5.6.10-2.6.26 release.

* +1 votes from Robert Munteanu, Carsten Ziegeler, Stefan Egli, and Karl Pauls.

* No other votes.

The vote is successful. I will make the artifacts available as soon as possible.


[jira] [Closed] (SLING-7175) Improve concurrency in FSDynamicClassLoader

2017-11-20 Thread Karl Pauls (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7175?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Pauls closed SLING-7175.
-

> Improve concurrency in FSDynamicClassLoader
> ---
>
> Key: SLING-7175
> URL: https://issues.apache.org/jira/browse/SLING-7175
> Project: Sling
>  Issue Type: Improvement
>  Components: Commons
>Affects Versions: File System ClassLoader 1.0.6
>Reporter: Karl Pauls
>Assignee: Karl Pauls
> Fix For: File System ClassLoader 1.0.8
>
> Attachments: SLING-7175.patch
>
>
> FSDynamicClassLoader currently maintains two synchronized sets of class names 
> that have been loaded ( a "hit" and a "miss" set). That can be a source of 
> contention when a lot of classes are loaded concurrently. 
> I think we can optimize this somewhat by a) merging the two sets into one (as 
> they are never used independently from what I can tell) and b) using a 
> Collections.newSetFromMap(new ConcurrentHashMap) instead of a 
> Collections.synchronizedSet(new HashSet()). 
> Furthermore, the isDirty boolean flag should be volatile as it might be 
> accessed concurrently. 





[jira] [Closed] (SLING-6419) Remove loginAdministrative() usage from jcr.resource - JcrSystemUserValidator

2017-11-20 Thread Karl Pauls (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-6419?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Pauls closed SLING-6419.
-

> Remove loginAdministrative() usage from jcr.resource - JcrSystemUserValidator
> -
>
> Key: SLING-6419
> URL: https://issues.apache.org/jira/browse/SLING-6419
> Project: Sling
>  Issue Type: Improvement
>  Components: JCR
>Reporter: Antonio Sanso
>Assignee: Karl Pauls
> Fix For: JCR Resource 3.0.8
>
>
> Remove getAdministrativeResourceResolver() and loginAdministrative() usage 
> from jcr.resource





Re: [RESULT][VOTE] Release Apache Sling JCR Resource 3.0.8 and File System ClassLoader 1.0.8

2017-11-20 Thread Karl Pauls
Ups, that should have been:

Time to call the vote on the Apache Sling JCR Resource 3.0.8 and File
System ClassLoader 1.0.8 releases.

* +1 votes from Carsten Ziegeler, Stefan Seifert, Radu Cotescu, and Karl Pauls.

* No other votes.

The vote is successful. I will make the artifacts available as soon as possible.

On Mon, Nov 20, 2017 at 11:35 PM, Karl Pauls  wrote:
> Time to call the vote on the Apache Sling Launchpad Base 5.6.10-2.6.26 
> release.
>
> * +1 votes from Carsten Ziegeler, Stefan Seifert, Radu Cotescu, and Karl 
> Pauls.
>
> * No other votes.
>
> The vote is successful. I will make the artifacts available as soon as 
> possible.



-- 
Karl Pauls
karlpa...@gmail.com


[jira] [Closed] (SLING-7069) CompositeHealthcheck combines subchecks with AND instead of OR

2017-11-20 Thread Karl Pauls (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Pauls closed SLING-7069.
-

> CompositeHealthcheck combines subchecks with AND instead of OR
> --
>
> Key: SLING-7069
> URL: https://issues.apache.org/jira/browse/SLING-7069
> Project: Sling
>  Issue Type: Improvement
>  Components: Health Check
>Affects Versions: Health Check Core 1.2.8
>Reporter: Jörg Hoh
>Assignee: Justin Edelson
> Fix For: Health Check Core 1.2.10
>
>
> I have a CompositeHealthcheck like this
> {code}
> <jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
> xmlns:cq="http://www.day.com/jcr/cq/1.0"
> xmlns:jcr="http://www.jcp.org/jcr/1.0"
> xmlns:nt="http://www.jcp.org/jcr/nt/1.0"
> jcr:primaryType="sling:OsgiConfig"
> hc.name="Health Checks (Runtime)"
> hc.mbean.name="runtime-monitoring"
> filter.tags="[tag1,tag2,tag3]"
> hc.tags="[runtime-monitoring]"
> hc.async.cronExpression="50 0/1 * 1/1 * ? *"/>
> {code}
> Whenever I run a healthcheck on the tag "runtime-monitoring" the healthchecks 
> tagged with "tag1", "tag2" and "tag3" should be executed.
> But whenever I run the healthcheck on "runtime-monitoring", none is executed 
> at all.
> I tracked it down to the fact that only those healthchecks are executed 
> which have all tags (tag1, tag2 and tag3) configured. Which of course none of 
> my tags are.
> {code}
> 21.08.2017 17:06:00.502 *DEBUG* [HealthCheck Health Checks (Runtime)] 
> org.apache.sling.hc.util.HealthCheckFilter OSGi service filter in 
> getTaggedHealthCheckServiceReferences(): 
> (&(objectClass=org.apache.sling.hc.api.HealthCheck)(hc.tags=tag1)(hc.tags=tag2)(hc.tags=tag3))
> {code}
> It seems to me that instead of the AND it should be an OR:
> {code}
> (&(objectClass=org.apache.sling.hc.api.HealthCheck)(|(hc.tags=tag1)(hc.tags=tag2)(hc.tags=tag3)))
> {code}





[jira] [Closed] (SLING-7186) Update to Felix Framework 5.6.10 and limit system bundle exports to available packages on java9

2017-11-20 Thread Karl Pauls (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Pauls closed SLING-7186.
-

> Update to Felix Framework 5.6.10 and limit system bundle exports to available 
> packages on java9
> ---
>
> Key: SLING-7186
> URL: https://issues.apache.org/jira/browse/SLING-7186
> Project: Sling
>  Issue Type: Improvement
>  Components: Launchpad
>Affects Versions: Launchpad Base 2.6.24
>Reporter: Karl Pauls
>Assignee: Karl Pauls
> Fix For: Launchpad Base 2.6.26
>
>
> We need to revisit the packages we export from the system bundle as well as 
> the extension bundles we add when running with java9. The issue is that by 
> default, starting with java9, we only have java.se modules on the module 
> path. Our current packages list + extension bundles assumes java.se.ee to be 
> present (which is not the case unless it is specifically requested via 
> --add-modules). 
> We have to investigate what we want to do to remedy this situation - I'll 
> create subtasks for the actual work (which probably has to include updating 
> to a Felix 5.6.10 when it is released).





Re: [VOTE] Release Apache Sling JCR Resource 3.0.8 and File System ClassLoader 1.0.8

2017-11-20 Thread Karl Pauls
+1

regards,

Karl

On Mon, Nov 20, 2017 at 10:37 AM, Radu Cotescu  wrote:
> +1
>
> On Thu, 16 Nov 2017 at 15:44 Karl Pauls  wrote:
>
>> Please vote to approve these releases:
>>
>>   [ ] +1 Approve the releases
>>   [ ]  0 Don't care
>>   [ ] -1 Don't release, because ...
>>



-- 
Karl Pauls
karlpa...@gmail.com


[jira] [Closed] (SLING-7232) Remove http.bridge from launchpad base

2017-11-20 Thread Karl Pauls (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7232?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Pauls closed SLING-7232.
-

> Remove http.bridge from launchpad base
> --
>
> Key: SLING-7232
> URL: https://issues.apache.org/jira/browse/SLING-7232
> Project: Sling
>  Issue Type: Improvement
>  Components: Launchpad
>Reporter: Carsten Ziegeler
>Assignee: Karl Pauls
> Fix For: Launchpad Base 2.6.26
>
>
> Currently launchpad base embeds the http.bridge bundle for the webapp setup. 
> So whenever the http bridge needs an update, we need to release a new 
> launchpad version. As this is just a bundle which needs to be available in 
> the webapp scenario we can move this to the provisioning model and bind it to 
> the webapp runmode.





Re: [RESULT][VOTE] Release Apache Sling JCR Resource 3.0.8 and File System ClassLoader 1.0.8

2017-11-20 Thread Karl Pauls
Time to call the vote on the Apache Sling Launchpad Base 5.6.10-2.6.26 release.

* +1 votes from Carsten Ziegeler, Stefan Seifert, Radu Cotescu, and Karl Pauls.

* No other votes.

The vote is successful. I will make the artifacts available as soon as possible.


[jira] [Updated] (SLING-7255) Donating Sling Resource Encryption Utils

2017-11-20 Thread Jason E Bailey (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jason E Bailey updated SLING-7255:
--
Attachment: (was: sling-encrypt-0.0.1-beta.zip)

> Donating Sling Resource Encryption Utils
> 
>
> Key: SLING-7255
> URL: https://issues.apache.org/jira/browse/SLING-7255
> Project: Sling
>  Issue Type: Task
>Reporter: Jason E Bailey
>
> Issue to track donation of Sling resource encryption
> Codebase
> https://github.com/JEBailey/sling-encrypt
> source code is attached with sha1 checksum of 
> 717e84c0ec45191d14d93cebbe8795961b393610





[jira] [Updated] (SLING-7255) Donating Sling Resource Encryption Utils

2017-11-20 Thread Jason E Bailey (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jason E Bailey updated SLING-7255:
--
Attachment: sling-encrypt-0.0.2-beta.zip

sha1 ea1448cab0b96864257783a76aadfab3ca419262 

> Donating Sling Resource Encryption Utils
> 
>
> Key: SLING-7255
> URL: https://issues.apache.org/jira/browse/SLING-7255
> Project: Sling
>  Issue Type: Task
>Reporter: Jason E Bailey
> Attachments: sling-encrypt-0.0.2-beta.zip
>
>
> Issue to track donation of Sling resource encryption
> Codebase
> https://github.com/JEBailey/sling-encrypt
> source code is attached with sha1 checksum of 
> 717e84c0ec45191d14d93cebbe8795961b393610





Re: value level encryption - Donating?

2017-11-20 Thread Antonio Sanso
hi Jason,

I get your point.

On Nov 20, 2017, at 4:57 PM, Jason Bailey  wrote:

> Thanks Antonio. I had considered doing GCM, but I hesitated since it's not 
> listed as a standard transformation that a Java platform must support. As I 
> couldn't know what platform it would be running on I tried to be as much OOTB 
> as possible. That desire to be OOTB is also why it's 128bit. My idea was to 
> provide a generic level of encryption with the assumption that a downstream 
> implementer would/should implement the EncryptionProvider service to the 
> level of security their company requires.
> 
> Saying that, if the desire is to have it GCM I will get that implemented.

Thanks a lot for taking this into consideration and for the speedy implementation. You are 
right about AES GCM. On top of that there is also another problem with it.
AES GCM uses a nonce of 96 bits. It is vitally important to never reuse the same 
nonce with the same key, otherwise the result is a real catastrophe 
(cryptographically wise).
This implies, given the birthday paradox, that we need to rotate the key after 
2^48 encryptions. This is a pretty big number, but you know the life of the key 
can also be long.
Hence, without key rotation, it probably wouldn't be good to ship with this (now I 
am sorry you already jumped on it and implemented it, but I did not think you were 
so fast).

Another more conservative approach would be encrypt-then-mac (or we can simply 
keep AES/CBC as default).

An overall observation would also be that, given the sensitive topic, it would be 
good to have a more extensive test suite for this feature…

my 2 cents

regards

antonio

> 
> -Original Message-
> From: Antonio Sanso [mailto:asa...@adobe.com.INVALID] 
> Sent: Monday, November 20, 2017 10:29 AM
> To: dev@sling.apache.org
> Subject: Re: value level encryption - Donating?
> 
> EXTERNAL
> 
> hi Jason,
> 
> thanks a lot for the donation.
> I already commented on the issue, just pasting inline part of the comment 
> though
> 
> On Nov 20, 2017, at 2:50 PM, Jason Bailey  wrote:
> 
>> So I'm just about done implementing this.
>> 
>> https://github.com/JEBailey/sling-encrypt
>> 
>> Value level encryption. IV is stored inline so there's no repetition. 
>> Accessing encrypted data via the EncryptionValueMap will decode it 
>> automatically on access and will handle automatically encrypting values if 
>> an encrypted value is updated.
>> 
>> Only problem I had besides catching up on the last 15 years of 
>> cryptography
> 
> I have seen you have used AES/CBC, which is not (extremely) bad. That said, if 
> we really want to put this in Sling we'd better do things as the state of the art 
> requires.
> As a rule of thumb, you never (only) encrypt. You'd better add some integrity 
> check mechanism (e.g. AES GCM or encrypt-then-mac).
> 
> regards
> 
> antonio
> 
>> was that the downstream application I use has a non-configurable whitelist 
>> filter for post processors that contain an '@'. So I had to make the post 
>> processor configurable.
>> 
>> As mentioned earlier I wrote this with the intention of donating. I tried to 
>> make it as easy as possible for it to be pulled into where it needs to go.
>> 
>> However I don't know the process for Donating. Can someone point me the way 
>> or to some documentation?
>> 
>> Thanks.
>> -Jason
>> 
>> -Original Message-
>> From: Justin Edelson [mailto:jus...@justinedelson.com]
>> Sent: Friday, November 03, 2017 3:37 PM
>> To: dev@sling.apache.org
>> Subject: Re: value level encryption
>> 
>> EXTERNAL
>> 
>> In AEM, posting encrypted properties to /etc/cloudservices is historically 
>> the primary use case for @Encrypted, but the PostProcessor applies to all 
>> post requests.
>> 
>> I think this would be a useful addition to Sling. We may want to have some 
>> kind of SPI to support different encryption schemes, but that's an 
>> implementation detail.
>> 
>> Regards,
>> Justin
>> 
>> 
>> On Fri, Nov 3, 2017 at 2:48 PM Jason Bailey  wrote:
>> 
>>> The only docs I can find on that, assuming we're talking AEM, 
>>> mentions it only works for posting things into /etc/cloudservices. So 
>>> that's out.
>>> It's been a while, but I'm under the impression that all 
>>> implementations of the java platform now come with a certain level of 
>>> crypto
>>> 
>>> https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html
>>> 
>>> I'd probably add a configuration so you could define the level of 
>>> cryptography, and then that would allow people who needed a higher 
>>> level to install their own providers. Is this something that Sling 
>>> would be interested in? Since I'm going to be writing this, if you're 
>>> interested, I'd rather write it with the intent of directly donating it.
>>> 
>>> 
>>> 
>>> -Original Message-
>>> From: Justin Edelson [mailto:jus...@justinedelson.com]
>>> Sent: Friday, November 03, 2017 1:35 PM
>>> To: dev@sling.apache.org
>>> Subject: Re: value 

RE: value level encryption - Donating?

2017-11-20 Thread Jason Bailey
It's all good. I have fewer meetings today than I normally would and the 
exercise was beneficial as it got me thinking about other potential vectors.

Since the key for this is configurable via the OSGi console I would have taken 
key rotation as being a business process exercise rather than a technical one. 
But I don't mind changing it, I'm having a lot of fun with this.

To make sure I'm on the same page. The direction right now is 
AES/CBC/PKCS5Padding but with encrypt and MAC?

-Original Message-
From: Antonio Sanso [mailto:asa...@adobe.com.INVALID] 
Sent: Monday, November 20, 2017 3:07 PM
To: dev@sling.apache.org
Subject: Re: value level encryption - Donating?

EXTERNAL

hi Jason,

I get your point.

On Nov 20, 2017, at 4:57 PM, Jason Bailey  wrote:

> Thanks Antonio. I had considered doing GCM, but I hesitated since it's not 
> listed as a standard transformation that a Java platform must support. As I 
> couldn't know what platform it would be running on I tried to be as much OOTB 
> as possible. That desire to be OOTB is also why it's 128bit. My idea was to 
> provide a generic level of encryption with the assumption that a downstream 
> implementer would/should implement the EncryptionProvider service to the 
> level of security their company requires.
>
> Saying that, if the desire is to have it GCM I will get that implemented.

Thanks a lot for taking this into consideration and for the speedy implementation. You are 
right about AES GCM. On top of that there is also another problem with it.
AES GCM uses a nonce of 96 bits. It is vitally important to never reuse the same 
nonce with the same key, otherwise the result is a real catastrophe 
(cryptographically wise).
This implies, given the birthday paradox, that we need to rotate the key after 
2^48 encryptions. This is a pretty big number, but you know the life of the key 
can also be long.
Hence, without key rotation, it probably wouldn't be good to ship with this (now I 
am sorry you already jumped on it and implemented it, but I did not think you were 
so fast).

Another more conservative approach would be encrypt-then-mac (or we can simply 
keep AES/CBC as default).

An overall observation would also be that, given the sensitive topic, it would be 
good to have a more extensive test suite for this feature...

my 2 cents

regards

antonio

>
> -Original Message-
> From: Antonio Sanso [mailto:asa...@adobe.com.INVALID]
> Sent: Monday, November 20, 2017 10:29 AM
> To: dev@sling.apache.org
> Subject: Re: value level encryption - Donating?
>
> EXTERNAL
>
> hi Jason,
>
> thanks a lot for the donation.
> I already commented on the issue, just pasting inline part of the 
> comment though
>
> On Nov 20, 2017, at 2:50 PM, Jason Bailey  wrote:
>
>> So I'm just about done implementing this.
>>
>> https://github.com/JEBailey/sling-encrypt
>>
>> Value level encryption. IV is stored inline so there's no repetition. 
>> Accessing encrypted data via the EncryptionValueMap will decode it 
>> automatically on access and will handle automatically encrypting values if 
>> an encrypted value is updated.
>>
>> Only problem I had besides catching up on the last 15 years of 
>> cryptography
>
> I have seen you have used AES/CBC, which is not (extremely) bad. That said, if 
> we really want to put this in Sling we'd better do things as the state of the art 
> requires.
> As a rule of thumb, you never (only) encrypt. You'd better add some integrity 
> check mechanism (e.g. AES GCM or encrypt-then-mac).
>
> regards
>
> antonio
>
>> was that the downstream application I use has a non-configurable whitelist 
>> filter for post processors that contain an '@'. So I had to make the post 
>> processor configurable.
>>
>> As mentioned earlier I wrote this with the intention of donating. I tried to 
>> make it as easy as possible for it to be pulled into where it needs to go.
>>
>> However I don't know the process for Donating. Can someone point me the way 
>> or to some documentation?
>>
>> Thanks.
>> -Jason
>>
>> -Original Message-
>> From: Justin Edelson [mailto:jus...@justinedelson.com]
>> Sent: Friday, November 03, 2017 3:37 PM
>> To: dev@sling.apache.org
>> Subject: Re: value level encryption
>>
>> EXTERNAL
>>
>> In AEM, posting encrypted properties to /etc/cloudservices is historically 
>> the primary use case for @Encrypted, but the PostProcessor applies to all 
>> post requests.
>>
>> I think this would be a useful addition to Sling. We may want to have some 
>> kind of SPI to support different encryption schemes, but that's an 
>> implementation detail.
>>
>> Regards,
>> Justin
>>
>>
>> On Fri, Nov 3, 2017 at 2:48 PM Jason Bailey  wrote:
>>
>>> The only docs I can find on that, assuming we're talking AEM, 
>>> mentions it only works for posting things into /etc/cloudservices. So 
>>> that's out.
>>> It's been a while, but I'm under the impression that all 
>>> implementations of the java platform now come with a certain 

[jira] [Commented] (SLING-7255) Donating Sling Resource Encryption Utils

2017-11-20 Thread Jason E Bailey (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-7255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16259745#comment-16259745
 ] 

Jason E Bailey commented on SLING-7255:
---

Documentation has been updated in the README. Encryption has been updated to 
"AES/GCM/NoPadding". Additionally, I extended the API to accept an AAD. 
EncryptionValueMap uses the property name of the encrypted value as the AAD so 
that will prevent someone accidentally moving an encrypted value to a different 
property and exposing the content.

> Donating Sling Resource Encryption Utils
> 
>
> Key: SLING-7255
> URL: https://issues.apache.org/jira/browse/SLING-7255
> Project: Sling
>  Issue Type: Task
>Reporter: Jason E Bailey
> Attachments: sling-encrypt-0.0.2-beta.zip
>
>
> Issue to track donation of Sling resource encryption
> Codebase
> https://github.com/JEBailey/sling-encrypt
> source code is attached with sha1 checksum of 
> 717e84c0ec45191d14d93cebbe8795961b393610



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
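
The scheme discussed in this thread (AES/GCM/NoPadding, a fresh 96-bit nonce stored inline, and the property name as AAD), as an added example that is not code from sling-encrypt. The class and method names, the Base64(nonce || ciphertext || tag) layout, the in-process key and the sample property names and value are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical illustration class; not part of sling-encrypt.
public class GcmPropertyEncryptionExample {

    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int NONCE_BYTES = 12;   // 96-bit nonce, as discussed in the thread
    private static final int TAG_BITS = 128;     // full-length authentication tag
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Encrypts value and binds it to propertyName through the AAD.
     *  Returns Base64(nonce || ciphertext || tag) (assumed storage layout). */
    static String encrypt(SecretKey key, String propertyName, String value)
            throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        RANDOM.nextBytes(nonce);                 // fresh random nonce for every encryption
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        cipher.updateAAD(propertyName.getBytes(StandardCharsets.UTF_8));
        byte[] sealed = cipher.doFinal(value.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(nonce.length + sealed.length)
                .put(nonce).put(sealed).array();
        return Base64.getEncoder().encodeToString(out);
    }

    /** Decrypts a stored value; throws AEADBadTagException if the ciphertext,
     *  the nonce or the property name differs from what was sealed. */
    static String decrypt(SecretKey key, String propertyName, String stored)
            throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(stored);
        if (in.length < NONCE_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("stored value too short");
        }
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key,
                new GCMParameterSpec(TAG_BITS, in, 0, NONCE_BYTES));
        cipher.updateAAD(propertyName.getBytes(StandardCharsets.UTF_8));
        byte[] plain = cipher.doFinal(in, NONCE_BYTES, in.length - NONCE_BYTES);
        return new String(plain, StandardCharsets.UTF_8);
    }

    /** True when decryption fails the integrity check. */
    static boolean rejected(SecretKey key, String propertyName, String stored) {
        try {
            decrypt(key, propertyName, stored);
            return false;
        } catch (AEADBadTagException e) {
            return true;
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static void check(boolean condition, String message) {
        if (!condition) {
            throw new AssertionError(message);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(128);                     // 128-bit key, as in the thread
        SecretKey key = generator.generateKey(); // constructed sample key

        // Constructed sample property name and value.
        String stored = encrypt(key, "apiSecret", "s3cr3t-value");

        // Round trip under the original property name succeeds.
        check("s3cr3t-value".equals(decrypt(key, "apiSecret", stored)), "round trip");

        // The same stored value under another property name fails authentication.
        check(rejected(key, "description", stored), "moved value must be rejected");

        // Flipping one bit of the stored bytes fails authentication.
        byte[] raw = Base64.getDecoder().decode(stored);
        raw[raw.length - 1] ^= 0x01;
        check(rejected(key, "apiSecret", Base64.getEncoder().encodeToString(raw)),
                "tampered value must be rejected");

        // A fresh nonce makes two encryptions of the same value differ.
        check(!stored.equals(encrypt(key, "apiSecret", "s3cr3t-value")), "nonce reuse");

        System.out.println("all checks passed");
    }
}
```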


[RESULT][VOTE] Release Apache Sling Security 1.1.8

2017-11-20 Thread Antonio Sanso
The vote passed with 4 binding +1s

regards

antonio



[jira] [Assigned] (SLING-7252) ResourceResolverImpl.map() does not invoke ResourceDecorator

2017-11-20 Thread Karl Pauls (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7252?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karl Pauls reassigned SLING-7252:
-

Assignee: Karl Pauls

> ResourceResolverImpl.map() does not invoke ResourceDecorator
> 
>
> Key: SLING-7252
> URL: https://issues.apache.org/jira/browse/SLING-7252
> Project: Sling
>  Issue Type: Bug
>  Components: ResourceResolver
>Affects Versions: Resource Resolver 1.4.16, Resource Resolver 1.5.30
>Reporter: Francisco Chicharro
>Assignee: Karl Pauls
> Fix For: Resource Resolver 1.5.32
>
> Attachments: resourceresolverimpl.patch
>
>
> ResourceDecorators are invoked by ResourceResolverImpl for resource 
> resolution but not for mapping.
> I'm experiencing this issue with version 1.4.16, but the issue is also there 
> for latest version 1.5.30.
> I'm attaching a patch for 1.4.16 version.
> CC: [~cziegeler]





[jira] [Closed] (SLING-7219) Add scope forward to ContentDispositionFilter

2017-11-20 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7219?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso closed SLING-7219.


> Add scope forward to ContentDispositionFilter
> -
>
> Key: SLING-7219
> URL: https://issues.apache.org/jira/browse/SLING-7219
> Project: Sling
>  Issue Type: Improvement
>  Components: Extensions
>Reporter: Antonio Sanso
>Assignee: Antonio Sanso
>Priority: Minor
> Fix For: Security 1.1.8
>
>
> The {{ContentDispositionFilter}} sets the filter scope to request
> {code}
> @Component(property={"sling.filter.scope=request", 
> "service.ranking:Integer=25000"})
> {code}
> it would be good to add as well the scope forward





[jira] [Updated] (SLING-7244) Correct require capability for http whiteboard

2017-11-20 Thread Antonio Sanso (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-7244?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Antonio Sanso updated SLING-7244:
-
Fix Version/s: (was: Security 1.1.8)
   Security 1.1.10

> Correct require capability for http whiteboard
> --
>
> Key: SLING-7244
> URL: https://issues.apache.org/jira/browse/SLING-7244
> Project: Sling
>  Issue Type: Bug
>  Components: Engine, Extensions
>Affects Versions: i18n 2.5.8, Feature Flags 1.2.0, Engine 2.6.8, Security 
> 1.1.6
>Reporter: Carsten Ziegeler
>Assignee: Carsten Ziegeler
> Fix For: Feature Flags 1.2.2, Engine 2.6.10, Security 1.1.10, 
> i18n 2.5.10
>
>
> The require capability should not use a fixed version but a version range, 
> otherwise it will not resolve once we update the http implementation





[jira] [Created] (SLING-7253) Upgrade Karaf to 4.2

2017-11-20 Thread Oliver Lietz (JIRA)
Oliver Lietz created SLING-7253:
---

 Summary: Upgrade Karaf to 4.2
 Key: SLING-7253
 URL: https://issues.apache.org/jira/browse/SLING-7253
 Project: Sling
  Issue Type: Task
  Components: Karaf
Reporter: Oliver Lietz
Assignee: Oliver Lietz
 Fix For: Karaf Features 0.2.0, Karaf Integration Tests 0.2.0, 
Karaf Distribution 0.2.0, Karaf Launchpad Integration Tests (Oak Tar) 0.0.2


[\[ANN\] Apache Karaf "Container" 4.2.0.M1 has been released 
!|https://lists.apache.org/thread.html/cb12c5f5bc3c78422a523b44afc23195d9d353e4bd2fd5a62d1baa1c@%3Cdev.karaf.apache.org%3E]





[GitHub] chetanmeh closed pull request #1: SLING-3049 - Make Logback Stacktrace Packaging data support OSGi aware

2017-11-20 Thread GitBox
chetanmeh closed pull request #1: SLING-3049 - Make Logback Stacktrace 
Packaging data support OSGi aware
URL: https://github.com/apache/sling-org-apache-sling-commons-log/pull/1
 
 
   


This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services


[jira] [Commented] (SLING-3049) Make Logback Stacktrace Packaging data support OSGi aware

2017-11-20 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-3049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16259265#comment-16259265
 ] 

ASF GitHub Bot commented on SLING-3049:
---

chetanmeh commented on issue #1: SLING-3049 - Make Logback Stacktrace Packaging 
data support OSGi aware
URL: 
https://github.com/apache/sling-org-apache-sling-commons-log/pull/1#issuecomment-345706219
 
 
   Changes merged to master via rebase




> Make Logback Stacktrace Packaging data support OSGi aware
> -
>
> Key: SLING-3049
> URL: https://issues.apache.org/jira/browse/SLING-3049
> Project: Sling
>  Issue Type: Improvement
>  Components: Commons
>Reporter: Chetan Mehrotra
>Assignee: Chetan Mehrotra
>  Labels: logback
> Fix For: Commons Log 5.0.4
>
> Attachments: SLING-3049.patch, 
> buildbot-exceptions-while-stopping-jetty.txt
>
>
> Logback provides a useful feature where it dumps the Class packaging Data 
> along with the stacktrace [1]. This provides a quick view of the location 
> from where classes in a given stacktrace are coming. Its default logic does 
> not work properly in OSGi env. Hence it would be useful to patch its logic to 
> become OSGi aware
> [1] http://logback.qos.ch/reasonsToSwitch.html#packagingData





[jira] [Commented] (SLING-3049) Make Logback Stacktrace Packaging data support OSGi aware

2017-11-20 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-3049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16259264#comment-16259264
 ] 

ASF GitHub Bot commented on SLING-3049:
---

chetanmeh closed pull request #1: SLING-3049 - Make Logback Stacktrace 
Packaging data support OSGi aware
URL: https://github.com/apache/sling-org-apache-sling-commons-log/pull/1
 
 
   




> Make Logback Stacktrace Packaging data support OSGi aware
> -
>
> Key: SLING-3049
> URL: https://issues.apache.org/jira/browse/SLING-3049
> Project: Sling
>  Issue Type: Improvement
>  Components: Commons
>Reporter: Chetan Mehrotra
>Assignee: Chetan Mehrotra
>  Labels: logback
> Fix For: Commons Log 5.0.4
>
> Attachments: SLING-3049.patch, 
> buildbot-exceptions-while-stopping-jetty.txt
>
>
> Logback provides a useful feature where it dumps the Class packaging Data 
> along with the stacktrace [1]. This provides a quick view of the location 
> from where classes in a given stacktrace are coming. Its default logic does 
> not work properly in OSGi env. Hence it would be useful to patch its logic to 
> become OSGi aware
> [1] http://logback.qos.ch/reasonsToSwitch.html#packagingData





[GitHub] chetanmeh commented on issue #1: SLING-3049 - Make Logback Stacktrace Packaging data support OSGi aware

2017-11-20 Thread GitBox
chetanmeh commented on issue #1: SLING-3049 - Make Logback Stacktrace Packaging 
data support OSGi aware
URL: 
https://github.com/apache/sling-org-apache-sling-commons-log/pull/1#issuecomment-345706219
 
 
   Changes merged to master via rebase




With regards,
Apache Git Services


[jira] [Commented] (SLING-7255) Donating Sling Resource Encryption Utils

2017-11-20 Thread Robert Munteanu (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-7255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16259294#comment-16259294
 ] 

Robert Munteanu commented on SLING-7255:


Great to see this converging towards a donation. [~jebailey] - would you mind 
updating the documentation with at least

- scenarios where it's supposed to help
- how to use this bundle

And then it would be great if [~asanso] could do a cursory review of the 
contribution.

> Donating Sling Resource Encryption Utils
> 
>
> Key: SLING-7255
> URL: https://issues.apache.org/jira/browse/SLING-7255
> Project: Sling
>  Issue Type: Task
>Reporter: Jason E Bailey
> Attachments: sling-encrypt-0.0.1-beta.zip
>
>
> Issue to track donation of Sling resource encryption
> Codebase
> https://github.com/JEBailey/sling-encrypt
> source code is attached with sha1 checksum of 
> 717e84c0ec45191d14d93cebbe8795961b393610





RE: value level encryption - Donating?

2017-11-20 Thread Jason Bailey
So I'm just about done implementing this.

https://github.com/JEBailey/sling-encrypt

Value level encryption. IV is stored inline so there's no repetition. Accessing 
encrypted data via the EncryptionValueMap will decode it automatically on 
access and will handle automatically encrypting values if an encrypted value is 
updated.

Only problem I had besides catching up on the last 15 years of cryptography was 
that the downstream application I use has a non-configurable whitelist filter 
for post processors that contain an '@'. So I had to make the post processor 
configurable.

As mentioned earlier I wrote this with the intention of donating. I tried to 
make it as easy as possible for it to be pulled into where it needs to go.

However I don't know the process for Donating. Can someone point me the way or 
to some documentation?

Thanks.
-Jason

-Original Message-
From: Justin Edelson [mailto:jus...@justinedelson.com] 
Sent: Friday, November 03, 2017 3:37 PM
To: dev@sling.apache.org
Subject: Re: value level encryption

EXTERNAL

In AEM, posting encrypted properties to /etc/cloudservices is historically the 
primary use case for @Encrypted, but the PostProcessor applies to all post 
requests.

I think this would be a useful addition to Sling. We may want to have some kind 
of SPI to support different encryption schemes, but that's an implementation 
detail.

Regards,
Justin


On Fri, Nov 3, 2017 at 2:48 PM Jason Bailey  wrote:

> The only docs I can find on that, assuming we're talking AEM, 
> mentions it only works for posting things into /etc/cloudservices. So that's 
> out.
> It's been a while, but I'm under the impression that all 
> implementations of the java platform now come with a certain level of 
> crypto
>
> https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html
>
> I'd probably add a configuration so you could define the level of 
> cryptography, and then that would allow people who needed a higher 
> level to install their own providers. Is this something that Sling 
> would be interested in? Since I'm going to be writing this, if you're 
> interested, I'd rather write it with the intent of directly donating it.
>
>
>
> -Original Message-
> From: Justin Edelson [mailto:jus...@justinedelson.com]
> Sent: Friday, November 03, 2017 1:35 PM
> To: dev@sling.apache.org
> Subject: Re: value level encryption
>
> EXTERNAL
>
> We have this in our commercial product. At a high level, the way it 
> works is that there is a PostProcessor which looks for an @Encrypted 
> postfixed property and, if that is present, the corresponding property 
> is stored in an encrypted fashion. Decryption is all done manually, 
> although personally the idea of an EncryptionValueMap seems really cool to me.
>
> I believe the challenge in bringing this into Sling relates to the 
> encryption libraries.
>
> On Fri, Nov 3, 2017 at 8:45 AM Jason Bailey  wrote:
>
> > Here's the use case
> >
> > My organization has decided that to conform to the GDPR, any 
> > sensitive data should be encrypted while at rest. From a Sling 
> > perspective that is a challenge since we've empowered the authors to 
> > create forms the way they want. So to be on the safe side, we're 
> > looking at encrypting all form fields as they are persisted, and 
> > then decrypting the values from the resource when we need to process 
> > them.
> >
> > Now I'm thinking of an EncryptionValueMap that will simplify this 
> > process and encapsulate the functionality. You guys are usually 
> > ahead of me when I come up with this stuff and I don't like 
> > replicating effort. So is there any functionality currently or 
> > planned to handle encryption of resource values?
> >
> > Thanks
> > Jason
> >
>


Re: value level encryption - Donating?

2017-11-20 Thread Konrad Windszus
Hi Jason,
please first create an according JIRA and link the PR there.
Thanks,
Konrad

> On 20. Nov 2017, at 14:50, Jason Bailey  wrote:
> 
> So I'm just about done implementing this.
> 
> https://github.com/JEBailey/sling-encrypt
> 
> Value level encryption. IV is stored inline so there's no repetition. 
> Accessing encrypted data via the EncryptionValueMap will decode it 
> automatically on access and will handle automatically encrypting values if an 
> encrypted value is updated.
> 
> Only problem I had besides catching up on the last 15 years of cryptography 
> was that the downstream application I use has a non-configurable whitelist 
> filter for post processors that contain an '@'. So I had to make the post 
> processor configurable.
> 
> As mentioned earlier I wrote this with the intention of donating. I tried to 
> make it as easy as possible for it to be pulled into where it needs to go.
> 
> However I don't know the process for Donating. Can someone point me the way 
> or to some documentation?
> 
> Thanks.
> -Jason
> 
> -Original Message-
> From: Justin Edelson [mailto:jus...@justinedelson.com] 
> Sent: Friday, November 03, 2017 3:37 PM
> To: dev@sling.apache.org
> Subject: Re: value level encryption
> 
> EXTERNAL
> 
> In AEM, posting encrypted properties to /etc/cloudservices is historically 
> the primary use case for @Encrypted, but the PostProcessor applies to all 
> post requests.
> 
> I think this would be a useful addition to Sling. We may want to have some 
> kind of SPI to support different encryption schemes, but that's an 
> implementation detail.
> 
> Regards,
> Justin
> 
> 
> On Fri, Nov 3, 2017 at 2:48 PM Jason Bailey  wrote:
> 
>> The only docs I can find on that, assuming we're talking AEM, 
>> mentions it only works for posting things into /etc/cloudservices. So that's 
>> out.
>> It's been a while, but I'm under the impression that all 
>> implementations of the java platform now come with a certain level of 
>> crypto
>> 
>> https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html
>> 
>> I'd probably add a configuration so you could define the level of 
>> cryptography, and then that would allow people who needed a higher 
>> level to install their own providers. Is this something that Sling 
>> would be interested in? Since I'm going to be writing this, if you're 
>> interested, I'd rather write it with the intent of directly donating it.
>> 
>> 
>> 
>> -Original Message-
>> From: Justin Edelson [mailto:jus...@justinedelson.com]
>> Sent: Friday, November 03, 2017 1:35 PM
>> To: dev@sling.apache.org
>> Subject: Re: value level encryption
>> 
>> EXTERNAL
>> 
>> We have this in our commercial product. At a high level, the way it 
>> works is that there is a PostProcessor which looks for an @Encrypted 
>> postfixed property and, if that is present, the corresponding property 
>> is stored in an encrypted fashion. Decryption is all done manually, 
>> although personally the idea of an EncryptionValueMap seems really cool to 
>> me.
>> 
>> I believe the challenge in bringing this into Sling relates to the 
>> encryption libraries.
>> 
>> On Fri, Nov 3, 2017 at 8:45 AM Jason Bailey  wrote:
>> 
>>> Here's the use case
>>> 
>>> My organization has decided that to conform to the GDPR, any 
>>> sensitive data should be encrypted while at rest. From a Sling 
>>> perspective that is a challenge since we've empowered the authors to 
>>> create forms the way they want. So to be on the safe side, we're 
>>> looking at encrypting all form fields as they are persisted, and 
>>> then decrypting the values from the resource when we need to process 
>>> them.
>>> 
>>> Now I'm thinking of an EncryptionValueMap that will simplify this 
>>> process and encapsulate the functionality. You guys are usually 
>>> ahead of me when I come up with this stuff and I don't like 
>>> replicating effort. So is there any functionality currently or 
>>> planned to handle encryption of resource values?
>>> 
>>> Thanks
>>> Jason
>>> 
>> 



[jira] [Resolved] (SLING-3049) Make Logback Stacktrace Packaging data support OSGi aware

2017-11-20 Thread Chetan Mehrotra (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-3049?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Chetan Mehrotra resolved SLING-3049.

   Resolution: Fixed
Fix Version/s: Commons Log 5.0.4

Merged the changes to master. Feature is disabled by default and can be enabled 
by setting config/framework property 
"org.apache.sling.commons.log.packagingDataEnabled" to true

> Make Logback Stacktrace Packaging data support OSGi aware
> -
>
> Key: SLING-3049
> URL: https://issues.apache.org/jira/browse/SLING-3049
> Project: Sling
>  Issue Type: Improvement
>  Components: Commons
>Reporter: Chetan Mehrotra
>Assignee: Chetan Mehrotra
>  Labels: logback
> Fix For: Commons Log 5.0.4
>
> Attachments: SLING-3049.patch, 
> buildbot-exceptions-while-stopping-jetty.txt
>
>
> Logback provides a useful feature where it dumps the Class packaging Data 
> along with the stacktrace [1]. This provides a quick view of the location 
> from where classes in a given stacktrace are coming. Its default logic does 
> not work properly in OSGi env. Hence it would be useful to patch its logic to 
> become OSGi aware
> [1] http://logback.qos.ch/reasonsToSwitch.html#packagingData



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Created] (SLING-7255) Donating Sling Resource Encryption Utils

2017-11-20 Thread Jason E Bailey (JIRA)
Jason E Bailey created SLING-7255:
-

 Summary: Donating Sling Resource Encryption Utils
 Key: SLING-7255
 URL: https://issues.apache.org/jira/browse/SLING-7255
 Project: Sling
  Issue Type: Task
Reporter: Jason E Bailey
 Attachments: sling-encrypt-0.0.1-beta.zip

Issue to track donation of Sling resource encryption

Codebase
https://github.com/JEBailey/sling-encrypt

source code is attached with sha1 checksum of 
717e84c0ec45191d14d93cebbe8795961b393610





--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Created] (SLING-7254) Donating Sling Resource Encryption Utils

2017-11-20 Thread Jason E Bailey (JIRA)
Jason E Bailey created SLING-7254:
-

 Summary: Donating Sling Resource Encryption Utils
 Key: SLING-7254
 URL: https://issues.apache.org/jira/browse/SLING-7254
 Project: Sling
  Issue Type: Task
Reporter: Jason E Bailey
 Attachments: sling-encrypt-0.0.1-beta.zip

Issue to track donation of Sling resource encryption

Codebase
https://github.com/JEBailey/sling-encrypt

source code is attached with sha1 checksum of 
717e84c0ec45191d14d93cebbe8795961b393610





--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (SLING-7255) Donating Sling Resource Encryption Utils

2017-11-20 Thread Antonio Sanso (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-7255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16259339#comment-16259339
 ] 

Antonio Sanso commented on SLING-7255:
--

[~jebailey] thanks for your donation.

Without going too deep into the API layer (other people might comment on it), 
IMHO it would be best to use some way of authenticated encryption rather than 
AES/CBC. 

As a rule of thumb you never (only) encrypt. You'd better add some integrity 
check mechanism (e.g. AES GCM or encrypt-then-mac)

> Donating Sling Resource Encryption Utils
> 
>
> Key: SLING-7255
> URL: https://issues.apache.org/jira/browse/SLING-7255
> Project: Sling
>  Issue Type: Task
>Reporter: Jason E Bailey
> Attachments: sling-encrypt-0.0.1-beta.zip
>
>
> Issue to track donation of Sling resource encryption
> Codebase
> https://github.com/JEBailey/sling-encrypt
> source code is attached with sha1 checksum of 
> 717e84c0ec45191d14d93cebbe8795961b393610



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


Re: value level encryption - Donating?

2017-11-20 Thread Antonio Sanso
hi Jason,

thanks a lot for the donation.
I already commented on the issue, just pasting inline part of the comment though

On Nov 20, 2017, at 2:50 PM, Jason Bailey  wrote:

> So I'm just about done implementing this.
> 
> https://github.com/JEBailey/sling-encrypt
> 
> Value level encryption. IV is stored inline so there's no repetition. 
> Accessing encrypted data via the EncryptionValueMap will decode it 
> automatically on access and will handle automatically encrypting values if an 
> encrypted value is updated.
> 
> Only problem I had besides catching up on the last 15 years of cryptography

I have seen you have used AES/CBC, which is not (extremely) bad. That said, if we 
really want to put this in Sling we’d better do things as the state of the art 
requires.
As a rule of thumb you never (only) encrypt. You'd better add some integrity 
check mechanism (e.g. AES GCM or encrypt-then-mac).
 
regards

antonio

> was that the downstream application I use has a non-configurable whitelist 
> filter for post processors that contain an '@'. So I had to make the post 
> processor configurable.
> 
> As mentioned earlier I wrote this with the intention of donating. I tried to 
> make it as easy as possible for it to be pulled into where it needs to go.
> 
> However I don't know the process for Donating. Can someone point me the way 
> or to some documentation?
> 
> Thanks.
> -Jason
> 
> -Original Message-
> From: Justin Edelson [mailto:jus...@justinedelson.com] 
> Sent: Friday, November 03, 2017 3:37 PM
> To: dev@sling.apache.org
> Subject: Re: value level encryption
> 
> EXTERNAL
> 
> In AEM, posting encrypted properties to /etc/cloudservices is historically 
> the primary use case for @Encrypted, but the PostProcessor applies to all 
> post requests.
> 
> I think this would be a useful addition to Sling. We may want to have some 
> kind of SPI to support different encryption schemes, but that's an 
> implementation detail.
> 
> Regards,
> Justin
> 
> 
> On Fri, Nov 3, 2017 at 2:48 PM Jason Bailey  wrote:
> 
>> The only docs I can find on that, assuming we're talking AEM, 
>> mentions it only works for posting things into /etc/cloudservices. So that's 
>> out.
>> It's been a while, but I'm under the impression that all 
>> implementations of the java platform now come with a certain level of 
>> crypto
>> 
>> https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html
>> 
>> I'd probably add a configuration so you could define the level of 
>> cryptography, and then that would allow people who needed a higher 
>> level to install their own providers. Is this something that Sling 
>> would be interested in? Since I'm going to be writing this, if you're 
>> interested, I'd rather write it with the intent of directly donating it.
>> 
>> 
>> 
>> -Original Message-
>> From: Justin Edelson [mailto:jus...@justinedelson.com]
>> Sent: Friday, November 03, 2017 1:35 PM
>> To: dev@sling.apache.org
>> Subject: Re: value level encryption
>> 
>> EXTERNAL
>> 
>> We have this in our commercial product. At a high level, the way it 
>> works is that there is a PostProcessor which looks for an @Encrypted 
>> postfixed property and, if that is present, the corresponding property 
>> is stored in an encrypted fashion. Decryption is all done manually, 
>> although personally the idea of an EncryptionValueMap seems really cool to 
>> me.
>> 
>> I believe the challenge in bringing this into Sling relates to the 
>> encryption libraries.
>> 
>> On Fri, Nov 3, 2017 at 8:45 AM Jason Bailey  wrote:
>> 
>>> Here's the use case
>>> 
>>> My organization has decided that to conform to the GDPR, any 
>>> sensitive data should be encrypted while at rest. From a Sling 
>>> perspective that is a challenge since we've empowered the authors to 
>>> create forms the way they want. So to be on the safe side, we're 
>>> looking at encrypting all form fields as they are persisted, and 
>>> then decrypting the values from the resource when we need to process 
>>> them.
>>> 
>>> Now I'm thinking of an EncryptionValueMap that will simplify this 
>>> process and encapsulate the functionality. You guys are usually 
>>> ahead of me when I come up with this stuff and I don't like 
>>> replicating effort. So is there any functionality currently or 
>>> planned to handle encryption of resource values?
>>> 
>>> Thanks
>>> Jason
>>> 
>>