I agree that #1 is a lot of work and is most probably not worth the effort,
but I don't think it's impossible and it's not that Sling by itself makes
this impossible.
Carsten
2014/1/13 Chetan Mehrotra chetan.mehro...@gmail.com
Before we add more support to secure access to trusted
Marius Petria created SLING-3315:
Summary: Refactor replication HTTP API
Key: SLING-3315
URL: https://issues.apache.org/jira/browse/SLING-3315
Project: Sling
Issue Type: Improvement
[
https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marius Petria updated SLING-3315:
-
Description:
Refactor HTTP API in order to access independently the configuration of an
agent
Hi,
I agree, #2 and #3 are achievable.
#1 although theoretically possible is not practical.
#1 not being practical underlines that the JVM is 1 security zone, and
once compromised, all bets are off.
About 4 years ago, I wrote a fiendishly complex mechanism (driven by
my own in JVM security
[
https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marius Petria updated SLING-3315:
-
Attachment: SLING-3315.patch
Patch added for replication HTTP API.
Refactor replication HTTP
Yepp, let's target for #2 and #3 - all I tried to say is that #1 is not a
problem which only Sling has :)
Carsten
2014/1/13 Ian Boston i...@tfd.co.uk
Hi,
I agree, #2 and #3 are achievable.
#1 although theoretically possible is not practical.
#1 not being practical underlines that the JVM
On Fri, Jan 10, 2014 at 5:28 PM, Justin Edelson
jus...@justinedelson.com wrote:
I'd like to move YAMF from my whiteboard in to extensions and rename
it as Sling Models...
+1, and the Sling Models name is ok for me. I'm not a fan of factory
or provider in general, reminds me of J2EE too much ;-)
[
https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869415#comment-13869415
]
Bertrand Delacretaz commented on SLING-3315:
I haven't checked but this it
Hi,
after long discussions we have come to the compromise to tag a resource provider
if a (optionally) available resource access security is used for this
provider.
I think this was a wrong compromise with no real value - and we should
remove this additional flag and simply always apply the checks.
Hi,
I am just exploring the possibilities to integrate my server side tests into
the maven build. I am already using the serverside JUnit tests mechanism
provided by Sling and I am quite happy with it. But the way how these tests
are currently integrated into the maven build process looks a bit
+1
On Mon, Jan 13, 2014 at 2:24 PM, Carsten Ziegeler cziege...@apache.org wrote:
Hi,
after long discussions we have come to the compromise to tag a resource provider
if a (optionally) available resource access security is used for this
provider.
I think this was a wrong compromise with no real
[
https://issues.apache.org/jira/browse/SLING-3252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869574#comment-13869574
]
Bertrand Delacretaz commented on SLING-3252:
According to
[
https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869625#comment-13869625
]
Marius Petria commented on SLING-3315:
--
Hi Bertrand,
The proposed patch only
[
https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869625#comment-13869625
]
Marius Petria edited comment on SLING-3315 at 1/13/14 3:55 PM:
[
https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869668#comment-13869668
]
Bertrand Delacretaz commented on SLING-3315:
We could use the SlingPostServlet
On Mon, 2014-01-06 at 14:08 +0100, Bertrand Delacretaz wrote:
Hi,
On Mon, Jan 6, 2014 at 1:27 PM, Robert Munteanu rob...@lmn.ro wrote:
...So, are there any takers on coming up with more structured
documentation, something like 'Essential Apache Sling' or 'Apache
Sling in Action'? I would
[
https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869709#comment-13869709
]
Tommaso Teofili commented on SLING-3315:
If it is possible to create / read /
[
https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869828#comment-13869828
]
Marius Petria commented on SLING-3315:
--
It is possible to do all CRUD operations and
Sling Models _could_ be slightly confusing if you look at Sling as MVC:
M = resources/jcr
V = scripts/servlets
C = sling engine
Just my 2 cents,
Alex
On 11.01.2014, at 04:47, Carsten Ziegeler cziege...@apache.org wrote:
I'm +1 on the move, I'm not sure if Sling Models is a good name - as a
+1
That would be more consistent.
Best regards
mike
-Original Message-
From: Carsten Ziegeler [mailto:cziege...@apache.org]
Sent: Monday, January 13, 2014 2:24 PM
To: dev@sling.apache.org
Subject: Reconsidering when to apply resource access security
Hi,
after long discussions
[
https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869988#comment-13869988
]
Bertrand Delacretaz commented on SLING-3315:
Yeah, it looks like more granular
Hi guys,
From past projects I've seen Sling used as more of a front controller (with
lots of perks) and then the resource as the controller (optional) or just a
simple view(script)/model(jcr) binding. Usually the controller being an
invoked java class or service.
This is how a number of
Right, good analysis! I have further important additions to #1 and #2:
#1 of course is difficult. It should be split up:
-
1a. malicious JSP/script code
Injecting a script that gets executed by Sling can be a lot easier (incorrect
ACLs on
[
https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13870083#comment-13870083
]
Felix Meschberger commented on SLING-3315:
--
@Bertrand: I have to disagree, sorry.
-.5
Not exactly vetoing but: This creates an overlap in resource providers which
effectively do access control (such as JCR Resource Provider) and as I said
before: the feature flag is not a good candidate for the security system.
After all the feature flag does visibility but no access
Hi,
an alternative to a trusted credentials mechanism is
1. to use loginByService in the authentication handler itself
2. impersonate to the desired user (and have a service user mapping that allows
the necessary impersonations)
3. put the resulting jcr session as user.jcr.session [0] into the
[
https://issues.apache.org/jira/browse/SLING-3308?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Felix Meschberger resolved SLING-3308.
--
Resolution: Fixed
Fix Version/s: Scripting JavaScript 2.0.14
Thanks for the
[
https://issues.apache.org/jira/browse/SLING-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Felix Meschberger resolved SLING-3314.
--
Resolution: Fixed
Removed the (property) methods and the tests in Rev. 1557911
[
https://issues.apache.org/jira/browse/SLING-3266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13870334#comment-13870334
]
Felix Meschberger commented on SLING-3266:
--
This looks like a duplicate of
[
https://issues.apache.org/jira/browse/SLING-1158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Felix Meschberger updated SLING-1158:
-
Component/s: (was: Scripting)
ResourceResolver
Yes your observation
[
https://issues.apache.org/jira/browse/SLING-291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13870358#comment-13870358
]
Felix Meschberger commented on SLING-291:
-
It looks like multiple JavaScript
[
https://issues.apache.org/jira/browse/SLING-604?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Felix Meschberger resolved SLING-604.
-
Resolution: Duplicate
I have the impression this issue actually duplicates SLING-534
[
https://issues.apache.org/jira/browse/SLING-604?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Felix Meschberger closed SLING-604.
---
Thus closing.
Multi value properties not properly supported by ScriptableNode.get(String)
[
https://issues.apache.org/jira/browse/SLING-604?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Felix Meschberger updated SLING-604:
Fix Version/s: Scripting JavaScript 2.0.4
Multi value properties not properly supported
Hi,
Sling currently does not allow to read request parameters in their original
order. I need this for a migrated servlet code that used to run on other
servlet containers and was able to preserve the order (see below), thus has URL
schemes where parameter order is crucial.
Actually it is the
1a and 1b would enable us to sandbox scripts and would be quite a good
feature to have. This would allow us to have a much better Multi
Tenant support story.
However the problem with sandboxing untrusted code in any form
requires quite a bit of an effort. Just to start with
a. Disable access
Hi
Well, all is not lost since, even if the AuthenticationHandler is reading the
parameters the Sling Engine's ParameterSupport actually kicks in! (We do this
to support multipart/form-data submission of login forms).
Yet, I am a bit reluctant to replicate servlet container work here.
Yet,
Ok, so let's separate the two things for the sake of the discussion - as soon
as someone wants to have a resource access gate applied to all resource
providers (for whatever reason), this really becomes tedious, especially as
you have to know and configure each and every resource provider and set