Re: Reconsidering when to apply resource access security

2014-01-13 Thread Carsten Ziegeler
Ok, so let's separate the two things for the sake of the discussion - as soon as someone wants to have a resource access gate applied to all resource providers (for whatever reason), this really becomes tedious, especially as you have to know and configure each and every resource provider and set the

Re: Trusted credentials and loginByService

2014-01-13 Thread Chetan Mehrotra
1a and 1b would enable us to sandbox scripts and would be quite a good feature to have. This would allow us to have a much better multi-tenant support story. However the problem with sandboxing untrusted code in any form requires quite a bit of an effort. Just to start with a. Disable access to

Re: Lost parameter order for form POSTs

2014-01-13 Thread Felix Meschberger
Hi Well, all is not lost since, even if the AuthenticationHandler is reading the parameters the Sling Engine's ParameterSupport actually kicks in! (We do this to support multipart/form-data submission of login forms). Yet, I am a bit reluctant to replicate servlet container work here. Yet, on

Lost parameter order for form POSTs

2014-01-13 Thread Alexander Klimetschek
Hi, Sling currently does not allow to read request parameters in their original order. I need this for migrated servlet code that used to run on other servlet containers and was able to preserve the order (see below), thus has URL schemes where parameter order is crucial. Actually it is the j

[jira] [Updated] (SLING-604) Multi value properties not properly supported by ScriptableNode.get(String) method

2014-01-13 Thread Felix Meschberger (JIRA)
[ https://issues.apache.org/jira/browse/SLING-604?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Felix Meschberger updated SLING-604: Fix Version/s: Scripting JavaScript 2.0.4 > Multi value properties not properly supported b

[jira] [Closed] (SLING-604) Multi value properties not properly supported by ScriptableNode.get(String) method

2014-01-13 Thread Felix Meschberger (JIRA)
[ https://issues.apache.org/jira/browse/SLING-604?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Felix Meschberger closed SLING-604. --- Thus closing. > Multi value properties not properly supported by ScriptableNode.get(String) > me

[jira] [Resolved] (SLING-604) Multi value properties not properly supported by ScriptableNode.get(String) method

2014-01-13 Thread Felix Meschberger (JIRA)
[ https://issues.apache.org/jira/browse/SLING-604?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Felix Meschberger resolved SLING-604. - Resolution: Duplicate I have the impression this issue actually duplicates SLING-534 whic

[jira] [Commented] (SLING-291) Clarify and test access to multi-valued Properties from server-side javascript

2014-01-13 Thread Felix Meschberger (JIRA)
[ https://issues.apache.org/jira/browse/SLING-291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13870358#comment-13870358 ] Felix Meschberger commented on SLING-291: - It looks like multiple JavaScript interp

[jira] [Updated] (SLING-1158) page.....html resolves to same resource as page.html

2014-01-13 Thread Felix Meschberger (JIRA)
[ https://issues.apache.org/jira/browse/SLING-1158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Felix Meschberger updated SLING-1158: - Component/s: (was: Scripting) ResourceResolver Yes your observation

[jira] [Commented] (SLING-3266) RhinoJavaScriptEngine should Implement javax.script.Compilable

2014-01-13 Thread Felix Meschberger (JIRA)
[ https://issues.apache.org/jira/browse/SLING-3266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13870334#comment-13870334 ] Felix Meschberger commented on SLING-3266: -- This looks like a duplicate of SLING-

[jira] [Resolved] (SLING-3314) Remove test API from JavaScript wrappers

2014-01-13 Thread Felix Meschberger (JIRA)
[ https://issues.apache.org/jira/browse/SLING-3314?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Felix Meschberger resolved SLING-3314. -- Resolution: Fixed Removed the (property) methods and the tests in Rev. 1557911 > Remov

[jira] [Resolved] (SLING-3308) [Javascript] Upgrading Rhino version from 1.6R2 to 1.7R4

2014-01-13 Thread Felix Meschberger (JIRA)
[ https://issues.apache.org/jira/browse/SLING-3308?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Felix Meschberger resolved SLING-3308. -- Resolution: Fixed Fix Version/s: Scripting JavaScript 2.0.14 Thanks for the patc

JcrResourceProvider: logout "user.jcr.session" automatically (alternative to trusted credentials)

2014-01-13 Thread Alexander Klimetschek
Hi, an alternative to a trusted credentials mechanism is 1. to use loginByService in the authentication handler itself 2. impersonate to the desired user (and have a service user mapping that allows the necessary impersonations) 3. put the resulting jcr session as "user.jcr.session" [0] into the

Re: Reconsidering when to apply resource access security

2014-01-13 Thread Felix Meschberger
-.5 Not exactly vetoing but: This creates an overlap in resource providers which effectively do access control (such as JCR Resource Provider) and as I said before: the feature flag is not a good candidate for the security system. After all the feature flag does visibility but no access contro

[jira] [Commented] (SLING-3315) Refactor replication HTTP API

2014-01-13 Thread Felix Meschberger (JIRA)
[ https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13870083#comment-13870083 ] Felix Meschberger commented on SLING-3315: -- @Bertrand: I have to disagree, sorry.

Re: Trusted credentials and loginByService

2014-01-13 Thread Alexander Klimetschek
Right, good analysis! I have further important additions to #1 and #2: #1 of course is difficult. It should be split up: - 1a. malicious JSP/script code Injecting a script that gets executed by Sling can be a lot easier (incorrect ACLs on prod

RE: rename YAMF to Sling Models

2014-01-13 Thread Brenn Hill
Hi guys, >From past projects I've seen Sling used as more of a front controller (with >lots of perks) and then the resource as the controller (optional) or just a >simple view(script)/model(jcr) binding. Usually the controller being an >invoked java class or service. This is how a number of

[jira] [Commented] (SLING-3315) Refactor replication HTTP API

2014-01-13 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869988#comment-13869988 ] Bertrand Delacretaz commented on SLING-3315: Yeah, it looks like more granular

RE: Reconsidering when to apply resource access security

2014-01-13 Thread Mike Müller
+1 That would be more consistent. Best regards mike > -Original Message- > From: Carsten Ziegeler [mailto:cziege...@apache.org] > Sent: Monday, January 13, 2014 2:24 PM > To: dev@sling.apache.org > Subject: Reconsidering when to apply resource access security > > Hi, > > after long discu

Re: rename YAMF to Sling Models

2014-01-13 Thread Alexander Klimetschek
Sling Models _could_ be slightly confusing if you look at Sling as MVC: M = resources/jcr V = scripts/servlets C = sling engine Just my 2 cents, Alex On 11.01.2014, at 04:47, Carsten Ziegeler wrote: > I'm +1 on the move, I'm not sure if Sling Models is a good name - as a > non-native speaker,

[jira] [Commented] (SLING-3315) Refactor replication HTTP API

2014-01-13 Thread Marius Petria (JIRA)
[ https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869828#comment-13869828 ] Marius Petria commented on SLING-3315: -- It is possible to do all CRUD operations and lis

[jira] [Commented] (SLING-3315) Refactor replication HTTP API

2014-01-13 Thread Tommaso Teofili (JIRA)
[ https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869709#comment-13869709 ] Tommaso Teofili commented on SLING-3315: If it is possible to create / read / upda

Re: [Happy new year] A new year with Sling (2013 Recap and a wishlist for 2014)

2014-01-13 Thread Robert Munteanu
On Mon, 2014-01-06 at 14:08 +0100, Bertrand Delacretaz wrote: Hi, > > On Mon, Jan 6, 2014 at 1:27 PM, Robert Munteanu wrote: > > ...So, are there any takers on coming up with more structured > > documentation, something like 'Essential Apache Sling' or 'Apache > > Sling in Action'? I would be one,

[jira] [Commented] (SLING-3315) Refactor replication HTTP API

2014-01-13 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869668#comment-13869668 ] Bertrand Delacretaz commented on SLING-3315: We could use the SlingPostServlet

[jira] [Comment Edited] (SLING-3315) Refactor replication HTTP API

2014-01-13 Thread Marius Petria (JIRA)
[ https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869625#comment-13869625 ] Marius Petria edited comment on SLING-3315 at 1/13/14 3:55 PM: -

[jira] [Commented] (SLING-3315) Refactor replication HTTP API

2014-01-13 Thread Marius Petria (JIRA)
[ https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869625#comment-13869625 ] Marius Petria commented on SLING-3315: -- Hi Bertrand, The proposed patch only refacto

[jira] [Commented] (SLING-3252) Remove checked in Logback related classes before 4.x release

2014-01-13 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/SLING-3252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869574#comment-13869574 ] Bertrand Delacretaz commented on SLING-3252: According to https://github.com/

Re: Integration of Sling remote tests into a maven build

2014-01-13 Thread Bertrand Delacretaz
Hi Joerg, On Mon, Jan 13, 2014 at 2:44 PM, Jörg Hoh wrote: > ...Taking [0] as example I feel a bit strange about the getJunitServletUrl() > method of the SlingRemoteTestParameters interface. It expects me to return > a URL where the serverside tests reside.. > ...I would prefer if I could inject

Re: Reconsidering when to apply resource access security

2014-01-13 Thread Dominik Süß
+1 On Mon, Jan 13, 2014 at 2:24 PM, Carsten Ziegeler wrote: > Hi, > > after long discussions we have come to the compromise to tag a resource provider > if an (optionally) available resource access security is used for this > provider. > > I think this was a wrong compromise with no real value - and w

Integration of Sling remote tests into a maven build

2014-01-13 Thread Jörg Hoh
Hi, I am just exploring the possibilities to integrate my server side tests into the maven build. I am already using the serverside JUnit tests mechanism provided by Sling and I am quite happy with it. But the way these tests are currently integrated into the maven build process looks a bit odd

Reconsidering when to apply resource access security

2014-01-13 Thread Carsten Ziegeler
Hi, after long discussions we have come to the compromise to tag a resource provider if an (optionally) available resource access security is used for this provider. I think this was a wrong compromise with no real value - and we should remove this additional flag and simply always apply the checks. On

[jira] [Commented] (SLING-3315) Refactor replication HTTP API

2014-01-13 Thread Bertrand Delacretaz (JIRA)
[ https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13869415#comment-13869415 ] Bertrand Delacretaz commented on SLING-3315: I haven't checked but this it mak

Re: rename YAMF to Sling Models

2014-01-13 Thread Bertrand Delacretaz
On Fri, Jan 10, 2014 at 5:28 PM, Justin Edelson wrote: > I'd like to move YAMF from my whiteboard in to extensions and rename > it as Sling Models... +1, and the Sling Models name is ok for me. I'm not a fan of "factory" or "provider" in general, reminds me of J2EE too much ;-) -Bertrand

Re: Trusted credentials and loginByService

2014-01-13 Thread Carsten Ziegeler
Yepp, let's target for #2 and #3 - all I tried to say is that #1 is not a problem which only Sling has :) Carsten 2014/1/13 Ian Boston > Hi, > I agree, #2 and #3 are achievable. > #1 although theoretically possible is not practical. > #1 not being practical underlines that the JVM is 1 securi

[jira] [Updated] (SLING-3315) Refactor replication HTTP API

2014-01-13 Thread Marius Petria (JIRA)
[ https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Marius Petria updated SLING-3315: - Attachment: SLING-3315.patch Patch added for replication HTTP API. > Refactor replication HTTP A

Re: Trusted credentials and loginByService

2014-01-13 Thread Ian Boston
Hi, I agree, #2 and #3 are achievable. #1 although theoretically possible is not practical. #1 not being practical underlines that the JVM is 1 security zone, and once compromised, all bets are off. About 4 years ago, I wrote a fiendishly complex mechanism (driven by my own in JVM security paranoi

[jira] [Created] (SLING-3315) Refactor replication HTTP API

2014-01-13 Thread Marius Petria (JIRA)
Marius Petria created SLING-3315: Summary: Refactor replication HTTP API Key: SLING-3315 URL: https://issues.apache.org/jira/browse/SLING-3315 Project: Sling Issue Type: Improvement

[jira] [Updated] (SLING-3315) Refactor replication HTTP API

2014-01-13 Thread Marius Petria (JIRA)
[ https://issues.apache.org/jira/browse/SLING-3315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Marius Petria updated SLING-3315: - Description: Refactor HTTP API in order to access independently the configuration of an agent an

Re: Trusted credentials and loginByService

2014-01-13 Thread Carsten Ziegeler
I agree that #1 is a lot of work and is most probably not worth the effort, but I don't think it's impossible and it's not that Sling by itself makes this impossible. Carsten 2014/1/13 Chetan Mehrotra > Before we add more support to secure access to trusted authentication > we need to have a p