Ideally all security should be handled via JCR ACLs. Reverse proxy
rules/dispatcher should be used to harden those ACLs. Be careful using
ACLs - as they may impede script resolution - I believe
getResourceSuperType() where the SuperType is not readable by the user
will throw an error (unless this has already been fixed).

Sent from my iPad

On Jun 8, 2012, at 10:19 AM, Davide <[email protected]> wrote:

> On 08/06/2012 13:46, Robert Munteanu wrote:
>> Hi,
>>
>> I've recently been made aware that all resources under /apps are readable by 
>> everyone. This includes JSP scripts and I presume bundles deployed under the 
>> install folder.
>>
>> What is the recommended way of securing access to such resources?
>
> hi Robert,
>
> normally I work with CQ and in that case there's the Dispatcher (Apache
> module) that takes care of it.
>
> Let's say that without knowing Sling too much, if I had to do it I
> would manage it at 2 levels.
>
> First one with ACLs in Jackrabbit, giving read access only behind
> authentication.
>
> Second, using the Apache rewrite rules I would rewrite all /apps and
> /libs to a 404.
>
> HTH
> Davide
>
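The second layer Davide describes, as an added example that is not from this thread: an Apache httpd mod_rewrite fragment, assumed (both assumptions) to use mod_proxy in front of a Sling instance on localhost:8080, showing a too-narrow rule beside one that also covers the selector/extension forms Sling resolves for the same nodes.

```apache
# Added example, not from the mailing-list thread. Assumes Apache httpd with
# mod_rewrite and mod_proxy fronting a Sling instance at localhost:8080
# (assumption); the rules sit in the VirtualHost that proxies to Sling.
RewriteEngine On

# Too narrow: only matches a path that continues with "/" after /apps or /libs.
# Sling also serves the same nodes through selector/extension URLs such as
# /apps.json or /apps.infinity.json (the default GET servlet's JSON rendering),
# which this pattern does not cover.
#RewriteRule ^/(apps|libs)/ - [R=404,L]

# Broader: match the root itself, followed by end-of-path, "/" or "." (the
# selector/extension separator), so the JSON/selector forms are rejected too.
RewriteRule ^/(apps|libs)(/|\.|$) - [R=404,L]

# Everything else is proxied to Sling. This is the hardening layer only; the
# JCR ACLs in the repository remain the primary control, since a request that
# reaches the instance by another route bypasses these rules.
ProxyPass        / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
```

After deploying, request both /apps/ and /apps.infinity.json through the proxy and confirm each returns 404 rather than repository content.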
