If I recall correctly, if all your scripts are published to the JCR
repository, then you can just configure the JCR ACL to deny read access to
everyone.  Sling uses a "script user" (admin by default) to read the
scripts, so the end user doesn't have to have rights to read those script
resources to use them.  On the other hand, if your scripts are provided by
some non-JCR resource provider then you would have more work to do to block
read access to those files.

Regards,
Eric
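The approach Eric describes, written out as an added example against the JCR 2.0 and Jackrabbit API (not code from this thread or from Sling itself): it adds a deny entry for jcr:read on /apps for the "everyone" principal and then checks that an anonymous session can no longer see the path while the admin session used as script user still can. It assumes a Jackrabbit repository with anonymous login enabled and an existing admin session; the class and method names are the example's own.

```java
import java.security.Principal;
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;

public class DenyAppsRead {

    // Deny jcr:read on `path` (e.g. "/apps") for the "everyone" group.
    // Sling's script user (admin by default) keeps full access, so script
    // resolution through the admin-backed script session is unaffected.
    static void denyEveryoneRead(Session admin, String path) throws Exception {
        AccessControlManager acm = admin.getAccessControlManager();
        Principal everyone = ((JackrabbitSession) admin).getPrincipalManager().getEveryone();

        // Reuse the ACL already bound to the node if there is one,
        // otherwise take the applicable (not yet bound) ACL policy.
        JackrabbitAccessControlList acl = null;
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) { acl = (JackrabbitAccessControlList) p; }
        }
        if (acl == null) {
            AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
            while (it.hasNext()) {
                AccessControlPolicy p = it.nextAccessControlPolicy();
                if (p instanceof JackrabbitAccessControlList) { acl = (JackrabbitAccessControlList) p; break; }
            }
        }
        if (acl == null) throw new IllegalStateException("no ACL policy available for " + path);

        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        acl.addEntry(everyone, read, false);   // false = deny entry
        acm.setPolicy(path, acl);
        admin.save();
    }

    // Check the effect: anonymous must not see the path, admin still must.
    // Assumes anonymous login (repo.login() without credentials) is enabled.
    static boolean verify(Repository repo, Session admin, String path) throws Exception {
        Session anon = repo.login();
        try {
            return !anon.nodeExists(path) && admin.nodeExists(path);
        } finally {
            anon.logout();
        }
    }
}
```

Because every user is a member of "everyone", this deny also hides /apps from authenticated users, which is the situation David's caution about script resolution and getResourceSuperType() refers to.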

On Fri, Jun 8, 2012 at 11:16 AM, David Gonzalez <[email protected]> wrote:

> Ideally all security should be handled via JCR ACLs. Reverse proxy
> rules/dispatcher should be used to harden those ACLs. Be careful using
> ACLs - as they may impede script resolution - I believe
> getResourceSuperType() where the SuperType is not readable by the user
> will throw an error (unless this has already been fixed).
>
> Sent from my iPad
>
> On Jun 8, 2012, at 10:19 AM, Davide <[email protected]> wrote:
>
> > On 08/06/2012 13:46, Robert Munteanu wrote:
> >> Hi,
> >>
> >> I've recently been made aware that all resources under /apps are
> readable by everyone. This includes JSP scripts and I presume bundles
> deployed under the install folder.
> >>
> >> What is the recommended way of securing access to such resources?
> >
> > hi Robert,
> >
> > normally I work with CQ and in that case there's the Dispatcher (apache
> > module) that takes care of it.
> >
> > Let's say that without knowing sling too much, if I'd have to do it I
> > would manage it at 2 levels.
> >
> > First one with ACL in jackrabbit. Giving the read access only behind
> > authentication.
> >
> > Second, using the apache rewrite rules I would rewrite all /apps and
> > /libs to a 404.
> >
> > HTH
> > Davide
> >
>