Another solution is to not rely on the Sling post servlet but write special post scripts for the resource types you want to support.
Btw, I still think that we need something in this area - along with better validation. I started a prototype a long time ago, but never got it to a point to share it. But I plan to have something for the next adaptTo in September...

Regards
Carsten

2012/6/11 Justin Edelson <[email protected]>:
> Hi,
>
> On Jun 11, 2012, at 1:04 PM, Felix Meschberger <[email protected]> wrote:
>
>> Hi,
>>
>> On 11.06.2012 at 09:03, Davide wrote:
>>
>>> (please note the quotes around securing).
>>>
>>> I really love the SlingPostServlet and the fact that I can create JCR
>>> structure starting from a JSON stream. It really eases the process for
>>> creating (and updating?) content.
>>>
>>> Now if I'd go for the usage of it, I'd like to prevent some malicious
>>> teenager from using curl commands to POST fake/not-correct content to the
>>> repository.
>>>
>>> I know that I can restrict it with user/password but what if he has the
>>> right credentials?
>>
>> Access control is the way to go.
>>
>> If an attacker has knowledge of credentials to write to the repository, you
>> have a problem to solve ;-)
>>
>>>
>>> Is there any way to restrict the operations allowed by the PostServlet?
>>
>> None, other than access control on the content
>>
>>>
>>> Enforcing some content structures?
>>
>> No.
>
> You could potentially do this with a PostProcessor.
>
> Justin
>
>>
>>>
>>> Prevent "flooding"?
>>
>> No, such mechanisms might make sense, but we don't have them
>>
>> Regards
>> Felix
>>
>>>
>>> Cheers
>>> Davide
>>>
>>

-- 
Carsten Ziegeler
[email protected]
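As an added illustration of Justin's PostProcessor suggestion (this is example code written for this page, not code from the thread or from Apache Sling), the following `SlingPostProcessor` inspects every node the Sling POST servlet created during a request and rejects the request when a node appears outside an allowed subtree or carries a resource type that is not on an allow-list. It assumes the `org.apache.sling.servlets.post.SlingPostProcessor` interface (`process(SlingHttpServletRequest, List<Modification>)`), the `Modification`/`ModificationType` classes from the same package, OSGi Declarative Services annotations, and that an exception thrown from a post processor causes the servlet to report an error instead of saving the session; the package name, the content root and the allowed resource types are hypothetical values chosen for the example.

```java
// Example SlingPostProcessor that enforces a simple content structure.
// Added illustration for this thread; not part of Apache Sling itself.
// Assumptions: SlingPostProcessor / Modification / ModificationType from
// org.apache.sling.servlets.post, OSGi DS annotations, and that an exception
// thrown here makes SlingPostServlet report an error instead of saving.
package example.sling.post; // hypothetical package name

import java.util.List;
import java.util.Set;

import javax.jcr.Node;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.servlets.post.Modification;
import org.apache.sling.servlets.post.ModificationType;
import org.apache.sling.servlets.post.SlingPostProcessor;
import org.osgi.service.component.annotations.Component;

@Component(service = SlingPostProcessor.class)
public class ContentStructurePostProcessor implements SlingPostProcessor {

    // Hypothetical policy: nodes may only be created below this root ...
    private static final String CONTENT_ROOT = "/content/myapp";

    // ... and only with one of these sling:resourceType values.
    private static final Set<String> ALLOWED_TYPES = Set.of(
            "myapp/components/page",
            "myapp/components/text");

    @Override
    public void process(SlingHttpServletRequest request, List<Modification> changes)
            throws Exception {
        ResourceResolver resolver = request.getResourceResolver();

        for (Modification change : changes) {
            // Only newly created items are checked here; MODIFY/DELETE/MOVE
            // are left to JCR access control, as Felix points out above.
            if (change.getType() != ModificationType.CREATE) {
                continue;
            }

            String path = change.getSource();
            if (path == null || !path.startsWith(CONTENT_ROOT + "/")) {
                // Throwing aborts the request; the session is not saved.
                throw new IllegalArgumentException(
                        "Creating items outside " + CONTENT_ROOT + " is not permitted: " + path);
            }

            Resource created = resolver.getResource(path);
            if (created == null || created.adaptTo(Node.class) == null) {
                // Property creations also show up as CREATE; only nodes are
                // subject to the resource type allow-list.
                continue;
            }

            String type = created.getResourceType();
            if (!ALLOWED_TYPES.contains(type)) {
                throw new IllegalArgumentException(
                        "Resource type '" + type + "' is not permitted at " + path);
            }
        }
    }
}
```

The processor runs after the servlet has applied the request to the session but before it saves, so a rejected request leaves no content behind. It complements, rather than replaces, JCR access control: a caller with write permission still cannot create nodes of arbitrary types, but a caller without write permission is stopped earlier by the repository itself.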
