Hello,
in the configuration of the "Apache Sling Authentication Service" I can
"disable anonymous access" which I understand as the user needs to log
in. Still, when I use "anonymous" as user and an empty password I can
log in and see the page for the path "/" and all child resources.
Changing the password for anonymous is not allowed by design. The source
code looks like:
    if ("anonymous".equals(name)) {
        throw new RepositoryException(
            "Can not change the password of the anonymous user.");
    }
Looking at the privileges for the root path with
http://localhost:8080/.eacl.json
got me this JSON response:
    {
      "everyone": {
        "principal": "everyone",
        "granted": ["jcr:all"],
        "order": 0
      }
    }
So I tried to remove the jcr:all privilege with
    curl -FprincipalId=everyone -Fprivilege@jcr:all=denied \
        http://admin:admin@localhost:8080/sling6/.modifyAce.html
to deny everything from the root on and grant it selectively on child nodes.
But the response is HTTP 310 ("too many redirects") when accessing "/".
Granting jcr:all to the everyone group to signup.html,... didn't help.
But granting everyone the jcr:all privilege at "/" and denying jcr:all
at a subnode results in an HTTP 404 response for
http://localhost:8080/mysubnode.json, as I would expect.
Is there a way to avoid every new node under the root node getting
jcr:all by default?
Best,
Sandro
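
The following is an added example, not part of the original message and not Sling code: a small audit over `.eacl.json` responses in the shape quoted above, reporting broad privileges granted to principals that cover unauthenticated requests. The `denied` key, the `RISKY_PRIVILEGES` set, the `audit_eacl` name and the second sample document are assumptions made for illustration.

```python
import json

# Principals that apply to requests made without a real login.
BROAD_PRINCIPALS = {"everyone", "anonymous"}

# JCR privileges this example treats as too broad for those principals
# (an assumption of the example; adjust to local policy).
RISKY_PRIVILEGES = {
    "jcr:all", "jcr:write", "jcr:modifyAccessControl",
    "jcr:addChildNodes", "jcr:removeChildNodes",
    "jcr:removeNode", "jcr:modifyProperties",
}

def audit_eacl(path, eacl_json):
    """Return (path, principal, privilege) for each risky grant in one
    .eacl.json response body, in ACE order."""
    entries = json.loads(eacl_json)
    findings = []
    for entry in sorted(entries.values(), key=lambda e: e.get("order", 0)):
        principal = entry.get("principal")
        if principal not in BROAD_PRINCIPALS:
            continue
        # "denied" is assumed to mirror "granted" in the response.
        denied = set(entry.get("denied", []))
        for privilege in entry.get("granted", []):
            if privilege in RISKY_PRIVILEGES and privilege not in denied:
                findings.append((path, principal, privilege))
    return findings

# The response for "/" quoted in the message above.
ROOT_EACL = """
{"everyone": {"principal": "everyone", "granted": ["jcr:all"], "order": 0}}
"""

# Constructed sample: what a locked-down root might return instead.
HARDENED_EACL = """
{"everyone": {"principal": "everyone", "denied": ["jcr:all"], "order": 0},
 "administrators": {"principal": "administrators",
                    "granted": ["jcr:all"], "order": 1}}
"""

if __name__ == "__main__":
    for label, body in (("default", ROOT_EACL), ("hardened", HARDENED_EACL)):
        print(label, audit_eacl("/", body))
```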