On Wednesday, March 11, 2020 8:34:12 PM CET Cris Rockwell wrote:
> Hi Oliver
> 
> Thanks for the fast reply. Can I ask the exact same set of questions about
> default jcr:read access for everyone on /content? Is that required?

It depends on your application. If you do not want to serve content to 
anonymous users/clients you can remove the read permissions.
You can even remove the whole JCR from Sling if you do not want to serve 
content from it.

Does it help?

Regards,
O.


> Cris Rockwell
> Applications Architect Sr
> College of Literature, Science, and the Arts | University of Michigan
> LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann Arbor,
> MI I 48109 Desk: 734.763.6818 | Email: cmroc...@umich.edu
> 
> > On Mar 11, 2020, at 3:05 PM, Oliver Lietz <apa...@oliverlietz.de> wrote:
> > 
> > On Wednesday, March 11, 2020 6:50:51 PM CET Cris Rockwell wrote:
> >> Hello Sling Users
> > 
> > Hi Cris,
> > 
> >> When I launch Sling, there is an ACL for jcr:read for the everyone
> >> 'principal' on jcr:root, as described in the repoinit.txt
> >> http://archive.apache.org/dist/sling/org.apache.sling.launchpad-9.jar
> >> 
> >> I have found these resources:
> >> 
> >> http://apache-sling.73963.n3.nabble.com/Principal-quot-everyone-quot-is-not-clear-td4078544.html
> >> https://jackrabbit.apache.org/oak/docs/security/user/membership.html
> >> 
> >> But I still have questions:
> >> * Why is everyone by default granted jcr:read access to the whole
> >>   repository?
> >> * If you wanted to control access, isn't it better to whitelist
> >>   (i.e. grant) instead of deny?
> >> * If the everyone ACL jcr:read rule was deleted from root, what
> >>   problems should be expected?
> > 
> > That was changed several years ago already, see SLING-6130 and current
> > setup:
> > 
> > https://github.com/apache/sling-org-apache-sling-starter/blob/master/src/main/provisioning/repoinit.txt
> > 
> > Regards,
> > O.
> > 
> >> Many thanks!
> >> Cris Rockwell
> >> Applications Architect Sr
> >> College of Literature, Science, and the Arts | University of Michigan
> >> LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann
> >> Arbor, MI I 48109 Desk: 734.763.6818 | Email: cmroc...@umich.edu
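
An added example, not part of the original thread or of the Sling project's code: a small audit that scans repoinit text for `allow` rules granting jcr:read to everyone on / or /content, the grants discussed above. The sample input is constructed, the function name is hypothetical, and the parser covers only simple `set ACL for` and `set ACL on` blocks (ACL options and restrictions are ignored).

```python
import re

# Constructed sample for illustration; not the contents of Sling's repoinit.txt.
SAMPLE_REPOINIT = """\
create path /content
set ACL for everyone
    allow jcr:read on /
end
set ACL on /content
    allow jcr:read for everyone
    deny jcr:write for everyone
end
set ACL for app-readers
    allow jcr:read on /content/site
end
"""

# "set ACL for <principals>" or "set ACL on <paths>", optional "(ACLOptions=...)"
BLOCK = re.compile(r"^set ACL (for|on) (.+?)(\s*\(.*\))?$")
# "allow|deny <privileges> on <paths>" or "... for <principals>"
RULE = re.compile(r"^(allow|deny)\s+(.+?)\s+(?:on|for)\s+(.+?)(\s+restriction.*)?$")

def _items(text):
    return [t.strip() for t in text.split(",") if t.strip()]

def find_broad_read_grants(repoinit, principal="everyone", roots=("/", "/content")):
    """Return (line_number, path) for each allow rule that gives read access
    to `principal` on one of the `roots` paths."""
    findings, mode, subjects = [], None, []
    for number, raw in enumerate(repoinit.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        block = BLOCK.match(line)
        if block:
            mode, subjects = block.group(1), _items(block.group(2))
            continue
        if line == "end":
            mode, subjects = None, []
            continue
        rule = RULE.match(line)
        if mode is None or not rule or rule.group(1) != "allow":
            continue
        if not {"jcr:read", "jcr:all"} & set(_items(rule.group(2))):
            continue
        targets = _items(rule.group(3))
        # In a "for" block the header names principals and the rule names paths;
        # in an "on" block it is the other way round.
        principals, paths = (subjects, targets) if mode == "for" else (targets, subjects)
        if principal in principals:
            findings += [(number, p) for p in paths if p in roots]
    return findings
```
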



