I think your response helps in a way. I am asking why this default exists. Is 
there a rationale for the default or no? Based on your response, it should 
be deleted if the application needs to control ACL read permissions, and maybe 
there is no reason for the default other than to ensure everyone can read 
everything under /content.

Cris

> On Mar 11, 2020, at 3:42 PM, Oliver Lietz <apa...@oliverlietz.de> wrote:
> 
> On Wednesday, March 11, 2020 8:34:12 PM CET Cris Rockwell wrote:
>> Hi Oliver
>> 
>> Thanks for the fast reply. Can I ask the exact same set of questions about
>> default jcr:read access for everyone on /content? Is that required?
> 
> It depends on your application. If you do not want to serve content to 
> anonymous users/clients you can remove the read permissions.
> You can even remove the whole JCR from Sling if you do not want to serve 
> content from it.
> 
> Does it help?
> 
> Regards,
> O.
> 
> 
>> Cris Rockwell
>> 
>> 
>>> On Mar 11, 2020, at 3:05 PM, Oliver Lietz <apa...@oliverlietz.de> wrote:
>>> 
>>> On Wednesday, March 11, 2020 6:50:51 PM CET Cris Rockwell wrote:
>>>> Hello Sling Users
>>> 
>>> Hi Cris,
>>> 
>>>> When I launch Sling, there is an ACL for jcr:read for the everyone
>>>> 'principal' on jcr:root, as described in the repoinit.txt
>>>> http://archive.apache.org/dist/sling/org.apache.sling.launchpad-9.jar
>>>> 
>>>> I have found these resources:
>>>> 
>>>> http://apache-sling.73963.n3.nabble.com/Principal-quot-everyone-quot-is-not-clear-td4078544.html
>>>> https://jackrabbit.apache.org/oak/docs/security/user/membership.html
>>>> 
>>>> But I still have questions:
>>>> * Why is everyone by default granted jcr:read access to the whole
>>>>   repository?
>>>> * If you wanted to control access, isn't it better to whitelist
>>>>   (i.e. grant) instead of deny?
>>>> * If the everyone ACL jcr:read rule was deleted from root, what
>>>>   problems should be expected?
>>> 
>>> That was changed several years ago already, see SLING-6130 and current
>>> setup:
>>> 
>>> https://github.com/apache/sling-org-apache-sling-starter/blob/master/src/main/provisioning/repoinit.txt
>>> 
>>> Regards,
>>> O.
>>> 
>>>> Many thanks!
> 
> 
> 
> 
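The thread contrasts the old default (everyone granted jcr:read at the repository root) with the allow-list approach (grant read only where content is meant to be served, for example below /content). As an added example, not part of the original thread or of the Sling project's own repoinit.txt, the Python below embeds two constructed repoinit fragments in the `set ACL for <principals> ... end` form, parses only that form (a toy parser, not the real repoinit grammar), and flags the case where everyone is allowed a read-bearing privilege on `/`. The fragment contents, the `content-writer` principal and the `READ_PRIVILEGES` set are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed repoinit fragments (not the Sling starter's actual repoinit.txt).
# The first grants everyone jcr:read on the repository root; the second grants
# it only below /content, which is the allow-list approach discussed above.
ROOT_READ_REPOINIT = """
create path /content
set ACL for everyone
    allow jcr:read on /
end
"""

CONTENT_ONLY_REPOINIT = """
create path /content
set ACL for everyone
    allow jcr:read on /content
end
set ACL for content-writer
    allow jcr:read,rep:write on /content
end
"""

# Privileges that carry read access (assumption: jcr:all aggregates jcr:read).
READ_PRIVILEGES = {"jcr:read", "jcr:all"}


@dataclass
class Ace:
    """One access control entry as written in a 'set ACL for' block."""
    principals: list
    action: str        # "allow" or "deny"
    privileges: list
    paths: list


SET_ACL_FOR = re.compile(r"^set ACL for (?P<principals>.+)$", re.IGNORECASE)
ACE_LINE = re.compile(
    r"^(?P<action>allow|deny)\s+(?P<privs>\S+)\s+on\s+(?P<paths>\S+)$",
    re.IGNORECASE,
)


def parse_set_acl_for(text):
    """Parse only the 'set ACL for <principals> ... end' form of repoinit.

    Other repoinit statements (create path, create service user, ...) are
    skipped; this is a toy parser for auditing, not a repoinit implementation.
    """
    aces = []
    principals = None  # non-None while inside a set ACL block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SET_ACL_FOR.match(line)
        if m:
            principals = [p.strip() for p in m.group("principals").split(",")]
            continue
        if line.lower() == "end":
            principals = None
            continue
        if principals is not None:
            m = ACE_LINE.match(line)
            if m:
                aces.append(Ace(
                    principals,
                    m.group("action").lower(),
                    m.group("privs").split(","),
                    m.group("paths").split(","),
                ))
    return aces


def everyone_reads_root(aces):
    """True when 'everyone' is allowed a read-bearing privilege on the root path."""
    return any(
        "everyone" in a.principals
        and a.action == "allow"
        and "/" in a.paths
        and bool(set(a.privileges) & READ_PRIVILEGES)
        for a in aces
    )


def read_paths_for(aces, principal):
    """Sorted list of paths where the principal is explicitly allowed to read."""
    paths = set()
    for a in aces:
        if principal in a.principals and a.action == "allow" \
                and set(a.privileges) & READ_PRIVILEGES:
            paths.update(a.paths)
    return sorted(paths)


if __name__ == "__main__":
    for name, script in (("root-read", ROOT_READ_REPOINIT),
                         ("content-only", CONTENT_ONLY_REPOINIT)):
        aces = parse_set_acl_for(script)
        print(name, "everyone reads root:", everyone_reads_root(aces),
              "everyone read paths:", read_paths_for(aces, "everyone"))
```

Running the script reports the first fragment as granting everyone read on the root and the second as confining everyone's read access to /content; the same check can be pointed at a real repoinit file by reading its text into `parse_set_acl_for`, keeping in mind that ACEs written in the `set ACL on <path>` form are not parsed here.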