[ https://issues.apache.org/jira/browse/SLING-12300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17839459#comment-17839459 ]

Joerg Hoh commented on SLING-12300:
-----------------------------------

{quote}I think I would prefer that the uuid not be addressable so easily.  That 
seems to be a security hole where someone could just do a brute force attack to 
try all the possible values and find paths that exist.
{quote}
I want to address the "security hole" by stating that here, too, the 
authorization setup of the underlying JCR repository applies. That means that, 
also by this method, users cannot access nodes for which they are not 
authorized. If you want to make nodes not available to the anonymous user, 
then don't provide the anonymous user read access to them.

If your application has path-based restrictions to prevent direct access to 
certain paths (on top of the existing JCR restrictions), this approach using 
the UUID lookup has the ability to circumvent them and expose nodes which 
would otherwise not be accessible due to the path restrictions. By then it 
should be trivial to add another path-based restriction to prevent access to 
/jcr:id/ as well.

> Provide a way to retrieve a JCR backed resource by its node identifier
> ----------------------------------------------------------------------
>
>                 Key: SLING-12300
>                 URL: https://issues.apache.org/jira/browse/SLING-12300
>             Project: Sling
>          Issue Type: New Feature
>          Components: JCR
>            Reporter: Radu Cotescu
>            Assignee: Radu Cotescu
>            Priority: Major
>             Fix For: JCR Resource 3.3.0
>
>
> Since all {{javax.jcr.Nodes}} have an identifier [0], a useful feature would 
> be {{Resource}} retrieval by node id, which could be its {{jcr:uuid}} 
> property for referenceable nodes or the path. In systems that would like to 
> use UUID addressing, this would reduce the need for executing JCR queries for 
> resource retrieval and would avoid double-reads via the JCR and then Sling 
> API to obtain the resource.
> In order to provide a unified behaviour, paths starting with the {{/jcr:id/}} 
> prefix should use the resource retrieval by node identifier.
> [0] - 
> https://javadoc.io/static/javax.jcr/jcr/2.0/javax/jcr/Node.html#getIdentifier()
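The path-restriction point from the comment above, as an added example that is not part of the original message or of Sling's code: an application-level deny list evaluated on the request path, before and after adding the `/jcr:id/` prefix. The class name, the `/content/private` rule and the all-zero identifier are constructed assumptions; the request path is assumed to be URL-decoded already, and JCR access control still applies underneath in both cases.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;

/** Models an extra path-based restriction layered on top of JCR ACLs. */
public class PathRestrictionDemo {

    // Hypothetical rule set that only knows about the content path.
    static final List<String> DENY_BEFORE = List.of("/content/private");
    // Same rule set with the identifier route (/jcr:id/) closed as well.
    static final List<String> DENY_AFTER = List.of("/content/private", "/jcr:id");

    /** Collapses empty, "." and ".." segments so prefix checks see the real path. */
    static String normalize(String path) {
        Deque<String> segs = new ArrayDeque<>();
        for (String s : path.split("/")) {
            if (s.isEmpty() || s.equals(".")) continue;
            if (s.equals("..")) { segs.pollLast(); continue; }
            segs.addLast(s);
        }
        return "/" + String.join("/", segs);
    }

    /** True when the normalized request path equals or lies below a deny prefix. */
    static boolean denied(String requestPath, List<String> denyPrefixes) {
        String p = normalize(requestPath);
        return denyPrefixes.stream()
                .anyMatch(d -> p.equals(d) || p.startsWith(d + "/"));
    }

    public static void main(String[] args) {
        // Constructed sample requests; the identifier is a placeholder, not a real node id.
        String id = "00000000-0000-0000-0000-000000000000";
        List<String> requests = List.of(
                "/content/public/page.html",
                "/content/private/report.json",
                "/jcr:id/" + id + ".json",
                "/content/../jcr:id/" + id);
        System.out.printf("%-55s %-8s %s%n", "request path", "before", "after");
        for (String r : requests) {
            System.out.printf("%-55s %-8s %s%n", r,
                    denied(r, DENY_BEFORE) ? "deny" : "allow",
                    denied(r, DENY_AFTER) ? "deny" : "allow");
        }
    }
}
```

The two `/jcr:id/` requests pass the first rule set and are rejected by the second, while the `/content/private` request is rejected by both.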



--
This message was sent by Atlassian Jira
(v8.20.10#820010)