[
https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13156588#comment-13156588
]
Felix Meschberger commented on SLING-2136:
------------------------------------------
I don't think this is - conceptually - the correct solution to the problem. As
such I am against applying this patch.
We every now and then encounter situations where the Sling POST Servlet too
eagerly does the work it was originally developed to do (see also the
workaround for SLING-2120 to prevent writing user names and passwords to the
repository in case authentication handlers break).
I think the correct and probably ultimately most stable solution would be to
have the Sling POST Servlet require the :operation request parameter indicating
the request to really be handled by that servlet.
Another workaround in this current situation (preventing writes to /bin/*) is
to apply ACLs.
> Sling POST Servlet: Configuration of Allowed Paths
> --------------------------------------------------
>
> Key: SLING-2136
> URL: https://issues.apache.org/jira/browse/SLING-2136
> Project: Sling
> Issue Type: Improvement
> Components: Servlets
> Affects Versions: Servlets Post 2.1.2
> Reporter: Andrew Khoury
> Attachments: post_servlet_filter-1205238.patch
>
>
> It would be nice if you could configure rules or regular expressions for
> paths the sling post servlet is allowed to work under. This would be good
> for both security reasons and for protecting against conflicts with other
> servlets.
> For example:
> Let's say you have a servlet ReplicationServlet registered to receive POST
> requests under path /bin/replicate.
> However, during startup, before the ReplicationServlet component has been
> enabled, a user tries to do a POST to /bin/replicate. In this case, instead
> of executing the ReplicationServlet, the POST servlet is executed and it
> creates a node under /bin/replicate. Now, as long as the node /bin/replicate
> exists... the ReplicationServlet will not be executed for requests to
> /bin/replicate. This presents a problem and explains the necessity for this
> feature.
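As an added illustration, and not the attached patch or Sling's own code, the following servlet filter combines the two controls discussed in this thread: a configurable list of path patterns under which the POST Servlet may work (the feature the issue asks for) and, for every other path, a requirement that the client name an operation explicitly via the `:operation` parameter (the gate Felix proposes). The class name, the pattern lists, the use of a plain `javax.servlet.Filter` and the scenario in `main()` are assumptions made for the example.

```java
// Added example (not from SLING-2136's patch or from Sling itself): a plain
// javax.servlet Filter that refuses POSTs before the Sling POST Servlet can
// turn them into repository nodes at paths reserved for other servlets.
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PostPathGuardFilter implements Filter {

    /** Request parameter the Sling POST Servlet uses to select an operation. */
    static final String OPERATION_PARAM = ":operation";

    private final List<Pattern> allowedPaths;   // subtrees where implicit node creation is acceptable
    private final List<Pattern> deniedPaths;    // paths reserved for scripts/servlets, never for the POST Servlet

    public PostPathGuardFilter(List<String> allowed, List<String> denied) {
        this.allowedPaths = compile(allowed);
        this.deniedPaths = compile(denied);
    }

    private static List<Pattern> compile(List<String> regexes) {
        return regexes.stream().map(Pattern::compile).collect(Collectors.toList());
    }

    /**
     * Decision logic, kept free of servlet types so it can be unit-tested.
     * A POST may proceed when the path matches no denied pattern and either
     * matches an allowed pattern or carries an explicit ":operation" value.
     */
    boolean isPostAllowed(String path, String operation) {
        for (Pattern p : deniedPaths) {
            if (p.matcher(path).matches()) {
                return false;
            }
        }
        for (Pattern p : allowedPaths) {
            if (p.matcher(path).matches()) {
                return true;
            }
        }
        return operation != null && !operation.isEmpty();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if ("POST".equals(request.getMethod())) {
            String path = request.getPathInfo() != null ? request.getPathInfo() : request.getRequestURI();
            String op = request.getParameter(OPERATION_PARAM);
            if (!isPostAllowed(path, op)) {
                // Refuse here, before the POST Servlet can create a node at this path.
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "POST not permitted at " + path + " without an explicit " + OPERATION_PARAM);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }

    // Stand-alone walk through the scenario from the issue (hypothetical patterns).
    public static void main(String[] args) {
        PostPathGuardFilter f = new PostPathGuardFilter(
                List.of("/content/.*"),      // assumed subtree where free-form POSTs are wanted
                List.of("/bin(/.*)?"));      // assumed reserved subtree, e.g. /bin/replicate
        System.out.println("/bin/replicate, no :operation   -> " + f.isPostAllowed("/bin/replicate", null));
        System.out.println("/bin/replicate, :operation=copy -> " + f.isPostAllowed("/bin/replicate", "copy"));
        System.out.println("/content/page, no :operation   -> " + f.isPostAllowed("/content/page", null));
        System.out.println("/apps/x, no :operation         -> " + f.isPostAllowed("/apps/x", null));
        System.out.println("/apps/x, :operation=copy       -> " + f.isPostAllowed("/apps/x", "copy"));
    }
}
```

In a real Sling deployment the filter would be registered as an OSGi service in the request scope and the pattern lists would come from configuration rather than a constructor; matching should also use the resolved resource path rather than the raw servlet path info, since Sling's selectors and extensions are not part of the resource path. The filter does not replace the ACL approach Felix mentions: repository ACLs still stop the write even if a request reaches the POST Servlet by another route, while the filter merely avoids the startup-ordering trap in which a node created at /bin/replicate shadows the servlet that was meant to handle that path.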