[ https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13156808#comment-13156808 ]
Alexander Klimetschek commented on SLING-2136:
----------------------------------------------
Forcing the :operation parameter is not very elegant IMHO and it is not
backwards compatible (all existing forms would have to be changed).

Also, the problem mostly exists for non-existing paths (such as virtual servlet
paths), because after they get created accidentally through the post servlet,
the virtual resolution is immediately eliminated. For cases where a node is
present, but only the actual servlet is currently not available, you usually don't
overwrite the resource type. Hence the next call when the servlet is present
again will work. Only the properties have been written. And if such a servlet
acts as a "filter" for the Sling POST servlet (and will forward to it
afterwards, a quite common case), forcing the :operation parameter won't help,
as it will be there anyway.

I think the filtering is a simple solution at least for the virtual paths. One
doesn't have to use it.

> Sling POST Servlet: Configuration of Allowed Paths
> --------------------------------------------------
>
> Key: SLING-2136
> URL: https://issues.apache.org/jira/browse/SLING-2136
> Project: Sling
> Issue Type: Improvement
> Components: Servlets
> Affects Versions: Servlets Post 2.1.2
> Reporter: Andrew Khoury
> Attachments: post_servlet_filter-1205238.patch
>
>
> It would be nice if you could configure rules or regular expressions for
> paths the sling post servlet is allowed to work under. This would be good
> for both security reasons and for protecting against conflicts with other
> servlets.
> For example:
> Let's say you have a servlet ReplicationServlet registered to receive POST
> requests under path /bin/replicate.
> However, during startup, before the ReplicationServlet component has been
> enabled, a user tries to do a POST to /bin/replicate. In this case, instead
> of executing the ReplicationServlet, the POST servlet is executed and it
> creates a node under /bin/replicate. Now, as long as the node /bin/replicate
> exists... the ReplicationServlet will not be executed for requests to
> /bin/replicate. This presents a problem and explains the necessity for this
> feature.
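The allowed-paths check requested in the issue, sketched as an added example; it is not the attached patch and not Sling code. The class name, the rule patterns and the sample request paths are assumptions made up for illustration.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical allow-list for paths a default POST handler may write under. */
public class PostPathAllowList {
    private final List<Pattern> allowed = new ArrayList<>();

    public PostPathAllowList(List<String> regexes) {
        for (String r : regexes) {
            allowed.add(Pattern.compile(r));
        }
    }

    /** Collapse "//", "." and ".." so /content/../bin/replicate is judged as /bin/replicate. */
    static String normalize(String path) {
        Deque<String> parts = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { parts.pollLast(); continue; }
            parts.addLast(seg);
        }
        return "/" + String.join("/", parts);
    }

    /** True only if the whole normalized path matches a rule: matches(), not find(). */
    public boolean isAllowed(String requestPath) {
        String path = normalize(requestPath);
        for (Pattern p : allowed) {
            if (p.matcher(path).matches()) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed rules and request paths, for illustration only.
        PostPathAllowList rules =
            new PostPathAllowList(List.of("/content(/.*)?", "/tmp/forms/[^/]+"));
        List<String> samples = List.of("/content/site/page", "/bin/replicate",
            "/content/../bin/replicate", "/contentfoo", "/tmp/forms/a/b");
        for (String p : samples) {
            // Only the first sample is allowed; /bin/replicate is never created as a node.
            System.out.println((rules.isAllowed(p) ? "allow  " : "reject ") + p);
        }
    }
}
```

Matching the full normalized path matters here: a substring match or an unnormalized comparison would let `/content/../bin/replicate` or `/contentfoo` through and recreate the conflict the issue describes.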