Hi, On Tue, Nov 29, 2011 at 11:00 AM, Felix Meschberger <[email protected]> wrote: > Hi, > > Another option would be to have a special ResourceProvider which returns > SyntheticResources in case of any access to below /bin which is not backed by > a registered servlet. Such a SyntheticResource would not allow the POST > Servlet to write anything back to anywhere !
Doesn't this suffer from the same problem as described in the original JIRA description, i.e. if the component/bundle providing this ResourceProvider isn't started/active, then the POST would go through to the default POST Servlet. I'm thinking maybe the real problem isn't that the POST goes through to the default POST servlet but that the presence of a node at /bin/replicate prevents the servlet registered at that path from being executed. WDYT? Justin > > Regards > Felix > > Am 29.11.2011 um 16:55 schrieb Carsten Ziegeler (Commented) (JIRA): > >> >> [ >> https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159324#comment-13159324 >> ] >> >> Carsten Ziegeler commented on SLING-2136: >> ----------------------------------------- >> >> I think the right way is to use ACLs. Adding a new configuration option >> which basically is an ACL in a servlet is not the right approach. >> >> Another workaround is to add a servlet filter >> >>> Sling POST Servlet: Configuration of Allowed Paths >>> -------------------------------------------------- >>> >>> Key: SLING-2136 >>> URL: https://issues.apache.org/jira/browse/SLING-2136 >>> Project: Sling >>> Issue Type: Improvement >>> Components: Servlets >>> Affects Versions: Servlets Post 2.1.2 >>> Reporter: Andrew Khoury >>> Attachments: post_servlet_filter-1205238.patch >>> >>> >>> It would be nice if you could configure rules or regular expressions for >>> paths the sling post servlet is allowed to work under. This would be good >>> for both security reasons and for protecting against conflicts with other >>> servlets. >>> For example: >>> Let's say you have a servlet ReplicationServlet registered to receive POST >>> requests under path /bin/replicate. >>> However, during startup, before the ReplicationServlet component has been >>> enabled, a user tries to do a POST to /bin/replicate. In this case, >>> instead of executing the ReplicationServlet, the POST servlet is executed >>> and it creates a node under /bin/replicate. Now, as long as the node >>> /bin/replicate exists... the ReplicationServlet will not be executed for >>> requests to /bin/replicate. This presents a problem and explains the >>> necessity for this feature. >> >> -- >> This message is automatically generated by JIRA. >> If you think it was sent incorrectly, please contact your JIRA >> administrators: >> https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa >> For more information on JIRA, see: http://www.atlassian.com/software/jira >> >> >
