Hi,

On 29.11.2011 at 17:30, Justin Edelson wrote:
> Hi,
>
> On Tue, Nov 29, 2011 at 11:00 AM, Felix Meschberger <[email protected]>
> wrote:
>> Hi,
>>
>> Another option would be to have a special ResourceProvider which returns
>> SyntheticResources in case of any access to below /bin which is not backed
>> by a registered servlet. Such a SyntheticResource would not allow the POST
>> Servlet to write anything back to anywhere!
>
> Doesn't this suffer from the same problem as described in the original
> JIRA description, i.e. if the component/bundle providing this
> ResourceProvider isn't started/active, then the POST would go through
> to the default POST Servlet.

Basically, yes.

>
> I'm thinking maybe the real problem isn't that the POST goes through
> to the default POST servlet but that the presence of a node at
> /bin/replicate prevents the servlet registered at that path from being
> executed.

No, better matching resource providers overwrite more general ones. So if there is a servlet at /bin/replicate, the node should actually be ignored.

Regards
Felix

>
> WDYT?
>
> Justin
>
>>
>> Regards
>> Felix
>>
>> On 29.11.2011 at 16:55, Carsten Ziegeler (Commented) (JIRA) wrote:
>>
>>>
>>> [
>>> https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159324#comment-13159324
>>> ]
>>>
>>> Carsten Ziegeler commented on SLING-2136:
>>> -----------------------------------------
>>>
>>> I think the right way is to use ACLs. Adding a new configuration option
>>> which basically is an ACL in a servlet is not the right approach.
>>>
>>> Another workaround is to add a servlet filter
>>>
>>>> Sling POST Servlet: Configuration of Allowed Paths
>>>> --------------------------------------------------
>>>>
>>>>                 Key: SLING-2136
>>>>                 URL: https://issues.apache.org/jira/browse/SLING-2136
>>>>             Project: Sling
>>>>          Issue Type: Improvement
>>>>          Components: Servlets
>>>>    Affects Versions: Servlets Post 2.1.2
>>>>            Reporter: Andrew Khoury
>>>>         Attachments: post_servlet_filter-1205238.patch
>>>>
>>>>
>>>> It would be nice if you could configure rules or regular expressions for
>>>> paths the sling post servlet is allowed to work under. This would be good
>>>> for both security reasons and for protecting against conflicts with other
>>>> servlets.
>>>> For example:
>>>> Let's say you have a servlet ReplicationServlet registered to receive POST
>>>> requests under path /bin/replicate.
>>>> However, during startup, before the ReplicationServlet component has been
>>>> enabled, a user tries to do a POST to /bin/replicate. In this case,
>>>> instead of executing the ReplicationServlet, the POST servlet is executed
>>>> and it creates a node under /bin/replicate. Now, as long as the node
>>>> /bin/replicate exists... the ReplicationServlet will not be executed for
>>>> requests to /bin/replicate. This presents a problem and explains the
>>>> necessity for this feature.
>>>
>>> --
>>> This message is automatically generated by JIRA.
>>> If you think it was sent incorrectly, please contact your JIRA
>>> administrators:
>>> https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
>>> For more information on JIRA, see: http://www.atlassian.com/software/jira
>>>
>>
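
One way the servlet-filter workaround mentioned in the quoted JIRA comment could look, as an added example that is not code from this thread, from the attached patch or from the Sling project. The class name, the `/bin/` prefix list and the 503 response are assumptions, as is the premise that a resource provided by a registered servlet adapts to `javax.servlet.Servlet`; registration as a Sling request-level filter is not shown.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.Resource;

// Hypothetical filter: name and settings are assumptions, not Sling code.
public class ServletPathGuardFilter implements Filter {

    // Assumed policy: paths under these prefixes are only ever served by a registered servlet.
    private static final String[] SERVLET_ONLY_PREFIXES = { "/bin/" };

    static boolean isServletOnlyPath(String path) {
        for (String prefix : SERVLET_ONLY_PREFIXES) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof SlingHttpServletRequest) {
            SlingHttpServletRequest request = (SlingHttpServletRequest) req;
            Resource resource = request.getResource();
            // Assumption: a servlet-provided resource adapts to Servlet;
            // a missing resource or a plain repository node does not.
            boolean servletBacked = resource.adaptTo(Servlet.class) != null;
            if ("POST".equals(request.getMethod())
                    && isServletOnlyPath(resource.getPath())
                    && !servletBacked) {
                // Refuse instead of letting the default POST servlet create a node here.
                ((HttpServletResponse) res).sendError(
                        HttpServletResponse.SC_SERVICE_UNAVAILABLE,
                        "No servlet registered for this path");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Like the ResourceProvider idea discussed above, this only takes effect while the bundle providing the filter is active, so it does not replace the ACLs recommended in the JIRA comment.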
