Hi all,

I have done some work on selectors and security in CQ lately, and in the process I've had an idea how to handle some of the issues in Sling. From my point of view, this could well be integrated into Sling, but it can also easily work as an addition, so I'd like to hear some feedback from you.

The basic idea is to have the developer of a component/template define the selectors allowed on the component. I've used a property sling:allowedSelectors to do so. In a servlet filter, we can then check for all the allowed selectors in the application and verify if the request's selectors are valid.

Of course, there are quite a few open questions/points:

* Should the allowed selectors be cached?
* Servlets with sling.servlet.selectors property need to be included as well
* Should the sling:allowedSelectors configuration be component or template based? Component based means the definition is where the selectors are actually implemented, template based provides more accurate means of checking whether request selectors are valid.
* How can multisites be configured?

Attached is a very basic implementation of the Servlet Filter. Be aware that installing this into a CQ author instance will break some things as the default CQ selectors are not supported.

So basically, my question to you is if you think this is an interesting feature or if you consider this rather unnecessary. ;-)

Best regards,
Ben Zahler

Inside Solutions AG | Felsenstrasse 11 | 4450 Sissach | Switzerland
Phone: +41 61 551 00 40 | Direct: +41 61 551 00 43
http://www.inside-solutions.ch
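
A sketch of the selector check described in the message above, as an added example; it is not the attachment from the post and not Sling project code. Assumptions: the class name is hypothetical, the lookup is component based, sling:allowedSelectors is a multi-value String property, a component without the property allows no selectors, and a rejected request gets a 404. Caching and servlets registered through sling.servlet.selectors are not handled.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ValueMap;

// Hypothetical class; register it as a Sling request-scope filter (registration omitted).
public class AllowedSelectorsFilter implements Filter {
    static final String PROP = "sling:allowedSelectors"; // property name from the post

    // True only when every selector on the request is listed on the component.
    static boolean permitted(String[] requested, String[] allowed) {
        Set<String> allowedSet = new HashSet<>(Arrays.asList(allowed));
        return allowedSet.containsAll(Arrays.asList(requested));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof SlingHttpServletRequest) {
            SlingHttpServletRequest slingReq = (SlingHttpServletRequest) req;
            String[] selectors = slingReq.getRequestPathInfo().getSelectors();
            if (selectors.length > 0) {
                // Component-based lookup: the resource type names the component node,
                // resolved through the resolver's search path.
                Resource component = slingReq.getResourceResolver()
                        .getResource(slingReq.getResource().getResourceType());
                String[] allowed = new String[0]; // assumption: no property, no selectors
                if (component != null) {
                    ValueMap props = component.adaptTo(ValueMap.class);
                    if (props != null) allowed = props.get(PROP, new String[0]);
                }
                if (!permitted(selectors, allowed)) {
                    // Assumption: answer unknown selectors with 404 and stop the chain.
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```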
