Hi,

It looks like this limiting of selectors has had some discussion recently. So, yes, I would think the Sling community would well be interested in a good solution.

I am not exactly sure what you mean by "template based". Also, there is no such thing as a "component" in Sling. Something becomes a component if it is referred to by a resource type.

Another consideration is resource type inheritance through Resource.getResourceSuperType(). Are selectors inherited? Can they be reduced?

Finally: Sling is open-ended by intent and default. So limiting will always have some side effects we have to carefully consider. For example: Consider you create a "component" with support for some selectors and extensions and declare it to cope with those. Then you extend it and add support for another selector (or another extension) and forget to update the definition: Now your requests may fail and you have to find out how ...

Alas, your attachment didn't make it to the list (probably due to list filtering). You might want to create an issue and attach your code there.

Regards
Felix

On 01.07.2013 at 08:30, Ben Zahler wrote:

Hi all,

I have done some work on selectors and security in CQ lately, and in the process I've had an idea how to handle some of the issues in Sling.

From my point of view, this could well be integrated into Sling, but it can also easily work as an addition, so I'd like to hear some feedback from you.

The basic idea is to have the developer of a component/template define the selectors allowed on the component. I've used a property sling:allowedSelectors to do so. In a servlet filter, we can then check for all the allowed selectors in the application and verify if the request's selectors are valid.

Of course, there are quite a few open questions/points:

* should the allowed selectors be cached?
* Servlets with sling.servlet.selectors property need to be included as well
* Should the sling:allowedSelectors configuration be component or template based? Component based means the definition is where the selectors are actually implemented, template based provides more accurate means of checking whether request selectors are valid.
* How can multisites be configured?

Attached is a very basic implementation of the Servlet Filter. Be aware that installing this into a CQ author instance will break some things as the default CQ selectors are not supported.

So basically, my question to you is if you think this is an interesting feature or if you consider this rather unnecessary. ;-)

Best regards
Ben Zahler

Inside Solutions AG | Felsenstrasse 11 | 4450 Sissach | Switzerland
Phone: +41 61 551 00 40 | Direct: +41 61 551 00 43
http://www.inside-solutions.ch
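
The selector check discussed in this thread, written as a Sling request filter. This is an added example, not Ben Zahler's attachment (which did not reach the list) and not Sling code. It assumes a multi-valued sling:allowedSelectors property on the resource type node, takes the union along the super type chain as one possible answer to the inheritance question, leaves types without any declaration open, and answers 404; the class name is hypothetical and servlets registered with sling.servlet.selectors are not covered.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceUtil;

// Illustrative filter (hypothetical name); OSGi/Sling filter registration is omitted.
public class AllowedSelectorsFilter implements Filter {
    private static final String PROP = "sling:allowedSelectors"; // property name from the thread
    private static final int MAX_DEPTH = 16; // guard against super type cycles

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        SlingHttpServletRequest sling = (SlingHttpServletRequest) req;
        String[] selectors = sling.getRequestPathInfo().getSelectors();
        Set<String> allowed = allowedFor(sling.getResource());
        // null = nothing declared anywhere on the type chain: stay open (assumed policy)
        if (allowed != null && !allowed.containsAll(Arrays.asList(selectors))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    // Union of sling:allowedSelectors over the resource type and its super types.
    private Set<String> allowedFor(Resource resource) {
        ResourceResolver resolver = resource.getResourceResolver();
        Set<String> allowed = null;
        String type = resource.getResourceType();
        for (int i = 0; type != null && i < MAX_DEPTH; i++) {
            Resource typeRes = resolver.getResource(type); // relative types use the search path
            if (typeRes == null) break;
            String[] declared = ResourceUtil.getValueMap(typeRes).get(PROP, String[].class);
            if (declared != null) {
                if (allowed == null) allowed = new HashSet<String>();
                allowed.addAll(Arrays.asList(declared));
            }
            type = typeRes.getResourceSuperType();
        }
        return allowed;
    }
}
```

With union semantics, a derived type that adds a selector without declaring it is rejected, which is the failure mode Felix describes; an empty declaration on a type rejects every selector for it.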
