Hi,
The whitelist configuration in this servlet is causing some problems
where the contents of the whitelist are potentially large and changing,
since it requires constant re-configuration.

Would it be possible to have an API service that is consulted, if
present, to check if the request is allowed? Those that want to use
the service would configure the whitelist to reject everything
while the service was not present, so as to avoid startup issues.

e.g.

+    @Reference(cardinality=ReferenceCardinality.OPTIONAL_UNARY)
+     private WhiteListProvider   whiteListProvider;

    /** Checks if the provided request's remote server is whitelisted **/

    private boolean isWhitelisted(final SlingHttpServletRequest request) {
+      if (whiteListProvider != null) {
+             whiteListProvider.isWhitelisted(request);
+        }
        if (whitelist.contains(request.getRemoteAddr())) {

            return true;

        } else if (whitelist.contains(request.getRemoteHost())) {

            return true;

        }

        logger.info("isWhitelisted: rejecting " + request.getRemoteAddr()

                + ", " + request.getRemoteHost());

        return false;

    }
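
Review bot: In the added block at the top of isWhitelisted(), the result of whiteListProvider.isWhitelisted(request) is discarded, so the provider never influences the decision and the method always falls through to the static whitelist check. Return the result, e.g. `return whiteListProvider.isWhitelisted(request);` if the provider is meant to be authoritative, or `if (whiteListProvider.isWhitelisted(request)) return true;` if the configured list should remain a fallback. With an early return, a rejection by the provider would skip the logger.info call below, so log it on that path as well.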


and in the API, presumably discovery api.

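import javax.servlet.http.HttpServletRequest;

public interface WhiteListProvider {

    /** Returns true if the request's remote server is allowed. */
    boolean isWhitelisted(HttpServletRequest request);

}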


Best Regards
Ian
