Hi, The whitelist configuration in this servlet is causing some problems where the contents of the whitelist is potentially large and changing, since it requires constant re-configuration.
Would it be possible to have a API service that is consulted if present to check if the request is allowed. For those that want to use the service they would configure the whitelist to reject everything while the service was not present so avoid startup issues. eg + @Reference(cardinality=ReferenceCardinality.OPTIONAL_UNARY) + private WhiteListProvider whiteListProvider; /** Checks if the provided request's remote server is whitelisted **/ private boolean isWhitelisted(final SlingHttpServletRequest request) { + if (whiteListProvider != null) { + whiteListProvider.isWhitelisted(request); + } if (whitelist.contains(request.getRemoteAddr())) { return true; } else if (whitelist.contains(request.getRemoteHost())) { return true; } logger.info("isWhitelisted: rejecting " + request.getRemoteAddr() + ", " + request.getRemoteHost()); return false; } and in the API, presumably discovery api. public interface WhiteListProvider { private boolean isWhitelisted(HttpServletRequest request); } Best Regards Ian