>-----Original Message-----
>From: Alexander Klimetschek [mailto:aklim...@adobe.com]
>Sent: Tuesday, August 12, 2014 1:47 AM
>To: dev@sling.apache.org
>Subject: Re: [RT] Multi Tenancy
...
>And here it becomes tricky. Because if you are allowed to write arbitrary
>code (e.g. in JSPs), you can get an admin session, and thus do what you want
>anyway. So enforcing to set the right resource types in the first place (e.g.
>UIs not allowing you to choose templates / components from another tenant)
>has the same level of security as a complex tenant script resolution
>mechanism.

If the tenant-specific scripts are allowed to get an admin session, they can not
only access scripts of other tenants, but all their content as well, which is, I
suppose, much more problematic than accessing the custom scripts. You can
effectively steal all content of all other tenants of the same instance.

So, it's difficult to use the current architecture for a tenant model where the
deployed scripts have to be considered "unsafe" and the tenants cannot trust
each other. I think it would be possible to extend the Sling API with ways to
prevent getting an admin session via configuration, but is this still safe when
accessing the JCR API directly, or other services running in the OSGi context
which may expose administrative access to other parts as well?

So this really depends on the use cases (I will start creating a wiki page for
them today) that the tenant support has to fulfill.

stefan
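As an added illustration of the mitigation direction sketched above (tenant code working without an admin session), not code from this thread or from Sling itself: a helper that obtains a per-tenant service resolver through the Sling ResourceResolverFactory and never falls back to an administrative one. The per-tenant service user mapping, the subservice naming and the /content/<tenant> layout are assumptions.

```java
import java.util.Collections;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;

/**
 * Tenant-scoped resolvers instead of admin sessions.
 * Assumption (not from the thread): each tenant "t" is mapped to its own
 * system user via a service user mapping entry such as
 *   user.mapping=["com.example.scripts:tenant-t=tenant-t-service"]
 * and that system user's ACLs grant access only below /content/t.
 */
public final class TenantResolvers {
    // Conservative tenant id syntax; rejects path separators and ".." outright.
    private static final Pattern TENANT_ID = Pattern.compile("[a-z0-9][a-z0-9-]{0,31}");

    private TenantResolvers() {}

    /** Content root a tenant may touch; kept as a second line of defence beside ACLs. */
    public static String tenantRoot(String tenantId) {
        if (tenantId == null || !TENANT_ID.matcher(tenantId).matches()) {
            throw new IllegalArgumentException("invalid tenant id");
        }
        return "/content/" + tenantId;
    }

    /** True iff path lies inside the tenant's subtree ("/content/a" must not match "/content/ab"). */
    public static boolean isInsideTenant(String tenantId, String path) {
        String root = tenantRoot(tenantId);
        return path != null && (path.equals(root) || path.startsWith(root + "/"));
    }

    /**
     * Resolver for tenant code. Deliberately never calls
     * getAdministrativeResourceResolver(): if no service user is mapped for
     * this tenant, the LoginException propagates and the script fails closed.
     */
    public static ResourceResolver forTenant(ResourceResolverFactory factory, String tenantId)
            throws LoginException {
        tenantRoot(tenantId); // validates the id before it is used in the subservice name
        Map<String, Object> auth = Collections.<String, Object>singletonMap(
                ResourceResolverFactory.SUBSERVICE, "tenant-" + tenantId);
        return factory.getServiceResourceResolver(auth); // caller must close() it
    }
}
```

The helper only narrows what tenant code asks for; isolation still rests on the repository ACLs of each mapped system user, which the thread notes cannot stop code that reaches the JCR API or other OSGi services directly.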
