Hi Julian, On Mon, Jun 25, 2018 at 3:38 PM Julian Sedding <[email protected]> wrote: > Regarding securing the servlet: > Registering a servlet in Sling creates resources. In the case of the > capabilities servlet, that should be the resource > "/libs/sling/capabilities.json.GET.servlet". Since the "Resource > Access Security" module allows restricting read access to resources, > this could be used to secure the servlet...
Yes, but that only works for servlet, I think if we agree on a (simple) mechanism to secure arbitrary operations, as Radu suggest, it's more flexible. And I'd like this to be backed by Oak so we can take advantage of its proven access control features, including management tools. I'll reply to Radu... -Bertrand
