[CONF] Apache Sling Sling Feature Flags support
Felix Meschberger added a comment to the page Sling Feature Flags support

Re. Show/Hide Resources: This is currently implemented. Yet the descendant Resources ... are hidden as well part is only true if enumerating down the tree using listChildren. Directly accessing a resource below a hidden resource is still possible.

Re Alternate between resources: This is currently implemented: a resource can be tagged with a flag name and is only visible if the flag is set. When prefixing the flag name with a dash (-), the resource is only visible if the flag is disabled.

Re Alter Resource rendering: Since scripts are resources, they can be hidden with flags and thus this should be possible.

Re Use variants of OSGi Services: I don't think we should do that at all, because it causes different behaviour depending on how you access the service. IMHO these methods should really just be wrappers around the service access methods in the OSGi BundleContext.

Preliminary documentation is available in the documentation staging area on the Feature Flags page.

This message was sent by Atlassian Confluence 5.0.3, the collaboration software for teams.
[CONF] Apache Sling Proxy Server Resource Provider
Felix Meschberger added a comment to the page Proxy Server Resource Provider

Right. Security would have to be considered (not really eager to store credentials in the repository, though). And caching certainly is one optimization we have to do. Having factory configuration would certainly make it easier to update etc. Having it in the repository would indicate the root node in the repository where this hangs out. Yet, of course, we could as well generate such a marker node on demand when the configuration is created.

In reply to a comment by Justin Edelson:
Looks interesting. Some things to consider: Security - what if the target requires authentication? Caching - can we cache the target resources using some configurable TTL? I'm not sure about the ResourceProvider definitions being in the repository. Shouldn't these just be factory components?
[CONF] Apache Sling FAQ
FAQ
Page edited by Felix Meschberger

Changes (2)
... {code} curl -Fgreetings=Hello, World! -Fmulti=first -Fmulti=second -Ftranslations/en=Hello -Ftranslations/zh=你好 http://admin:admin@localhost:8080/content/../../.. {code} ... Now you should be able to see an HTML version of the resource at [http://localhost.local:8080/content/greet]. This script matches the sling:resourceType we set and the HTTP method we used. Note that resourceType matches must be exact. h3. How tdo I create a multi-value property with a single value, in HTTP? Use this: ...

Full Content

Frequently Asked Questions

This page lists a series of common questions and answers. It is of course work in progress ...

This page is not meant for asking questions
Use the Sling users mailing lists for that, see http://sling.apache.org/project-information.html#mailing-lists - this page is about answers. Thanks! If you find anything wrong in the Sling site or in and on the Wiki, do not hesitate to also contact the user's mailing list. Thanks.

Administration
* How do I change Jackrabbit's admin password?
RESTful API
* How do I create a node by posting a json document to a URL?
* What's so special about the 'content','apps' and '*' urls?
* I posted a resource, where did it go?
* How do I create a multi-value property with a single value, in HTTP?
* I cannot add a node under /content/config.author using a POST, the new node goes under /content/config
Scripts and Servlets
* How do I generate links to previous versions of a node?
* How do I find out why a given script or servlet is preferred to another when processing a request?
* How do I render a script for a star "*" resource?
* How to replace the default json renderer (for example) with my own?
* How to execute scripts directly?
* How do I create a new script engine?
Working with bundles
* Is there an easy way to update bundles in a running installation during development?
Classloading issues
* Accessing Classes from the Environment
* How are the sling.bootdelegation properties used ?
* How does Sling support the org.osgi.framework.system.packages Property ?
* Should the org.osgi.framework.bootdelegation or the org.osgi.framework.system.packages Property be used ?
* How to share session between Sling and other web applications?
Miscellaneous
* Why can't I connect to Sling's WebDAV using Windows NetworkDriveMapping ?
* Why is my WebDAV connection so slow on Windows ?
* Why should I use the sling:Folder node type instead of nt:folder ?
* How to change the service.ranking of a service through configuration?

Administration

How do I change Jackrabbit's admin password?

Using the userManager:

{code}
curl \
  -F"oldPwd=admin" \
  -F"newPwd=Fritz" \
  -F"newPwdConfirm=Fritz" \
  http://admin:admin@localhost:8080/system/userManager/user/admin.changePassword.html
{code}

You will also have to set that password in the Felix Web Management Console (/system/console/configMgr) under "Apache Sling Embedded JCR Repository." This is used by Sling to create an admin JCR session (using SlingRepository.loginAdministrative()) for components that need to have full access to the repository.

Note: Only after restarting the framework the old password will become invalid (as of 09-11-10).

Note: depending on the login module used in Jackrabbit, the password might not be checked at all (SimpleLoginModule, standard in Jackrabbit = 1.4). Since Jackrabbit 1.5, the DefaultLoginModule provides full user support.

RESTful API

How do I create a node by posting a json document to a URL?

At the moment, you cannot do this. (Soon to change as per SLING-1172) Instead, each value must be a field in the request POST. For example, suppose you have the json document:

{code}
{
  "greetings": "Hello, World!",
  "multi": ["first", "second"],
  "translations": { "en": "Hello", "zh": "你好" }
}
{code}

You would do a post such as:

{code}
curl -F"greetings=Hello, World!" -F"multi=first" -F"multi=second" -F"translations/en=Hello" -F"translations/zh=你好" http://admin:admin@localhost:8080/content/../../..
{code}

What's so special about the 'content','apps' and '*' urls?

'apps' is reserved for matching scripts evaluated by sling. The "*" url is used for POSTing to a child node. By default, if a resource cannot be found from the root url, sling will try appending "content". For example, if you request the following non-existent resource:

http://localhost:8080/blog/first_post

Sling will look in:

http://localhost:8080/content/blog/first_post

before returning a 404.

I posted a resource, where did it go?

Let's start by creating a
[CONF] Apache Sling FAQ
FAQ
Page comment added by Felix Meschberger

Thx. Fixed.

In reply to a comment by Anonym:
I second the remark on the missing "i" in -F"mult= And there is a typo error, replace "How to I .." by "How do I .." thx anyway
[CONF] Apache Sling FAQ
FAQ
Page comment added by Felix Meschberger

If you are using a file-system emulating WebDAV client such as the built-in WebDAV client in Mac OSX or Windows, you cannot because they only expose WebDAV as files and directories. If you are using a full-fledged WebDAV client the properties should be accessible with the PROPFIND method.

In reply to a comment by Anonym:
Hi, I could able to create nodes and setup webDAV client. but if i want to view the property ( attribute ) of a node from webDav , how do i do this?
[CONF] Apache Sling FAQ
FAQ
Page comment added by Felix Meschberger

The first question might be interesting to discuss. The second question might point to a bug. I suggest you post your questions on the Sling users list: users(at)sling(dot)apache(dot)org

In reply to a comment by Anonym:
Hi, I'm new sling user. I would like to ask is: first: sling clustering solution has not been tested? I think how in the cluster, the use of the the job mechanism and jackrabbite. second: find the JobUtil acknowledgeJob method, reported such an exception: JobStatusNotifier context is not available in event properties. Context is null, what causes it? wangxin from China
[CONF] Apache Sling FAQ
FAQ
Page comment added by Felix Meschberger

Thx. Fixed.

In reply to a comment by Anonym:
Hi, I think there's a typo in the FAQ: url -F"greetings=Hello, World!" -F"mult=first" -F"multi=second" -F"translations/en=Hello" -F"translations/zh=你好" http://admin:admin@localhost:8080/content/../../.. Shouldn't the first parameter be "multi", not "mult"?
[CONF] Apache Sling Solving the Authentication Handler Credential Validation Problem
Solving the Authentication Handler Credential Validation Problem
Page edited by Felix Meschberger
Comment: Add JIRA references

Changes (2)
... Created: 27. September 2013 Author: fmeschbe JIRA: -- JIRA: [Implement solution to the Authentication Handler Credential Validation Problem|https://issues.apache.org/jira/browse/SLING-2762], [AbstractSlingRepository#login violates JCR spec|https://issues.apache.org/jira/browse/SLING-2762] References: -- Updated: -- ...

Full Content

Solving the Authentication Handler Credential Validation Problem

Status: DRAFT
Created: 27. September 2013
Author: fmeschbe
JIRA: Implement solution to the Authentication Handler Credential Validation Problem, AbstractSlingRepository#login violates JCR spec
References:
Updated:

* Problem
* Proposal
* Implementations
* Authentication Handler
* JCR Resource Provider
* Abstract Sling Repository

Problem

There does not currently exist a good and transparent way for an Authentication Handler to signal to the ResourceResolverFactory that the identity of a user has been established and validated and that no further checks are required. For example, an SSO authentication handler will get the identity of a user provided by the SSO handler, or an OAuth 2 authentication handler proves the identity of the user with the help of the OAuth 2 provider.

Proposal

A new predefined property of the AuthenticationInfo map is defined which can be set by the authentication handler to indicate that the user's identity has been verified and can be guaranteed:

{code:java}
public interface ResourceResolverFactory {

    /**
     * Name of the authentication information property used to indicate that the
     * identity of the user indicated by the {@link #USER} property has already
     * been validated by other means such as OAuth2, OpenID or similar SSO
     * functionality. As a consequence password-less access to a
     * {@link ResourceResolver} should be granted.
     * <p>
     * The non-empty string value of this property identifies the party having
     * validated the user's identity. It may be used by implementations of this
     * and the {@link ResourceProviderFactory} interfaces in log messages.
     * <p>
     * The type of this property, if present, is <code>String</code>.
     *
     * @since 2.4 (bundle version 2.5.0)
     */
    String IDENTIFIED = "user.identified";
}
{code}

ResourceProviderFactory services creating ResourceProvider instances by establishing connections to the actual data store will leverage this flag to implement a pre-authentication style of access.

Implementations

Authentication Handler

Implementations will just set the ResourceResolverFactory.IDENTIFIED property in the Authentication Info map to the name of the authentication handler indicating the identity has been validated. This replaces mechanisms used today such as implementing a LoginModule service validating a custom javax.jcr.Credentials instance.

JCR Resource Provider

The JCR Resource Provider will check for the property and create a Subject used for establishing the session's owner:

{code:java}
if (authenticationInfo.get("user.identified") != null) {
    // pre-identified user access
    final String userName = (String) authenticationInfo.get(ResourceResolverFactory.USER);
    final String identifier = (String) authenticationInfo.get("user.identified");
    log.info("getResourceProviderInternal: Logging in user {} identified by {}", userName, identifier);

    Session tmp = null;
    try {
        tmp = session = repository.loginAdministrative(workspace);
        Authorizable auth = ((JackrabbitSession) tmp).getUserManager().getAuthorizable(userName);
        Subject s = new Subject();
        s.getPrincipals().add(auth.getPrincipal());
        session = Subject.doAs(s, new PrivilegedExceptionAction<Session>() {
            public Session run() throws Exception {
                return repository.login(workspace);
            }
        });
    } catch (PrivilegedActionException pae) {
        throw pae.getCause();
    } finally {
        if (tmp != null) {
            tmp.logout();
        }
    }
}
{code}

Considerations for creating the Subject:

* Should the full Subject be created ? That is a subject which contains the user's Principal as well as the full set of Principal instances representing the set of groups of which the user is a member.
* Should only a simple Subject be created as in the example above ? That is only the user's Principal is contained and the repository implementation must then complete the set of Principals by the principals for the groups.
* Should a dummy Subject be created which only contains a simple
[CONF] Apache Sling Solving the Authentication Handler Credential Validation Problem
Solving the Authentication Handler Credential Validation Problem
Page edited by Felix Meschberger
Comment: Elaborate on solving the privilege escalation issue

Changes (2)
... * Should a new session be retrieved for each such access or should a long-running session be used which needs to be occasionally refreshed ? * Should mappings from user name to {{Subject}} be cached ? And how is that cache refreshed ? * We must guard the use of the {{user.identified}} property somehow to prevent use of this feature by code to get access to other users data (privilege escalation). h3. Preventing Privilege Escalation As noted above we must make sure that no casual user can retrieve a {{ResourceResolver}} adding just a {{user.identified}} property and thus escalate his own privileges. One approach to mitigate this problem would be to leverage the {{ServiceUserMapper}} service which is also used in the context of the service authentication mechanism: a sub service name {{user.identified}} is defined and each consumer of this mechanism must have a user mapping for this subservice to the mock user {{*}}. This way, the JCR Resource Provider sketched above would add this check: {code:java} if (authenticationInfo.get(user.identified) != null) { if (!*.equals(serviceUserMapper.getServiceUserID(callingBundle, user.identified))) { log.info(Missing privilege to use pre-authenticated login); throw new LoginException(); } ... } {code} h3. Abstract Sling Repository ...

Full Content

Solving the Authentication Handler Credential Validation Problem

Status: DRAFT
Created: 27. September 2013
Author: fmeschbe
JIRA: Implement solution to the Authentication Handler Credential Validation Problem, AbstractSlingRepository#login violates JCR spec
References:
Updated:

* Problem
* Proposal
* Implementations
* Authentication Handler
* JCR Resource Provider
* Preventing Privilege Escalation
* Abstract Sling Repository

Problem

There does not currently exist a good and transparent way for an Authentication Handler to signal to the ResourceResolverFactory that the identity of a user has been established and validated and that no further checks are required. For example, an SSO authentication handler will get the identity of a user provided by the SSO handler, or an OAuth 2 authentication handler proves the identity of the user with the help of the OAuth 2 provider.

Proposal

A new predefined property of the AuthenticationInfo map is defined which can be set by the authentication handler to indicate that the user's identity has been verified and can be guaranteed:

{code:java}
public interface ResourceResolverFactory {

    /**
     * Name of the authentication information property used to indicate that the
     * identity of the user indicated by the {@link #USER} property has already
     * been validated by other means such as OAuth2, OpenID or similar SSO
     * functionality. As a consequence password-less access to a
     * {@link ResourceResolver} should be granted.
     * <p>
     * The non-empty string value of this property identifies the party having
     * validated the user's identity. It may be used by implementations of this
     * and the {@link ResourceProviderFactory} interfaces in log messages.
     * <p>
     * The type of this property, if present, is <code>String</code>.
     *
     * @since 2.4 (bundle version 2.5.0)
     */
    String IDENTIFIED = "user.identified";
}
{code}

ResourceProviderFactory services creating ResourceProvider instances by establishing connections to the actual data store will leverage this flag to implement a pre-authentication style of access.

Implementations

Authentication Handler

Implementations will just set the ResourceResolverFactory.IDENTIFIED property in the Authentication Info map to the name of the authentication handler indicating the identity has been validated. This replaces mechanisms used today such as implementing a LoginModule service validating a custom javax.jcr.Credentials instance.

JCR Resource Provider

The JCR Resource Provider will check for the property and create a Subject used for establishing the session's owner:

{code:java}
if (authenticationInfo.get("user.identified") != null) {
    // pre-identified user access
    final String userName = (String) authenticationInfo.get(ResourceResolverFactory.USER);
    final String identifier = (String) authenticationInfo.get("user.identified");
    log.info("getResourceProviderInternal: Logging in user {} identified by {}", userName, identifier);

    Session tmp = null;
    try {
        tmp = session = repository.loginAdministrative(workspace);
{code}
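Review bot: the rejection branch in the {code:java} block of this change logs "Missing privilege to use pre-authenticated login" at info level and throws LoginException() with no message, so a refused attempt to use user.identified leaves no record of which bundle asked or which user it asked for. Log the refusal at warn with the calling bundle and the requested user name, and give the exception the same text. The snippet also uses callingBundle without showing where it comes from; the check only holds if that value is supplied by the framework and not by the caller, which is worth stating next to the code.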
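The JCR Resource Provider check described above, combined with the caller guard this page edit proposes, as an added example that is not part of the original page and not Sling code. It runs the caller check before anything else and also enforces the non-empty String contract from the IDENTIFIED javadoc; `CallerMapper`, `LoginDenied`, the bundle names and the sample mapping are hypothetical stand-ins for the `ServiceUserMapper` lookup, `LoginException` and real configuration.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration, not Sling code: the caller check the page proposes for
 * the "user.identified" login path, plus the value checks implied by the
 * IDENTIFIED javadoc. Bundles are represented by their symbolic name.
 */
public class IdentifiedLoginGuard {

    /** Value of ResourceResolverFactory.USER in the Sling API. */
    static final String USER = "user";
    /** Property name and sub service name proposed on the page. */
    static final String IDENTIFIED = "user.identified";
    /** Mock user that a permitted consumer must be mapped to. */
    static final String MOCK_USER = "*";

    /** Hypothetical stand-in for serviceUserMapper.getServiceUserID(bundle, subService). */
    interface CallerMapper {
        String getServiceUserID(String callingBundle, String subServiceName);
    }

    /** Hypothetical stand-in for the LoginException thrown on the page. */
    static class LoginDenied extends Exception {
        LoginDenied(String message) {
            super(message);
        }
    }

    /**
     * Returns the user to log in without a password, or null when the map does
     * not ask for pre-authenticated login and normal credential checks apply.
     */
    static String preAuthenticatedUser(Map<String, Object> authInfo,
                                       String callingBundle,
                                       CallerMapper mapper) throws LoginDenied {
        Object identifiedBy = authInfo.get(IDENTIFIED);
        if (identifiedBy == null) {
            return null;
        }
        // 1. Caller check first: code that merely adds the property is stopped
        //    here, whatever else the map contains.
        if (!MOCK_USER.equals(mapper.getServiceUserID(callingBundle, IDENTIFIED))) {
            throw new LoginDenied("bundle " + callingBundle
                    + " has no user mapping for sub service " + IDENTIFIED);
        }
        // 2. Javadoc contract: a non-empty String naming the validating party.
        if (!(identifiedBy instanceof String) || ((String) identifiedBy).trim().isEmpty()) {
            throw new LoginDenied(IDENTIFIED + " must be a non-empty String");
        }
        // 3. There must be a user to log in as.
        Object user = authInfo.get(USER);
        if (!(user instanceof String) || ((String) user).trim().isEmpty()) {
            throw new LoginDenied(USER + " is missing although " + IDENTIFIED + " is set");
        }
        return (String) user;
    }

    /** Builds an authentication info map; null arguments are left out. */
    static Map<String, Object> authInfo(String user, Object identifiedBy) {
        Map<String, Object> info = new HashMap<>();
        if (user != null) {
            info.put(USER, user);
        }
        if (identifiedBy != null) {
            info.put(IDENTIFIED, identifiedBy);
        }
        return info;
    }

    /** Runs the guard and describes the outcome, including the refusal reason. */
    static String attempt(Map<String, Object> info, String bundle, CallerMapper mapper) {
        try {
            String user = preAuthenticatedUser(info, bundle, mapper);
            return bundle + ": "
                    + (user == null ? "normal credential check" : "pre-authenticated as " + user);
        } catch (LoginDenied e) {
            return bundle + ": denied (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed sample mapping: only the SSO handler bundle may use the feature.
        final Map<String, String> mappings = new HashMap<>();
        mappings.put("com.example.sso.handler:" + IDENTIFIED, MOCK_USER);
        CallerMapper mapper = (bundle, sub) -> mappings.get(bundle + ":" + sub);

        // Mapped authentication handler with a well-formed map.
        System.out.println(attempt(authInfo("alice", "sso-handler"), "com.example.sso.handler", mapper));
        // Unmapped bundle that adds the property itself.
        System.out.println(attempt(authInfo("admin", "self"), "com.example.webapp", mapper));
        // Mapped bundle, but the property value breaks the javadoc contract.
        System.out.println(attempt(authInfo("alice", ""), "com.example.sso.handler", mapper));
        // Property absent: the guard stays out of the way.
        System.out.println(attempt(authInfo("alice", null), "com.example.webapp", mapper));
    }
}
```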
[CONF] Apache Sling Solving the Authentication Handler Credential Validation Problem
Solving the Authentication Handler Credential Validation Problem
Page edited by Felix Meschberger

Changes (2)
... return getRepository().login(null, workspace); } else { return getRepository().login(getAnonCredentials(this.anonUser), workspace); // TODO: getAnonCredentials(this.anonUser) should not be used for anonymous access return getRepository().login(new GuestCredentials(), workspace); } } else { ...

Full Content

Solving the Authentication Handler Credential Validation Problem

Status: DRAFT
Created: 27. September 2013
Author: fmeschbe
JIRA:
References:
Updated:

* Problem
* Proposal
* Implementations
* Authentication Handler
* JCR Resource Provider
* Abstract Sling Repository

Problem

There does not currently exist a good and transparent way for an Authentication Handler to signal to the ResourceResolverFactory that the identity of a user has been established and validated and that no further checks are required. For example, an SSO authentication handler will get the identity of a user provided by the SSO handler, or an OAuth 2 authentication handler proves the identity of the user with the help of the OAuth 2 provider.

Proposal

A new predefined property of the AuthenticationInfo map is defined which can be set by the authentication handler to indicate that the user's identity has been verified and can be guaranteed:

{code:java}
public interface ResourceResolverFactory {

    /**
     * Name of the authentication information property used to indicate that the
     * identity of the user indicated by the {@link #USER} property has already
     * been validated by other means such as OAuth2, OpenID or similar SSO
     * functionality. As a consequence password-less access to a
     * {@link ResourceResolver} should be granted.
     * <p>
     * The non-empty string value of this property identifies the party having
     * validated the user's identity. It may be used by implementations of this
     * and the {@link ResourceProviderFactory} interfaces in log messages.
     * <p>
     * The type of this property, if present, is <code>String</code>.
     *
     * @since 2.4 (bundle version 2.5.0)
     */
    String IDENTIFIED = "user.identified";
}
{code}

ResourceProviderFactory services creating ResourceProvider instances by establishing connections to the actual data store will leverage this flag to implement a pre-authentication style of access.

Implementations

Authentication Handler

Implementations will just set the ResourceResolverFactory.IDENTIFIED property in the Authentication Info map to the name of the authentication handler indicating the identity has been validated. This replaces mechanisms used today such as implementing a LoginModule service validating a custom javax.jcr.Credentials instance.

JCR Resource Provider

The JCR Resource Provider will check for the property and create a Subject used for establishing the session's owner:

{code:java}
if (authenticationInfo.get("user.identified") != null) {
    // pre-identified user access
    final String userName = (String) authenticationInfo.get(ResourceResolverFactory.USER);
    final String identifier = (String) authenticationInfo.get("user.identified");
    log.info("getResourceProviderInternal: Logging in user {} identified by {}", userName, identifier);

    Session tmp = null;
    try {
        tmp = session = repository.loginAdministrative(workspace);
        Authorizable auth = ((JackrabbitSession) tmp).getUserManager().getAuthorizable(userName);
        Subject s = new Subject();
        s.getPrincipals().add(auth.getPrincipal());
        session = Subject.doAs(s, new PrivilegedExceptionAction<Session>() {
            public Session run() throws Exception {
                return repository.login(workspace);
            }
        });
    } catch (PrivilegedActionException pae) {
        throw pae.getCause();
    } finally {
        if (tmp != null) {
            tmp.logout();
        }
    }
}
{code}

Considerations for creating the Subject:

* Should the full Subject be created ? That is a subject which contains the user's Principal as well as the full set of Principal instances representing the set of groups of which the user is a member.
* Should only a simple Subject be created as in the example above ? That is only the user's Principal is contained and the repository implementation must then complete the set of Principals by the principals for the groups.
* Should a dummy Subject be created which only contains a simple Principal instance indicating the user's name (as opposed to the actual Principal instance representing the actual repository principal) ?
* Should a new session be retrieved for
[CONF] Apache Sling Solving the Authentication Handler Credential Validation Problem
Solving the Authentication Handler Credential Validation Problem
Page edited by Felix Meschberger

Changes (1)
... * Should a new session be retrieved for each such access or should a long-running session be used which needs to be occasionally refreshed ? * Should mappings from user name to {{Subject}} be cached ? And how is that cache refreshed ? * We must guard the use of the {{user.identified}} property somehow to prevent use of this feature by code to get access to other users data. h3. Abstract Sling Repository ...

Full Content

Solving the Authentication Handler Credential Validation Problem

Status: DRAFT
Created: 27. September 2013
Author: fmeschbe
JIRA:
References:
Updated:

* Problem
* Proposal
* Implementations
* Authentication Handler
* JCR Resource Provider
* Abstract Sling Repository

Problem

There does not currently exist a good and transparent way for an Authentication Handler to signal to the ResourceResolverFactory that the identity of a user has been established and validated and that no further checks are required. For example, an SSO authentication handler will get the identity of a user provided by the SSO handler, or an OAuth 2 authentication handler proves the identity of the user with the help of the OAuth 2 provider.

Proposal

A new predefined property of the AuthenticationInfo map is defined which can be set by the authentication handler to indicate that the user's identity has been verified and can be guaranteed:

{code:java}
public interface ResourceResolverFactory {

    /**
     * Name of the authentication information property used to indicate that the
     * identity of the user indicated by the {@link #USER} property has already
     * been validated by other means such as OAuth2, OpenID or similar SSO
     * functionality. As a consequence password-less access to a
     * {@link ResourceResolver} should be granted.
     * <p>
     * The non-empty string value of this property identifies the party having
     * validated the user's identity. It may be used by implementations of this
     * and the {@link ResourceProviderFactory} interfaces in log messages.
     * <p>
     * The type of this property, if present, is <code>String</code>.
     *
     * @since 2.4 (bundle version 2.5.0)
     */
    String IDENTIFIED = "user.identified";
}
{code}

ResourceProviderFactory services creating ResourceProvider instances by establishing connections to the actual data store will leverage this flag to implement a pre-authentication style of access.

Implementations

Authentication Handler

Implementations will just set the ResourceResolverFactory.IDENTIFIED property in the Authentication Info map to the name of the authentication handler indicating the identity has been validated. This replaces mechanisms used today such as implementing a LoginModule service validating a custom javax.jcr.Credentials instance.

JCR Resource Provider

The JCR Resource Provider will check for the property and create a Subject used for establishing the session's owner:

{code:java}
if (authenticationInfo.get("user.identified") != null) {
    // pre-identified user access
    final String userName = (String) authenticationInfo.get(ResourceResolverFactory.USER);
    final String identifier = (String) authenticationInfo.get("user.identified");
    log.info("getResourceProviderInternal: Logging in user {} identified by {}", userName, identifier);

    Session tmp = null;
    try {
        tmp = session = repository.loginAdministrative(workspace);
        Authorizable auth = ((JackrabbitSession) tmp).getUserManager().getAuthorizable(userName);
        Subject s = new Subject();
        s.getPrincipals().add(auth.getPrincipal());
        session = Subject.doAs(s, new PrivilegedExceptionAction<Session>() {
            public Session run() throws Exception {
                return repository.login(workspace);
            }
        });
    } catch (PrivilegedActionException pae) {
        throw pae.getCause();
    } finally {
        if (tmp != null) {
            tmp.logout();
        }
    }
}
{code}

Considerations for creating the Subject:

* Should the full Subject be created ? That is a subject which contains the user's Principal as well as the full set of Principal instances representing the set of groups of which the user is a member.
* Should only a simple Subject be created as in the example above ? That is only the user's Principal is contained and the repository implementation must then complete the set of Principals by the principals for the groups.
* Should a dummy Subject be created which only contains a simple Principal instance indicating the user's name (as opposed to the actual Principal instance representing the
[CONF] Apache Sling Status Report September 2013
Status Report September 2013
Page added by Felix Meschberger

September Board Report (Not Submitted)

Apache Sling is an OSGI-based scriptable web framework that uses a Java Content Repository, such as Apache Jackrabbit, to store and manage content.

There are no issues which require board attention at the moment.

Community Good activity level overall, contributions from different people continue. XXX new committers: XXX

Releases Apache Sling JCR Jackrabbit Server 2.1.2 (August 8th, 2013) Apache Sling JCR DavEx 1.2.0, Apache Sling JCR Webdav 2.2.0 (July 31st, 2013) Apache Sling Servlets Post 2.3.2, Apache Sling I18n 2.2.6, Apache Sling Commons FileSystem ClassLoader 1.0.0, Apache Sling JCR ClassLoader 3.2.0, and Apache Sling Parent POM 17 (July 18th, 2013)

Documentation Website has moved to Apache CMS Dist folder has moved to svn Project Branding is tracked in SLING-2696.
[CONF] Apache Sling FAQ
FAQ
Comment removed by Felix Meschberger

your link to http://cwiki.apache.org/SLING/who-is-using-sling-.html is down, and there is no contact form / email to report to.
[CONF] Apache Sling FAQ
FAQ Page edited by Felix Meschberger Changes (2) ... {note:title=This page is *not* meant for asking questions} Use the Sling users mailing lists for that, see http://sling.apache.org/site/project-information.html#ProjectInformation-lists http://sling.apache.org/project-information.html#mailing-lists - this page is about _answers_. Thanks! If you find anything wrong in the [Sling site|http://sling.apache.org] or in and on the Wiki, do not hesitate to also contact the users mailing list. Thanks. {note} ... Full Content Frequently Asked Questions This page lists a series of common questions and answers. It is of course work in progress ... This page is not meant for asking questionsUse the Sling users mailing lists for that, see http://sling.apache.org/project-information.html#mailing-lists - this page is about answers. Thanks! If you find anything wrong in the Sling site or in and on the Wiki, do not hesitate to also contact the user's mailing list. Thanks. Administration How do I change Jackrabbit's admin password? RESTful API How do I create a node by posting a json document to a URL? What so special about the 'content','apps' and '*' urls? I posted a resource, where did it go? How to I create a multi-value property with a single value, in HTTP? I cannot add a node under /content/config.author using a POST, the new node goes under /content/config Scripts and Servlets How do I generate links to previous versions of a node? How do I find out why a given script or servlet is preferred to another when processing a request? How do I render a script for a star "*" resource? How to replace the default json renderer (for example) with my own? How to execute scripts directly? How do I create a new script engine? Working with bundles Is there an easy way to update bundles in a running installation during development? Classloading issues Accessing Classes from the Environment How are the sling.bootdelegation properties used ? 
How does Sling support the org.osgi.framework.system.packages Property ? Should the org.osgi.framework.bootdelegation or the org.osgi.framework.system.packages Property be used ? How to share session between Sling and other web applications? Miscellaneous Why can't I connect to Sling's WebDAV using Windows NetworkDriveMapping ? Why is my WebDAV connection so slow on Windows ? Why should I use the sling:Folder node type instead of nt:folder ? How to change the service.ranking of a service through configuration? Administration How do I change Jackrabbit's admin password? Using the userManager: curl \ -F"oldPwd=admin" \ -F"newPwd=Fritz" \ -F"newPwdConfirm=Fritz" \ http://admin:admin@localhost:8080/system/userManager/user/admin.changePassword.html You will also have to set that password in the Felix Web Management Console (/system/console/configMgr) under "Apache Sling Embedded JCR Repository." This is used by Sling to create an admin JCR session (using SlingRepository.loginAdministrative()) for components that need to have full access to the repository. Note: Only after restarting the framework the old password will become invalid (as of 09-11-10). Note: depending on the login module used in Jackrabbit, the password might not be checked at all (SimpleLoginModule, standard in Jackrabbit = 1.4). Since Jackrabbit 1.5, the DefaultLoginModule provides full user support. RESTful API How do I create a node by posting a json document to a URL? At the moment, you cannot do this. (Soon to change as per SLING-1172) Instead, each value must be a field in the request POST. For example, suppose you have the json document: { "greetings":"Hello, World!", "multi" : ["first","second"], "translations" : { "en": "Hello", "zh", "你好" } } You would do a post such as: curl -F"greetings=Hello, World!" -F"mult=first" -F"multi=second" -F"translations/en=Hello" -F"translations/zh=你好" http://admin:admin@localhost:8080/content/../../.. What so special about the 'content','apps' and '*' urls? 
'apps' is reserved for matching scripts evaluated by Sling. The "*" URL is used for POSTing to a child node. By default, if a resource cannot be found from the root URL, Sling will try prefixing the path with "content". For example, if you request the following non-existent resource:

    http://localhost:8080/blog/first_post

Sling will look in:

    http://localhost:8080/content/blog/first_post

before returning a 404.

I posted a resource, where did it go?

Let's start by creating a resource:

    curl -F"greetings=Hello, World" -F"translations/en=Hello"
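The field-per-value mapping from the answer to "How do I create a node by posting a json document to a URL?", written out as an added example (not part of the FAQ page or of Sling's code). The names flatten, curl_args and SAMPLE are hypothetical; the key checks, the use of curl's --form-string instead of -F, and the @TypeHint suffix for one-element arrays are choices of this example, based on how curl and the Sling POST servlet interpret field names and values.

```python
import json
import shlex

# Constructed sample: the FAQ's JSON document, with "zh" as a key/value pair.
SAMPLE = ('{"greetings": "Hello, World!", "multi": ["first", "second"], '
          '"translations": {"en": "Hello", "zh": "你好"}}')

def _check_name(key):
    """Reject keys that the Sling POST servlet would not read as a plain name."""
    # A leading ':' marks a control parameter (e.g. :operation), '@' starts a
    # suffix such as @TypeHint, and '/' or '..' would address another node.
    if not key or key.startswith(":") or "@" in key or "/" in key or key in (".", ".."):
        raise ValueError("unsafe property name: %r" % key)
    return key

def _scalar(value):
    """Render one JSON scalar as a form value; null and nested arrays are refused."""
    if isinstance(value, bool):          # bool first: it is a subclass of int
        return "true" if value else "false"
    if isinstance(value, (str, int, float)):
        return str(value)
    raise ValueError("unsupported value: %r" % (value,))

def flatten(doc, prefix=""):
    """Return the (name, value) form fields for a parsed JSON object."""
    fields = []
    for key, value in doc.items():
        name = prefix + _check_name(key)
        if isinstance(value, dict):      # child node: translations/en, ...
            fields += flatten(value, name + "/")
        elif isinstance(value, list):    # multi-value: the field is repeated
            fields += [(name, _scalar(v)) for v in value]
            if len(value) == 1 and isinstance(value[0], str):
                # One value alone would be stored single-valued; hint the type.
                fields.append((name + "@TypeHint", "String[]"))
        else:
            fields.append((name, _scalar(value)))
    return fields

def curl_args(json_text):
    """Build curl arguments; --form-string keeps a leading '@' or '<' literal."""
    fields = flatten(json.loads(json_text))
    return " ".join("--form-string " + shlex.quote(n + "=" + v) for n, v in fields)

if __name__ == "__main__":
    print(curl_args(SAMPLE))
```

With -F, a JSON value beginning with "@" or "<" would make curl read a local file instead of sending the text, which is why the generated arguments use --form-string.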
[CONF] Apache Sling Service Authentication
Service Authentication
Page edited by Felix Meschberger

Changes (2)
...
Created: 4. April 2013
Author: fmeschbe
Issue: --
Issue: [SLING-2944|https://issues.apache.org/jira/browse/SLING-2944]
{toc:minLevel=2}
...

Full Content

Service Authentication

Status: PROTOTYPE
Created: 4. April 2013
Author: fmeschbe
Issue: SLING-2944

Problem
Requirements
Solution
  New loginService methods
  Communicating Service Information to ResourceProviderFactories
  New ServiceUserMapper Service
  Deprecate loginAdministrative
Prototype Implementation

Problem

Since the early days of Sling we have had methods to get an administrative JCR Session and, later, an administrative ResourceResolver. These methods were intended to give services access to the repository with fewer restrictions than regular users, and to allow those services to access the Resource tree (and JCR Repository) without hard-coding a password in the code or even keeping the password as plain text in configuration.

Over the years, it turned out that these loginAdministrative methods have been abused. The goal of this proposal is to come up with a new API to replace the loginAdministrative methods.
One example of a service which currently uses administrative privileges, but which would benefit from a carefully crafted service user, is the Tenant Manager.

Requirements

- Don't use administrative JCR Sessions or ResourceResolvers all over
- Allow services access to JCR Sessions and ResourceResolvers without requiring to hard-code or configure passwords
- Allow services to use "users" which have been specially configured for service level access
- Allow administrators to configure the assignment of service users to services

Solution

New loginService methods

Two new methods are introduced to replace the loginAdministrative methods:

    ResourceResolver getServiceResourceResolver(Map<String, Object> authenticationInfo) throws LoginException;
    Session loginService(String serviceInfo, String workspace) throws LoginException, RepositoryException;

The bundle identifying the actual service is not part of the new API. The bundle is taken from the call stack by leveraging the OSGi Service Factory mechanism: each bundle using the ResourceResolverFactory or SlingRepository service actually gets an instance bound to the using bundle. That bundle is used to identify the service.

The serviceInfo parameter, or the sling.service.info property of the authenticationInfo map, may be used to provide additional information on the service. See the New ServiceUserMapper Service section below for information on additional service information.

Communicating Service Information to ResourceProviderFactories

The ResourceProviderFactory interface is not extended for the new service login.
Rather, the required information (the using bundle and the additional service information) is passed to the getResourceProvider method as part of the authenticationInfo map:

    ResourceResolverFactory.USER             name of the service user (never null)
    ResourceProviderFactory.SERVICE_BUNDLE   the service Bundle object (never null)
    ResourceResolverFactory.SERVICE_INFO     additional service information (optional; may be null)

In case the ResourceProviderFactory makes use of another service to provide the ResourceProvider, the provided service bundle should be used to acquire that service, so that the service can support service logins using the ServiceUserMapper service. An example of such an implementation would be the JCR based ResourceProviderFactory, which gets the SlingRepository service using the service bundle.

New ServiceUserMapper Service

A service is introduced which maps a service to a user name. A service is identified by a service name related to the OSGi Bundle implementing the service and an additional service information string.

For example, a bundle implementing mail support may represent the MailServer service, while the actual mail sender may identify itself with the sender information and some mail queue handler may identify itself with the queue information. This allows separate users to be used for sending messages and handling the message queue, or the same user to be used for both services, depending on the requirements and needs of the system administrator.

The ServiceUserMapper service has two methods:

    String getServiceName(Bundle bundle, String serviceInfo);

Returns the value of the service identification string to use for the bundle providing the service. In the above example of the message sender service, when called with the mail server bundle and serviceInfo="sender" the returned value might be MailServer:sender.

    String getUserForService(Bundle bundle, String