[GitHub] [sling-org-apache-sling-engine] akankshajain18 commented on pull request #11: SLING-9741|Invalid path decomposition in case of multiple dots
akankshajain18 commented on pull request #11:
URL: https://github.com/apache/sling-org-apache-sling-engine/pull/11#issuecomment-781132285

> @akankshajain18 - formatting is still off...

updated

This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[jira] [Updated] (SLING-10149) Move usermanager servlets from /apps to /libs
[ https://issues.apache.org/jira/browse/SLING-10149?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Norman updated SLING-10149:

Description:
The servlets provided by o.a.sling.jcr.jackrabbit.usermanager should be mounted under /libs instead of /apps
The /apps area should be left for customization or experiments.
h4.

was:
The servlets provided by o.a.sling.jcr.jackrabbit.usermanagermanager should be mounted under /libs instead of /apps
The /apps area should be left for customization or experiments.
h4.

> Move usermanager servlets from /apps to /libs
> -
>
> Key: SLING-10149
> URL: https://issues.apache.org/jira/browse/SLING-10149
> Project: Sling
> Issue Type: Bug
> Reporter: Eric Norman
> Assignee: Eric Norman
> Priority: Major
> Fix For: JCR Jackrabbit User Manager 2.2.14
>
> The servlets provided by o.a.sling.jcr.jackrabbit.usermanager should be
> mounted under /libs instead of /apps
> The /apps area should be left for customization or experiments.
> h4.

-- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (SLING-10149) Move usermanager servlets from /apps to /libs
Eric Norman created SLING-10149:
---
Summary: Move usermanager servlets from /apps to /libs
Key: SLING-10149
URL: https://issues.apache.org/jira/browse/SLING-10149
Project: Sling
Issue Type: Bug
Reporter: Eric Norman
Assignee: Eric Norman
Fix For: JCR Jackrabbit User Manager 2.2.14

The servlets provided by o.a.sling.jcr.jackrabbit.usermanagermanager should be mounted under /libs instead of /apps
The /apps area should be left for customization or experiments.
h4.
[jira] [Created] (SLING-10148) Move accessmanager servlets from /apps to /libs
Eric Norman created SLING-10148:
---
Summary: Move accessmanager servlets from /apps to /libs
Key: SLING-10148
URL: https://issues.apache.org/jira/browse/SLING-10148
Project: Sling
Issue Type: Bug
Reporter: Eric Norman
Assignee: Eric Norman
Fix For: JCR Jackrabbit Access Manager 3.0.10

The servlets provided by o.a.sling.jcr.jackrabbit.accessmanager should be mounted under /libs instead of /apps
The /apps area should be left for customization or experiments.
[jira] [Commented] (SLING-10147) scripting variables implementation details are exposed to not authorized users
[ https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17286233#comment-17286233 ]

Eric Norman commented on SLING-10147:
-
I couldn't figure out a convenient way to forward a request from the webconsole plugin to the sling main servlet, so I changed my approach from forwarding the request to redirecting.

The new post handling generates a one-time-use token to pass along as a request parameter and then redirects to generate the response.

Changes were also made to ensure that any request to the SlingBindingsVariablesListJsonServlet that arrives without a valid value in the "nonce" request parameter is not accepted via implementing OptingServlet.

I have stashed the code in PR #5 for review and feedback: [https://github.com/apache/sling-org-apache-sling-scripting-core/pull/5]

Let me know what you think.

> scripting variables implementation details are exposed to not authorized users
> --
>
> Key: SLING-10147
> URL: https://issues.apache.org/jira/browse/SLING-10147
> Project: Sling
> Issue Type: Bug
> Reporter: Eric Norman
> Priority: Major
> Fix For: Scripting Core 2.3.6
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The ".SLING_availablebindings.json" selector is registered at
> /apps/sling/servlet/default and the usage on all resources is not protected
> by any security checks. The information returned contains implementation
> details that a regular user should not need to know and could be considered
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables"
> webconsole plugin, I would expect that it should require the same security
> checking that would be needed to access the webconsole.
[GitHub] [sling-org-apache-sling-scripting-core] enapps-enorman opened a new pull request #5: SLING-10147 scripting variables implementation details are exposed to not authorized users
enapps-enorman opened a new pull request #5:
URL: https://github.com/apache/sling-org-apache-sling-scripting-core/pull/5

Changes the request flow a bit, so that all the calls from the "Scripting Variables" form are POSTed to the ScriptingVariablesConsolePlugin servlet (which would flow through OsgiManagerHttpContext#handleSecurity).

The new post handling generates a one-time-use token to pass along as a request parameter and then redirects to the main sling servlet to generate the response.

Changes were also made to ensure that any request to the SlingBindingsVariablesListJsonServlet that arrives without the expected request parameter is not accepted via implementing OptingServlet.
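The one-time-token gate described in this pull request, as an added example (not code from PR #5 or from sling-scripting-core). `OneTimeNonceStore`, `issue()` and `consume()` are hypothetical names: the authenticated POST handler would call `issue()` before redirecting, and the JSON servlet's `OptingServlet#accepts` would pass the "nonce" request parameter to `consume()`. The `/content` path in `main` is constructed.

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper: issues nonces that are valid once and only for a short time. */
public final class OneTimeNonceStore {

    private final SecureRandom random = new SecureRandom();
    // nonce -> expiry instant; only nonces issued by this instance are ever present
    private final Map<String, Instant> pending = new ConcurrentHashMap<>();
    private final Duration ttl;
    private final Clock clock;

    public OneTimeNonceStore(Duration ttl, Clock clock) {
        this.ttl = ttl;
        this.clock = clock;
    }

    /** Called by the handler that already passed the webconsole security check. */
    public String issue() {
        purgeExpired();
        byte[] raw = new byte[32]; // 256 bits, not guessable
        random.nextBytes(raw);
        String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(nonce, clock.instant().plus(ttl));
        return nonce;
    }

    /**
     * Called from the servlet's accepts() decision. The remove() is atomic, so a
     * replayed value, a second concurrent request, or a value that was never
     * issued all find nothing and are refused.
     */
    public boolean consume(String nonce) {
        if (nonce == null || nonce.isEmpty()) {
            return false; // request arrived without the parameter
        }
        Instant expiry = pending.remove(nonce);
        return expiry != null && clock.instant().isBefore(expiry);
    }

    /** Drops nonces that were issued but never redeemed, so the map cannot grow unbounded. */
    private void purgeExpired() {
        Instant now = clock.instant();
        pending.values().removeIf(expiry -> !now.isBefore(expiry));
    }

    public static void main(String[] args) {
        OneTimeNonceStore store = new OneTimeNonceStore(Duration.ofSeconds(30), Clock.systemUTC());

        String nonce = store.issue();
        // Constructed redirect target; only the selector and parameter name come from the issue text.
        System.out.println("redirect to /content.SLING_availablebindings.json?nonce=" + nonce);

        System.out.println("first use accepted:   " + store.consume(nonce));
        System.out.println("replay accepted:      " + store.consume(nonce));
        System.out.println("no parameter:         " + store.consume(null));
        System.out.println("never-issued value:   " + store.consume("AAAA"));

        // A zero lifetime shows the expiry branch: the nonce is already stale when redeemed.
        OneTimeNonceStore expired = new OneTimeNonceStore(Duration.ZERO, Clock.systemUTC());
        System.out.println("expired nonce:        " + expired.consume(expired.issue()));
    }
}
```

Because the nonce travels in a redirect URL, the short lifetime and single use are what limit its value if it ends up in access logs or browser history.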
Re: Jackrabbit oak lucene index
Thank you Robert!

On Wed, Feb 17, 2021 at 11:57 AM Robert Munteanu wrote:

> Hi Lisa,
>
> On Wed, 2021-02-17 at 09:13 -0500, Lisa Davidson wrote:
> > Are lucene indexes all stored in the JCR? On the file system, I see an
> > index directory under our deployment.
> > sh-4.4$ pwd
> > /opt/sling/repository/index
> > sh-4.4$ ls -lh
> > total 0
> > drwxr-xr-x. 2 100123 root 6 Feb 17 10:10 indexWriterDir
> > drwxr-xr-x. 3 100123 root 43 Feb 17 10:11 lucene-1598447109480
> > sh-4.4$
> >
> > Is what's on the local storage a copy of what's in the JCR?
>
> There are multiple types of indexes, see [1]. Lucene indexes are stored
> as Lucene files in the filesystem, while (IIRC) reference, counter and
> property indexes are stored in the repository.
>
> So this is expected.
>
> [2] might also provide some context.
>
> Thanks,
> Robert
>
> [1]: https://jackrabbit.apache.org/oak/docs/query/indexing.html
> [2]: https://jackrabbit.apache.org/oak/docs/query/lucene.html

--
Lisa Davidson, RHCE
Sr. Software Engineer
Red Hat, Inc.
[jira] [Comment Edited] (SLING-10147) scripting variables implementation details are exposed to not authorized users
[ https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17286185#comment-17286185 ]

Eric Norman edited comment on SLING-10147 at 2/17/21, 11:04 PM:

[~kwin] Yes, that was my conclusion as well. My first thought was the simple solution of using a reference to a WebConsoleSecurityProvider service that implements the WebConsoleSecurityProvider2 interface and call WebConsoleSecurityProvider2#authenticate to validate the security credentials. That works ok when that service exists, but if there is no such service then the security checks become more complex and rely on some internal implementation details...

How would you feel about changing the request flow a bit, so that all the calls from the "Scripting Variables" form are POSTed to the ScriptingVariablesConsolePlugin servlet (which would flow through OsgiManagerHttpContext#handleSecurity) that sets some value as a request attribute and then forwards as a GET request for processing the response? Then changes can be made to ensure that any request to the SlingBindingsVariablesListJsonServlet that arrives without the expected request attribute is rejected and 404 is returned (or use OptingServlet)?

was (Author: enorman):

[~kwin] Yes, that was my conclusion as well. My first thought was the simple solution of using a reference to a WebConsoleSecurityProvider service that implements the WebConsoleSecurityProvider2 interface and call WebConsoleSecurityProvider2#authenticate to validate the security credentials. That works ok when that service exists, but if there is no such service then the security checks become more complex and rely on some internal implementation details...

How would you feel about changing the request flow a bit, so that all the calls from the "Scripting Variables" form are POSTed to the ScriptEngineConsolePlugin servlet (which would flow through OsgiManagerHttpContext#handleSecurity) that sets some value as a request attribute and then forwards as a GET request for processing the response? Then changes can be made to ensure that any request to the SlingBindingsVariablesListJsonServlet that arrives without the expected request attribute is rejected and 404 is returned (or use OptingServlet)?

> scripting variables implementation details are exposed to not authorized users
> --
>
> Key: SLING-10147
> URL: https://issues.apache.org/jira/browse/SLING-10147
> Project: Sling
> Issue Type: Bug
> Reporter: Eric Norman
> Priority: Major
> Fix For: Scripting Core 2.3.6
>
> The ".SLING_availablebindings.json" selector is registered at
> /apps/sling/servlet/default and the usage on all resources is not protected
> by any security checks. The information returned contains implementation
> details that a regular user should not need to know and could be considered
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables"
> webconsole plugin, I would expect that it should require the same security
> checking that would be needed to access the webconsole.
[jira] [Comment Edited] (SLING-10147) scripting variables implementation details are exposed to not authorized users
[ https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17286185#comment-17286185 ]

Eric Norman edited comment on SLING-10147 at 2/17/21, 10:44 PM:

[~kwin] Yes, that was my conclusion as well. My first thought was the simple solution of using a reference to a WebConsoleSecurityProvider service that implements the WebConsoleSecurityProvider2 interface and call WebConsoleSecurityProvider2#authenticate to validate the security credentials. That works ok when that service exists, but if there is no such service then the security checks become more complex and rely on some internal implementation details...

How would you feel about changing the request flow a bit, so that all the calls from the "Scripting Variables" form are POSTed to the ScriptEngineConsolePlugin servlet (which would flow through OsgiManagerHttpContext#handleSecurity) that sets some value as a request attribute and then forwards as a GET request for processing the response? Then changes can be made to ensure that any request to the SlingBindingsVariablesListJsonServlet that arrives without the expected request attribute is rejected and 404 is returned (or use OptingServlet)?

was (Author: enorman):

[~kwin] Yes, that was my conclusion as well. My first thought was the simple solution of using a reference to a WebConsoleSecurityProvider service that implements the WebConsoleSecurityProvider2 interface and call WebConsoleSecurityProvider2#authenticate to validate the security credentials. That works ok when that service exists, but if there is no such service then the security checks become more complex and rely on some internal implementation details...

How would you feel about changing the request flow a bit, so that all the calls from the "Scripting Variables" form are POSTed to the ScriptEngineConsolePlugin servlet (which would flow through OsgiManagerHttpContext#handleSecurity) that sets some value as a request attribute and then forwards as a GET request for processing the response? Then changes can be made to ensure that any request to the SlingBindingsVariablesListJsonServlet that arrives without the expected request attribute is rejected and 404 is returned?

> scripting variables implementation details are exposed to not authorized users
> --
>
> Key: SLING-10147
> URL: https://issues.apache.org/jira/browse/SLING-10147
> Project: Sling
> Issue Type: Bug
> Reporter: Eric Norman
> Priority: Major
> Fix For: Scripting Core 2.3.6
>
> The ".SLING_availablebindings.json" selector is registered at
> /apps/sling/servlet/default and the usage on all resources is not protected
> by any security checks. The information returned contains implementation
> details that a regular user should not need to know and could be considered
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables"
> webconsole plugin, I would expect that it should require the same security
> checking that would be needed to access the webconsole.
[jira] [Commented] (SLING-10147) scripting variables implementation details are exposed to not authorized users
[ https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17286185#comment-17286185 ]

Eric Norman commented on SLING-10147:
-
[~kwin] Yes, that was my conclusion as well. My first thought was the simple solution of using a reference to a WebConsoleSecurityProvider service that implements the WebConsoleSecurityProvider2 interface and call WebConsoleSecurityProvider2#authenticate to validate the security credentials. That works ok when that service exists, but if there is no such service then the security checks become more complex and rely on some internal implementation details...

How would you feel about changing the request flow a bit, so that all the calls from the "Scripting Variables" form are POSTed to the ScriptEngineConsolePlugin servlet (which would flow through OsgiManagerHttpContext#handleSecurity) that sets some value as a request attribute and then forwards as a GET request for processing the response? Then changes can be made to ensure that any request to the SlingBindingsVariablesListJsonServlet that arrives without the expected request attribute is rejected and 404 is returned?

> scripting variables implementation details are exposed to not authorized users
> --
>
> Key: SLING-10147
> URL: https://issues.apache.org/jira/browse/SLING-10147
> Project: Sling
> Issue Type: Bug
> Reporter: Eric Norman
> Priority: Major
> Fix For: Scripting Core 2.3.6
>
> The ".SLING_availablebindings.json" selector is registered at
> /apps/sling/servlet/default and the usage on all resources is not protected
> by any security checks. The information returned contains implementation
> details that a regular user should not need to know and could be considered
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables"
> webconsole plugin, I would expect that it should require the same security
> checking that would be needed to access the webconsole.
[jira] [Comment Edited] (SLING-10147) scripting variables implementation details are exposed to not authorized users
[ https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17286151#comment-17286151 ]

Konrad Windszus edited comment on SLING-10147 at 2/17/21, 9:31 PM:
---
See the discussion at SLING-3543. Exposing the bindings requires a real Sling Servlet Request, therefore this generic servlet binding. Doing the same kind of access check requires probably a dependency on the WebConsoleSecurityProvider service. But IMHO that service is optional (even with Sling) so it must also work without it.

Maybe reusing the OsgiManagerHttpContext is an option (https://github.com/apache/felix-dev/blob/e8fbf5bae0b736e187f603ae05d5b2ebeafb7973/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L961)

was (Author: kwin):

See the discussion at SLING-3543. Exposing the bindings requires a real Sling Servlet Request, therefore this generic servlet binding. Doing the same kind of access check requires probably a dependency on the WebConsoleSecurityProvider service. But IMHO that service is optional (even with Sling) so it must also work without it.

> scripting variables implementation details are exposed to not authorized users
> --
>
> Key: SLING-10147
> URL: https://issues.apache.org/jira/browse/SLING-10147
> Project: Sling
> Issue Type: Bug
> Reporter: Eric Norman
> Priority: Major
> Fix For: Scripting Core 2.3.6
>
> The ".SLING_availablebindings.json" selector is registered at
> /apps/sling/servlet/default and the usage on all resources is not protected
> by any security checks. The information returned contains implementation
> details that a regular user should not need to know and could be considered
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables"
> webconsole plugin, I would expect that it should require the same security
> checking that would be needed to access the webconsole.
[jira] [Commented] (SLING-10147) scripting variables implementation details are exposed to not authorized users
[ https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17286151#comment-17286151 ]

Konrad Windszus commented on SLING-10147:
-
See the discussion at SLING-3543. Exposing the bindings requires a real Sling Servlet Request, therefore this generic servlet binding. Doing the same kind of access check requires probably a dependency on the WebConsoleSecurityProvider service. But IMHO that service is optional (even with Sling) so it must also work without it.

> scripting variables implementation details are exposed to not authorized users
> --
>
> Key: SLING-10147
> URL: https://issues.apache.org/jira/browse/SLING-10147
> Project: Sling
> Issue Type: Bug
> Reporter: Eric Norman
> Priority: Major
> Fix For: Scripting Core 2.3.6
>
> The ".SLING_availablebindings.json" selector is registered at
> /apps/sling/servlet/default and the usage on all resources is not protected
> by any security checks. The information returned contains implementation
> details that a regular user should not need to know and could be considered
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables"
> webconsole plugin, I would expect that it should require the same security
> checking that would be needed to access the webconsole.
[GitHub] [sling-org-apache-sling-testing-osgi-mock] sonarcloud[bot] commented on pull request #7: SLING-10138 Add proper throws declarations for the MockConfigurationA…
sonarcloud[bot] commented on pull request #7:
URL: https://github.com/apache/sling-org-apache-sling-testing-osgi-mock/pull/7#issuecomment-780847121

Kudos, SonarCloud Quality Gate passed!

[0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-testing-osgi-mock=7=false=BUG)
[0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-testing-osgi-mock=7=false=VULNERABILITY)
[0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-testing-osgi-mock=7=false=SECURITY_HOTSPOT)
[0 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-testing-osgi-mock=7=false=CODE_SMELL)
[100.0% Coverage](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-testing-osgi-mock=7=new_coverage=list)
[0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-testing-osgi-mock=7=new_duplicated_lines_density=list)
[GitHub] [sling-org-apache-sling-testing-osgi-mock] sonarcloud[bot] removed a comment on pull request #7: SLING-10138 Add proper throws declarations for the MockConfigurationA…
sonarcloud[bot] removed a comment on pull request #7:
URL: https://github.com/apache/sling-org-apache-sling-testing-osgi-mock/pull/7#issuecomment-12539

Kudos, SonarCloud Quality Gate passed!

[0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-testing-osgi-mock=7=false=BUG)
[0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-testing-osgi-mock=7=false=VULNERABILITY)
[0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-testing-osgi-mock=7=false=SECURITY_HOTSPOT)
[1 Code Smell](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-testing-osgi-mock=7=false=CODE_SMELL)
[100.0% Coverage](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-testing-osgi-mock=7=new_coverage=list)
[0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-testing-osgi-mock=7=new_duplicated_lines_density=list)
[jira] [Created] (SLING-10147) scripting variables implementation details are exposed to not authorized users
Eric Norman created SLING-10147:
---
Summary: scripting variables implementation details are exposed to not authorized users
Key: SLING-10147
URL: https://issues.apache.org/jira/browse/SLING-10147
Project: Sling
Issue Type: Bug
Reporter: Eric Norman

The ".SLING_availablebindings.json" selector is registered at /apps/sling/servlet/default and the usage on all resources is not protected by any security checks. The information returned contains implementation details that a regular user should not need to know and could be considered an "information disclosure" vulnerability.

Since this selector appears to only be used by the "Scripting Variables" webconsole plugin, I would expect that it should require the same security checking that would be needed to access the webconsole.
[jira] [Updated] (SLING-10147) scripting variables implementation details are exposed to not authorized users
[ https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Norman updated SLING-10147:

Fix Version/s: Scripting Core 2.3.6

> scripting variables implementation details are exposed to not authorized users
> --
>
> Key: SLING-10147
> URL: https://issues.apache.org/jira/browse/SLING-10147
> Project: Sling
> Issue Type: Bug
> Reporter: Eric Norman
> Priority: Major
> Fix For: Scripting Core 2.3.6
>
> The ".SLING_availablebindings.json" selector is registered at
> /apps/sling/servlet/default and the usage on all resources is not protected
> by any security checks. The information returned contains implementation
> details that a regular user should not need to know and could be considered
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables"
> webconsole plugin, I would expect that it should require the same security
> checking that would be needed to access the webconsole.
[jira] [Commented] (SLING-10143) bundles referenced in sling starter are out of date
[ https://issues.apache.org/jira/browse/SLING-10143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17286033#comment-17286033 ]

Eric Norman commented on SLING-10143:
-
[~reusr1], [~rombert] - I have stashed a variation of my version rules configuration in the whiteboard at [https://github.com/apache/sling-whiteboard/tree/master/org-apache-sling-build-version-rules] for your consideration.

[~reusr1] If I recall correctly, that error from oak.discovery (and sometimes sling.events?) during shutdown is somehow related to upgrading to org.osgi:org.osgi.service.log:1.5.0. I didn't look into the details or reason, I just switched back to the 1.4.0 version for my project. Maybe that error has always been happening, but it just wasn't logged before due to something that was fixed in the 1.5.0 version?

> bundles referenced in sling starter are out of date
> ---
>
> Key: SLING-10143
> URL: https://issues.apache.org/jira/browse/SLING-10143
> Project: Sling
> Issue Type: Improvement
> Components: Starter
> Reporter: Ruben Reusser
> Priority: Major
> Fix For: Starter 12
>
> Attachments:
> 0001-updated-3rd-party-dependencies-of-sling-starter.patch,
> 0002-javax.activation-dependency-needed-to-be-increased.patch,
> 0003-updated-to-latest-sling-bundles-added-missing-felix-.patch
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Would be nice to make sure the sling starter uses the latest bundles -
> according to
> {code:java}
> mvn versions:display-dependency-updates{code}
> the sling starter is a bit out of date with the dependencies
> {code:java}
> [INFO] The following dependencies in Dependencies have newer versions:
> [INFO] com.composum.nodes:composum-nodes-commons ... 2.1.1 -> 2.3.0
> [INFO] com.composum.nodes:composum-nodes-console ... 2.1.1 -> 2.3.0
> [INFO] com.composum.nodes:composum-nodes-jslibs ... 2.1.1 -> 2.3.0
> [INFO] com.composum.nodes:composum-nodes-pckgmgr ... 2.1.1 -> 2.3.0
> [INFO] com.composum.nodes:composum-nodes-usermgr ... 2.1.1 -> 2.3.0
> [INFO] com.fasterxml.jackson.core:jackson-annotations ... 2.11.1 -> 2.12.1
> [INFO] com.fasterxml.jackson.core:jackson-core ... 2.11.1 -> 2.12.1
> [INFO] com.fasterxml.jackson.core:jackson-databind ... 2.11.1 -> 2.12.1
> [INFO] com.google.guava:guava ... 15.0 -> 30.1-jre
> [INFO] com.h2database:h2-mvstore ... 1.4.194 -> 1.4.200
> [INFO] commons-codec:commons-codec ... 1.14 -> 1.15
> [INFO] commons-collections:commons-collections ... 3.2.2 -> 20040616
> [INFO] commons-io:commons-io ... 2.6 -> 2.8.0
> [INFO] io.dropwizard.metrics:metrics-core ... 3.2.6 -> 4.2.0-beta.1
> [INFO] org.antlr:antlr4-runtime ... 4.7.2 -> 4.9.1
> [INFO] org.apache.commons:commons-lang3 ... 3.9 -> 3.11
> [INFO] org.apache.felix:org.apache.felix.configadmin ... 1.9.16 -> 1.9.20
> [INFO] org.apache.felix:org.apache.felix.eventadmin ... 1.5.0 -> 1.6.2
> [INFO] org.apache.felix:org.apache.felix.http.jetty ... 4.0.18 -> 4.1.4
> [INFO] org.apache.felix:org.apache.felix.metatype ... 1.2.2 -> 1.2.4
> [INFO] org.apache.felix:org.apache.felix.scr ... 2.1.20 -> 2.1.24
> [INFO] org.apache.felix:org.apache.felix.utils ... 1.11.2 -> 1.11.6
> [INFO] org.apache.felix:org.apache.felix.webconsole ... 4.5.0 -> 4.6.0
> [INFO] org.apache.geronimo.specs:geronimo-annotation_1.3_spec ... 1.1 -> 1.3
> [INFO] org.apache.geronimo.specs:geronimo-atinject_1.0_spec ... 1.1 -> 1.2
> [INFO] org.apache.httpcomponents:httpclient ... 4.5.10 -> 4.5.13
> [INFO] org.apache.httpcomponents:httpclient-osgi ... 4.5.10 -> 4.5.13
> [INFO] org.apache.httpcomponents:httpcore-osgi ... 4.4.12 -> 4.4.14
> [INFO] org.apache.jackrabbit:jackrabbit-data ... 2.20.0 -> 2.21.5
> [INFO] org.apache.jackrabbit:jackrabbit-jcr-commons ... 2.20.0 -> 2.21.5
> [INFO] org.apache.jackrabbit:jackrabbit-jcr-rmi ... 2.20.0 -> 2.21.5
> [INFO] org.apache.jackrabbit:jackrabbit-spi ... 2.20.0 -> 2.21.5
> [INFO] org.apache.jackrabbit:jackrabbit-spi-commons ... 2.20.0 -> 2.21.5
> [INFO] org.apache.jackrabbit:jackrabbit-webdav ... 2.20.0 -> 2.21.5
> [INFO] org.apache.jackrabbit:oak-api ... 1.32.0 -> 1.38.0
> [INFO] org.apache.jackrabbit:oak-authorization-principalbased ...
> [INFO] 1.32.0
[GitHub] [sling-org-apache-sling-engine] rombert commented on pull request #11: SLING-9741|Invalid path decomposition in case of multiple dots
rombert commented on pull request #11:
URL: https://github.com/apache/sling-org-apache-sling-engine/pull/11#issuecomment-780706416

@akankshajain18 - formatting is still off...
Long startup times with MongoDB (was: Running Apache Sling on Apache Karaf on OpenShift)
Hi Lisa,

(adjusting subject, perhaps it draws more attention)

On Mon, 2021-02-15 at 18:26 -0500, Lisa Davidson wrote:
> We run multiple application pods on OpenShift(AWS) that talk to an external
> mongo db cluster which spreads out in datacenters(not AWS).
>
> During a deployment, it normally takes about 10 mins for "Apache Sling
> Repository Startup Thread" to do its thing. What is it doing? Any idea what
> it takes so long? Why is every application pod doing repository startup?
>
> Do you recommend attaching a persistent volume to the application pods? Is
> there a way for Sling to tell other pods there is no need to do repository
> startup if it was done already?

First off, do these pods connect to the same MongoDB database, or are they independent?

10 minutes is a long time, even for a remote MongoDB instance. The startup thread does all the initial work of creating the repository, which means starting up Oak (including initial content, indexes, etc.) and running any repository initialisers, such as repoinit statements.

Do you have any specific log statements that draw attention? Can you profile the execution and see where the time is spent?

Thanks,
Robert
Re: Jackrabbit oak lucene index
Hi Lisa,

On Wed, 2021-02-17 at 09:13 -0500, Lisa Davidson wrote:
> Are lucene indexes all stored in the JCR? On the file system, I see an
> index directory under our deployment.
> sh-4.4$ pwd
> /opt/sling/repository/index
> sh-4.4$ ls -lh
> total 0
> drwxr-xr-x. 2 100123 root 6 Feb 17 10:10 indexWriterDir
> drwxr-xr-x. 3 100123 root 43 Feb 17 10:11 lucene-1598447109480
> sh-4.4$
>
> Is what's on the local storage a copy of what's in the JCR?

There are multiple types of indexes, see [1]. Lucene indexes are stored as Lucene files in the filesystem, while (IIRC) reference, counter and property indexes are stored in the repository. So this is expected. [2] might also provide some context.

Thanks,
Robert

[1]: https://jackrabbit.apache.org/oak/docs/query/indexing.html
[2]: https://jackrabbit.apache.org/oak/docs/query/lucene.html
Jackrabbit oak lucene index
Are lucene indexes all stored in the JCR? On the file system, I see an index directory under our deployment.

sh-4.4$ pwd
/opt/sling/repository/index
sh-4.4$ ls -lh
total 0
drwxr-xr-x. 2 100123 root 6 Feb 17 10:10 indexWriterDir
drwxr-xr-x. 3 100123 root 43 Feb 17 10:11 lucene-1598447109480
sh-4.4$

Is what's on the local storage a copy of what's in the JCR?

--
Lisa Davidson, RHCE
Sr. Software Engineer
Red Hat, Inc.
[GitHub] [sling-org-apache-sling-starter] sonarcloud[bot] commented on pull request #18: SLING-10143: update dependencies to latest release versions
sonarcloud[bot] commented on pull request #18: URL: https://github.com/apache/sling-org-apache-sling-starter/pull/18#issuecomment-780562539

Kudos, SonarCloud Quality Gate passed!

[0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-starter=18=false=BUG)
[0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-starter=18=false=VULNERABILITY)
[0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-starter=18=false=SECURITY_HOTSPOT)
[0 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-starter=18=false=CODE_SMELL)
No Coverage information
[0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-starter=18=new_duplicated_lines_density=list)
[jira] [Commented] (SLING-10143) bundles referenced in sling starter are out of date
[ https://issues.apache.org/jira/browse/SLING-10143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17285825#comment-17285825 ]

Ruben Reusser commented on SLING-10143:
---
PR created at [https://github.com/apache/sling-org-apache-sling-starter/pull/18]

I did however notice a shutdown issue with the new starter in the org.apache.sling.discovery.oak module - not sure if that is an issue or not (start sling, hit ctrl-c to stop sling, get the error) - the issue is not present in master:

{code:java}
ERROR : bundle org.apache.sling.discovery.oak:1.2.30 (148)[org.apache.sling.discovery.oak.OakDiscoveryService(232)] : The updatedPropertyProvider method has thrown an exception
ERROR : bundle org.apache.sling.discovery.oak:1.2.30 (148)[org.apache.sling.discovery.oak.OakDiscoveryService(232)] : The updatedPropertyProvider method has thrown an exception
java.lang.IllegalArgumentException: Can't create child on a synthetic root
    at org.apache.sling.resourceresolver.impl.ResourceResolverImpl.create(ResourceResolverImpl.java:979)
    at org.apache.sling.api.resource.ResourceUtil.getOrCreateResourceInternal(ResourceUtil.java:666)
    at org.apache.sling.api.resource.ResourceUtil.getOrCreateResource(ResourceUtil.java:603)
    at org.apache.sling.api.resource.ResourceUtil.getOrCreateResource(ResourceUtil.java:571)
    at org.apache.sling.api.resource.ResourceUtil.getOrCreateResourceInternal(ResourceUtil.java:654)
    at org.apache.sling.api.resource.ResourceUtil.getOrCreateResource(ResourceUtil.java:603)
    at org.apache.sling.api.resource.ResourceUtil.getOrCreateResource(ResourceUtil.java:571)
    at org.apache.sling.api.resource.ResourceUtil.getOrCreateResourceInternal(ResourceUtil.java:654)
    at org.apache.sling.api.resource.ResourceUtil.getOrCreateResource(ResourceUtil.java:603)
    at org.apache.sling.api.resource.ResourceUtil.getOrCreateResource(ResourceUtil.java:571)
    at org.apache.sling.api.resource.ResourceUtil.getOrCreateResourceInternal(ResourceUtil.java:654)
    at org.apache.sling.api.resource.ResourceUtil.getOrCreateResource(ResourceUtil.java:603)
    at org.apache.sling.api.resource.ResourceUtil.getOrCreateResource(ResourceUtil.java:571)
{code}

> bundles referenced in sling starter are out of date
> ---
>
> Key: SLING-10143
> URL: https://issues.apache.org/jira/browse/SLING-10143
> Project: Sling
> Issue Type: Improvement
> Components: Starter
> Reporter: Ruben Reusser
> Priority: Major
> Fix For: Starter 12
>
> Attachments:
> 0001-updated-3rd-party-dependencies-of-sling-starter.patch,
> 0002-javax.activation-dependency-needed-to-be-increased.patch,
> 0003-updated-to-latest-sling-bundles-added-missing-felix-.patch
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Would be nice to make sure the sling starter uses the latest bundles - according to
> {code:java}
> mvn versions:display-dependency-updates{code}
> the sling starter is a bit out of date with the dependencies
> {code:java}
> [INFO] The following dependencies in Dependencies have newer versions:
> [INFO] com.composum.nodes:composum-nodes-commons . 2.1.1 -> 2.3.0
> [INFO] com.composum.nodes:composum-nodes-console . 2.1.1 -> 2.3.0
> [INFO] com.composum.nodes:composum-nodes-jslibs .. 2.1.1 -> 2.3.0
> [INFO] com.composum.nodes:composum-nodes-pckgmgr . 2.1.1 -> 2.3.0
> [INFO] com.composum.nodes:composum-nodes-usermgr . 2.1.1 -> 2.3.0
> [INFO] com.fasterxml.jackson.core:jackson-annotations .. 2.11.1 -> 2.12.1
> [INFO] com.fasterxml.jackson.core:jackson-core . 2.11.1 -> 2.12.1
> [INFO] com.fasterxml.jackson.core:jackson-databind . 2.11.1 -> 2.12.1
> [INFO] com.google.guava:guava .. 15.0 -> 30.1-jre
> [INFO] com.h2database:h2-mvstore . 1.4.194 -> 1.4.200
> [INFO] commons-codec:commons-codec . 1.14 -> 1.15
> [INFO] commons-collections:commons-collections 3.2.2 -> 20040616
> [INFO] commons-io:commons-io ... 2.6 -> 2.8.0
> [INFO] io.dropwizard.metrics:metrics-core . 3.2.6 -> 4.2.0-beta.1
> [INFO] org.antlr:antlr4-runtime .. 4.7.2 -> 4.9.1
> [INFO] org.apache.commons:commons-lang3 . 3.9 -> 3.11
> [INFO] org.apache.felix:org.apache.felix.configadmin ... 1.9.16 -> 1.9.20
> [INFO] org.apache.felix:org.apache.felix.eventadmin .. 1.5.0 -> 1.6.2
> [INFO] org.apache.felix:org.apache.felix.http.jetty . 4.0.18 -> 4.1.4
> [INFO] org.apache.felix:org.apache.felix.metatype 1.2.2 -> 1.2.4
> [INFO] org.apache.felix:org.apache.felix.scr ...
[GitHub] [sling-org-apache-sling-starter] reusr1 opened a new pull request #18: SLING-10143: update dependencies to latest release versions
reusr1 opened a new pull request #18: URL: https://github.com/apache/sling-org-apache-sling-starter/pull/18
[GitHub] [sling-org-apache-sling-engine] akankshajain18 commented on pull request #11: SLING-9741|Invalid path decomposition in case of multiple dots
akankshajain18 commented on pull request #11: URL: https://github.com/apache/sling-org-apache-sling-engine/pull/11#issuecomment-780555255 @rombert @bdelacretaz Updated PR, Please review
[GitHub] [sling-org-apache-sling-engine] sonarcloud[bot] removed a comment on pull request #11: SLING-9741|Invalid path decomposition in case of multiple dots
sonarcloud[bot] removed a comment on pull request #11: URL: https://github.com/apache/sling-org-apache-sling-engine/pull/11#issuecomment-777259396

Kudos, SonarCloud Quality Gate passed!

[0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-engine=11=false=BUG)
[0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-engine=11=false=VULNERABILITY)
[0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-engine=11=false=SECURITY_HOTSPOT)
[0 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-engine=11=false=CODE_SMELL)
[86.4% Coverage](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-engine=11=new_coverage=list)
[0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-engine=11=new_duplicated_lines_density=list)
[GitHub] [sling-org-apache-sling-engine] sonarcloud[bot] commented on pull request #11: SLING-9741|Invalid path decomposition in case of multiple dots
sonarcloud[bot] commented on pull request #11: URL: https://github.com/apache/sling-org-apache-sling-engine/pull/11#issuecomment-780549785

Kudos, SonarCloud Quality Gate passed!

[0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-engine=11=false=BUG)
[0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-engine=11=false=VULNERABILITY)
[0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-engine=11=false=SECURITY_HOTSPOT)
[0 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-engine=11=false=CODE_SMELL)
[82.6% Coverage](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-engine=11=new_coverage=list)
[0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-engine=11=new_duplicated_lines_density=list)
[jira] [Resolved] (SLING-10072) Fix Rewriter Tests on Windows
[ https://issues.apache.org/jira/browse/SLING-10072?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Dan Klco resolved SLING-10072. -- Resolution: Fixed Fixed in https://github.com/apache/sling-org-apache-sling-rewriter/commit/09c428d32164921e78d34ff9525d02bc57e74eb8 > Fix Rewriter Tests on Windows > - > > Key: SLING-10072 > URL: https://issues.apache.org/jira/browse/SLING-10072 > Project: Sling > Issue Type: Bug >Affects Versions: Rewriter 1.3.0 >Reporter: Dan Klco >Assignee: Dan Klco >Priority: Minor > Fix For: Version Rewriter 1.3.2 > > Time Spent: 0.5h > Remaining Estimate: 0h > > Rewriter tests fail when run on windows, with the following message: > --- > Test set: org.apache.sling.rewriter.impl.components.Html5SerializerTest > --- > Tests run: 11, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.177 s <<< > FAILURE! - in org.apache.sling.rewriter.impl.components.Html5SerializerTest > org.apache.sling.rewriter.impl.components.Html5SerializerTest.testStartDocument > Time elapsed: 0.147 s <<< FAILURE! > org.junit.ComparisonFailure: > expected:<[] > > but was:<[ > ] > > > at > org.apache.sling.rewriter.impl.components.Html5SerializerTest.testStartDocument(Html5SerializerTest.java:113)
[GitHub] [sling-org-apache-sling-servlets-resolver] sonarcloud[bot] removed a comment on pull request #7: [SLING-9230] - Servlet should not be allowed to register with invalid…
sonarcloud[bot] removed a comment on pull request #7: URL: https://github.com/apache/sling-org-apache-sling-servlets-resolver/pull/7#issuecomment-778710666

SonarCloud Quality Gate failed.

[0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-servlets-resolver=7=false=BUG)
[0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-servlets-resolver=7=false=VULNERABILITY)
[0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-servlets-resolver=7=false=SECURITY_HOTSPOT)
[0 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-servlets-resolver=7=false=CODE_SMELL)
[70.0% Coverage](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-servlets-resolver=7=new_coverage=list)
[0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-servlets-resolver=7=new_duplicated_lines_density=list)
[GitHub] [sling-org-apache-sling-servlets-resolver] sonarcloud[bot] commented on pull request #7: [SLING-9230] - Servlet should not be allowed to register with invalid…
sonarcloud[bot] commented on pull request #7: URL: https://github.com/apache/sling-org-apache-sling-servlets-resolver/pull/7#issuecomment-780542140

SonarCloud Quality Gate failed.

[0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-servlets-resolver=7=false=BUG)
[0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-servlets-resolver=7=false=VULNERABILITY)
[0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-servlets-resolver=7=false=SECURITY_HOTSPOT)
[0 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-servlets-resolver=7=false=CODE_SMELL)
[70.0% Coverage](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-servlets-resolver=7=new_coverage=list)
[0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-servlets-resolver=7=new_duplicated_lines_density=list)
[GitHub] [sling-org-apache-sling-servlets-post] sonarcloud[bot] removed a comment on pull request #11: SLING-10087 convert more persistenceexceptions
sonarcloud[bot] removed a comment on pull request #11: URL: https://github.com/apache/sling-org-apache-sling-servlets-post/pull/11#issuecomment-776708992

SonarCloud Quality Gate failed.

[0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-servlets-post=11=false=BUG)
[0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-servlets-post=11=false=VULNERABILITY)
[0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-servlets-post=11=false=SECURITY_HOTSPOT)
[5 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-servlets-post=11=false=CODE_SMELL)
[0.0% Coverage](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-servlets-post=11=new_coverage=list)
[0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-servlets-post=11=new_duplicated_lines_density=list)
[GitHub] [sling-org-apache-sling-servlets-post] sonarcloud[bot] commented on pull request #11: SLING-10087 convert more persistenceexceptions
sonarcloud[bot] commented on pull request #11: URL: https://github.com/apache/sling-org-apache-sling-servlets-post/pull/11#issuecomment-780541061

SonarCloud Quality Gate failed.

[0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-servlets-post=11=false=BUG)
[0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-servlets-post=11=false=VULNERABILITY)
[0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-servlets-post=11=false=SECURITY_HOTSPOT)
[5 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-servlets-post=11=false=CODE_SMELL)
[0.0% Coverage](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-servlets-post=11=new_coverage=list)
[0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-servlets-post=11=new_duplicated_lines_density=list)
[jira] [Commented] (SLING-10143) bundles referenced in sling starter are out of date
[ https://issues.apache.org/jira/browse/SLING-10143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17285802#comment-17285802 ]

Robert Munteanu commented on SLING-10143:
-
[~enorman] [~reusr1]
- +1 on submitting as a PR, it would make it simpler to review
- +1 on adding the custom rules.xml to the starter project, even if not enabled by default if you prefer

Exceptions are welcome, as:
- for Guava we need to be in lockstep with Oak
- the commons-collection upgrade is bogus
- we have not checked whether newer DropWizard releases work with our metrics bundle

> bundles referenced in sling starter are out of date
> ---
>
> Key: SLING-10143
> URL: https://issues.apache.org/jira/browse/SLING-10143
> Project: Sling
> Issue Type: Improvement
> Components: Starter
> Reporter: Ruben Reusser
> Priority: Major
> Fix For: Starter 12
>
> Attachments:
> 0001-updated-3rd-party-dependencies-of-sling-starter.patch,
> 0002-javax.activation-dependency-needed-to-be-increased.patch,
> 0003-updated-to-latest-sling-bundles-added-missing-felix-.patch
>
>
> Would be nice to make sure the sling starter uses the latest bundles - according to
> {code:java}
> mvn versions:display-dependency-updates{code}
> the sling starter is a bit out of date with the dependencies
> {code:java}
> [INFO] The following dependencies in Dependencies have newer versions:
> [INFO] com.composum.nodes:composum-nodes-commons . 2.1.1 -> 2.3.0
> [INFO] com.composum.nodes:composum-nodes-console . 2.1.1 -> 2.3.0
> [INFO] com.composum.nodes:composum-nodes-jslibs .. 2.1.1 -> 2.3.0
> [INFO] com.composum.nodes:composum-nodes-pckgmgr . 2.1.1 -> 2.3.0
> [INFO] com.composum.nodes:composum-nodes-usermgr . 2.1.1 -> 2.3.0
> [INFO] com.fasterxml.jackson.core:jackson-annotations .. 2.11.1 -> 2.12.1
> [INFO] com.fasterxml.jackson.core:jackson-core . 2.11.1 -> 2.12.1
> [INFO] com.fasterxml.jackson.core:jackson-databind . 2.11.1 -> 2.12.1
> [INFO] com.google.guava:guava .. 15.0 -> 30.1-jre
> [INFO] com.h2database:h2-mvstore . 1.4.194 -> 1.4.200
> [INFO] commons-codec:commons-codec . 1.14 -> 1.15
> [INFO] commons-collections:commons-collections 3.2.2 -> 20040616
> [INFO] commons-io:commons-io ... 2.6 -> 2.8.0
> [INFO] io.dropwizard.metrics:metrics-core . 3.2.6 -> 4.2.0-beta.1
> [INFO] org.antlr:antlr4-runtime .. 4.7.2 -> 4.9.1
> [INFO] org.apache.commons:commons-lang3 . 3.9 -> 3.11
> [INFO] org.apache.felix:org.apache.felix.configadmin ... 1.9.16 -> 1.9.20
> [INFO] org.apache.felix:org.apache.felix.eventadmin .. 1.5.0 -> 1.6.2
> [INFO] org.apache.felix:org.apache.felix.http.jetty . 4.0.18 -> 4.1.4
> [INFO] org.apache.felix:org.apache.felix.metatype 1.2.2 -> 1.2.4
> [INFO] org.apache.felix:org.apache.felix.scr ... 2.1.20 -> 2.1.24
> [INFO] org.apache.felix:org.apache.felix.utils . 1.11.2 -> 1.11.6
> [INFO] org.apache.felix:org.apache.felix.webconsole .. 4.5.0 -> 4.6.0
> [INFO] org.apache.geronimo.specs:geronimo-annotation_1.3_spec 1.1 -> 1.3
> [INFO] org.apache.geronimo.specs:geronimo-atinject_1.0_spec .. 1.1 -> 1.2
> [INFO] org.apache.httpcomponents:httpclient 4.5.10 -> 4.5.13
> [INFO] org.apache.httpcomponents:httpclient-osgi ... 4.5.10 -> 4.5.13
> [INFO] org.apache.httpcomponents:httpcore-osgi . 4.4.12 -> 4.4.14
> [INFO] org.apache.jackrabbit:jackrabbit-data ... 2.20.0 -> 2.21.5
> [INFO] org.apache.jackrabbit:jackrabbit-jcr-commons 2.20.0 -> 2.21.5
> [INFO] org.apache.jackrabbit:jackrabbit-jcr-rmi 2.20.0 -> 2.21.5
> [INFO] org.apache.jackrabbit:jackrabbit-spi 2.20.0 -> 2.21.5
> [INFO] org.apache.jackrabbit:jackrabbit-spi-commons 2.20.0 -> 2.21.5
> [INFO] org.apache.jackrabbit:jackrabbit-webdav . 2.20.0 -> 2.21.5
> [INFO] org.apache.jackrabbit:oak-api ... 1.32.0 -> 1.38.0
> [INFO] org.apache.jackrabbit:oak-authorization-principalbased ...
> [INFO] 1.32.0 -> 1.38.0
> [INFO] org.apache.jackrabbit:oak-blob .. 1.32.0 -> 1.38.0
> [INFO] org.apache.jackrabbit:oak-blob-plugins .. 1.32.0 -> 1.38.0
> [INFO] org.apache.jackrabbit:oak-commons ... 1.32.0 -> 1.38.0
> [INFO]
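An added example, not taken from the Sling project or from the comment's author: a versions-maven-plugin `rules.xml` that encodes the three exceptions listed in the comment above, so that `versions:display-dependency-updates` stops proposing them. The regular expressions and the decision to hide every Guava update are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Hypothetical rules.xml for the versions-maven-plugin (illustration only).
  Pass it to the plugin through its rulesUri parameter, e.g.
    mvn versions:display-dependency-updates -Dmaven.version.rules=file:///path/to/rules.xml
  (the path is a placeholder).
-->
<ruleset xmlns="http://mojo.codehaus.org/versions-maven-plugin/rule/2.0.0"
         comparisonMethod="maven">
  <rules>

    <!-- Guava has to stay in lockstep with Oak, so no update is proposed here.
         Assumption: this hides ALL Guava updates, security fixes included, so
         Guava must be reviewed whenever the Oak version changes. -->
    <rule groupId="com.google.guava" artifactId="guava">
      <ignoreVersions>
        <ignoreVersion type="regex">.*</ignoreVersion>
      </ignoreVersions>
    </rule>

    <!-- The reported "upgrade" 3.2.2 -> 20040616 is a date-stamped legacy
         version that only sorts higher numerically. Ignoring every 8-digit
         date-style version (assumed pattern) also keeps the other legacy
         date stamps from being proposed in its place. -->
    <rule groupId="commons-collections" artifactId="commons-collections">
      <ignoreVersions>
        <ignoreVersion type="regex">^\d{8}$</ignoreVersion>
      </ignoreVersions>
    </rule>

    <!-- DropWizard 4.x has not been checked against the Sling metrics bundle;
         stay on the 3.x line until it has. This also drops 4.2.0-beta.1. -->
    <rule groupId="io.dropwizard.metrics" artifactId="metrics-core">
      <ignoreVersions>
        <ignoreVersion type="regex">^4\..*</ignoreVersion>
      </ignoreVersions>
    </rule>

  </rules>
</ruleset>
```

Each rule is scoped to a single groupId/artifactId so that a suppression for one artifact cannot mask updates for another.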
[jira] [Updated] (SLING-10146) Document package handling modes
[ https://issues.apache.org/jira/browse/SLING-10146?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Timothee Maret updated SLING-10146: --- Description: Journal based distribution supports different package handling modes, see [https://github.com/apache/sling-org-apache-sling-distribution-journal/blob/master/src/main/java/org/apache/sling/distribution/journal/bookkeeper/PackageHandling.java] We should document those modes in [https://sling.apache.org/documentation/bundles/content-distribution.html] and provide examples on how the modes can be used. The typical example is distributing a large tree with a single content package. The package is built using FileVault APIs and distributed as a payload which gets auto-installed at the destination. was:Journal based distribution supports different > Document package handling modes > > > Key: SLING-10146 > URL: https://issues.apache.org/jira/browse/SLING-10146 > Project: Sling > Issue Type: Improvement > Components: Content Distribution >Affects Versions: Content Distribution Core 0.4.2 >Reporter: Timothee Maret >Priority: Major > > Journal based distribution supports different package handling modes, see > [https://github.com/apache/sling-org-apache-sling-distribution-journal/blob/master/src/main/java/org/apache/sling/distribution/journal/bookkeeper/PackageHandling.java] > > We should document those modes in > [https://sling.apache.org/documentation/bundles/content-distribution.html] > and provide examples on how the modes can be used. > The typical example is distributing a large tree with a single content > package. The package is built using FileVault APIs and distributed as a > payload which gets auto-installed at the destination.
[jira] [Updated] (SLING-10146) Document package handling modes
[ https://issues.apache.org/jira/browse/SLING-10146?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Timothee Maret updated SLING-10146: --- Description: Journal based distribution supports different (was: The existing documentation https://sling.apache.org/documentation/bundles/content-distribution.html#events is not complete. We should add the properties contained in the events and an example showing how to use events to distribute content and be notified about the status.) > Document package handling modes > > > Key: SLING-10146 > URL: https://issues.apache.org/jira/browse/SLING-10146 > Project: Sling > Issue Type: Improvement > Components: Content Distribution >Affects Versions: Content Distribution Core 0.4.2 >Reporter: Timothee Maret >Priority: Major > > Journal based distribution supports different
[jira] [Created] (SLING-10146) Document package handling modes
Timothee Maret created SLING-10146:
--
Summary: Document package handling modes
Key: SLING-10146
URL: https://issues.apache.org/jira/browse/SLING-10146
Project: Sling
Issue Type: Improvement
Components: Content Distribution
Affects Versions: Content Distribution Core 0.4.2
Reporter: Timothee Maret

The existing documentation https://sling.apache.org/documentation/bundles/content-distribution.html#events is not complete. We should add the properties contained in the events and an example showing how to use events to distribute content and be notified about the status.
[GitHub] [sling-org-apache-sling-engine] rombert commented on a change in pull request #11: SLING-9741|Invalid path decomposition in case of multiple dots
rombert commented on a change in pull request #11: URL: https://github.com/apache/sling-org-apache-sling-engine/pull/11#discussion_r577481888 ## File path: src/main/java/org/apache/sling/engine/impl/request/RequestData.java ## @@ -520,6 +522,11 @@ public static void service(SlingHttpServletRequest request, SlingHttpServletResponse response) throws IOException, ServletException { +if(!isValidRequest(request.getPathInfo())){ +response.sendError(HttpServletResponse.SC_BAD_REQUEST, +"Malformed request syntax"); Review comment: Don't you need a return here as well? ## File path: src/main/java/org/apache/sling/engine/impl/request/RequestData.java ## @@ -563,6 +570,24 @@ public static void service(SlingHttpServletRequest request, } } +protected static boolean isValidRequest(String path){ +boolean isValidRequest = true; +if(path.contains("...")){ //any occurrence "..." will mark request invalid Review comment: nit: formatting is off compared to the rest of the file, e.g. - single white space after `if` - whitespace before opening brace - `{` ## File path: src/main/java/org/apache/sling/engine/impl/request/RequestData.java ## @@ -563,6 +570,24 @@ public static void service(SlingHttpServletRequest request, } } +protected static boolean isValidRequest(String path){ +boolean isValidRequest = true; +if(path.contains("...")){ //any occurrence "..." will mark request invalid +isValidRequest = false; +}else { +//consecutive dots will be treated as Invalid request except "/.." Review comment: This would be better as a method javadoc ## File path: src/main/java/org/apache/sling/engine/impl/request/RequestData.java ## 
@@ -563,6 +570,24 @@ public static void service(SlingHttpServletRequest request, } } +protected static boolean isValidRequest(String path){ Review comment: This is only protected for testing purposes, right? Then I suggest we make this package-private since it's narrower in scope. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
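Review bot: In the `service` hunk (@@ -520,6 +522,11 @@), `request.getPathInfo()` is handed to `isValidRequest` unchecked, and the first thing the helper does is call `path.contains("...")`. The Servlet API allows `getPathInfo()` to return null when the request carries no extra path information, so such a request would end in a NullPointerException rather than a normal response. Guard the call site, or have the helper treat a null path as valid, and add a test for the null case.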
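Review bot: In the `isValidRequest` hunk (@@ -563,6 +570,24 @@), `path.contains("...")` is a substring test over the whole path, so it also rejects three dots inside a single name such as `/content/a...b.html`, not only segments made up of dots. If that breadth is intended, say so in the method Javadoc and add a test for such a name; if only dot-only segments should be refused, check each segment after splitting on `/`. The local `isValidRequest` flag also shadows the method name, and returning directly from each branch would read more clearly.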
Re: [VOTE] Release Apache Sling Repoinit JCR V1.1.34
+1

regards,

Karl

On Wed, Feb 17, 2021 at 9:51 AM Robert Munteanu wrote:
>
> On Tue, 2021-02-16 at 15:43 +0100, Bertrand Delacretaz wrote:
> > Please vote to approve this release:
>
> +1
> Robert

--
Karl Pauls
karlpa...@gmail.com
[GitHub] [sling-org-apache-sling-engine] bdelacretaz commented on pull request #11: SLING-9741|Invalid path decomposition in case of multiple dots
bdelacretaz commented on pull request #11:
URL: https://github.com/apache/sling-org-apache-sling-engine/pull/11#issuecomment-780412434

Sorry to bring in yet another opinion but I think the tests can be written in a more concise way, with better failure messages, instead of:

    boolean isValid = RequestData.isValidRequest("/path/content../test");
    assertFalse(isValid);

something like:

    private static void assertValidRequest(boolean expected, String path) {
        assertEquals(
            "Expected " + expected + " for " + path,
            expected,
            RequestData.isValidRequest(path)
        );
    }

And then use

    assertValidRequest(false, "/path/content../test");
    assertValidRequest(true, "/path/which.is.valid");

for the repeated tests.
Re: [VOTE] Release Apache Sling Repoinit JCR V1.1.34
On Tue, 2021-02-16 at 15:43 +0100, Bertrand Delacretaz wrote:
> Please vote to approve this release:

+1

Robert
Re: [VOTE] Release Apache Sling Repoinit JCR V1.1.34
+1

Carsten

On 16.02.2021 at 15:43, Bertrand Delacretaz wrote:
Hi,

We solved 1 issue in this release:
https://issues.apache.org/jira/projects/SLING/versions/12349702

Sorry about the back-to-back release, I overlooked that one in last week's release.

Staging repository:
https://repository.apache.org/content/repositories/orgapachesling-2412/

You can use this UNIX script to download the release and verify the signatures:
https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD

Usage:
sh check_staged_release.sh 2412 /tmp/sling-staging

Please vote to approve this release:

[ ] +1 Approve the release
[ ] 0 Don't care
[ ] -1 Don't release, because ...

This majority vote is open for at least 72 hours.

Here's my +1

-Bertrand

--
Carsten Ziegeler
Adobe Research Switzerland
cziege...@apache.org
[GitHub] [sling-org-apache-sling-engine] cziegeler commented on pull request #11: SLING-9741|Invalid path decomposition in case of multiple dots
cziegeler commented on pull request #11:
URL: https://github.com/apache/sling-org-apache-sling-engine/pull/11#issuecomment-780397694

Lgtm, thanks