Re: [VOTE] SLING-10147 Require WebConsoleSecurityProvider2 service to exist?

2021-02-25 Thread Konrad Windszus
I am fine with both solutions but I have a slight preference for A. 
I am not sure that every WebConsoleSecurityProvider2 implementation works if 
called inside Sling. Some filters or request dispatcher includes may lead to 
hiding the credentials, so that the authenticate method may return false 
although the user is in fact authenticated.
Thanks for trying to solve this,
Konrad


> On 24. Feb 2021, at 22:00, Eric Norman  wrote:
> 
> RE: SLING-10147 - scripting variables implementation details are exposed
> to not authorized users
> 
> The comments from the issue have revealed different opinions on the best
> way to solve this.  You may review the comments in jira for the details.
> 
> I have prepared 2 pull requests with an attempt at a solution for the 2
> different approaches for your consideration:
> 
> A. PR #5 - works with or without WebConsoleSecurityProvider2 service
> existing, but is a more complex implementation with more code.
> 
> B. PR #7 - requires WebConsoleSecurityProvider2 service to exist but is a
> simpler implementation with less code.
> 
> 
> Please vote to express your preference:
> 
>  [ ] +1A Approve the solution from PR #5
>  [ ] +1B Approve the solution from PR #7
>  [ ]  0 Don't care
>  [ ] -1 Neither solution, because ...
> 
> This majority vote is open for at least 72 hours.
> 
> Regards,
> Eric Norman



[GitHub] [sling-org-apache-sling-jcr-resource] henrykuijpers commented on a change in pull request #7: Update to latest parent 38, implement healthcheck

2021-02-25 Thread GitBox


henrykuijpers commented on a change in pull request #7:
URL: https://github.com/apache/sling-org-apache-sling-jcr-resource/pull/7#discussion_r582621274



##
File path: 
src/main/java/org/apache/sling/jcr/resource/internal/JcrSystemUserValidator.java
##
@@ -52,11 +55,13 @@
  * @see org.apache.jackrabbit.api.security.user.User#isSystemUser()
  */
 @Designate(ocd = JcrSystemUserValidator.Config.class)
-@Component(service = {ServiceUserValidator.class, 
ServicePrincipalsValidator.class},
+@Component(service = {ServiceUserValidator.class, 
ServicePrincipalsValidator.class, HealthCheck.class},
property = {
-   Constants.SERVICE_VENDOR + "=The Apache Software Foundation"
+   Constants.SERVICE_VENDOR + "=The Apache Software 
Foundation",
+   "hc.name=JCR SystemUser Validator Healthcheck",
+   "hc.tags={system,jcr}"
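
Review bot: in the `property` array, `"hc.tags={system,jcr}"` is a single `name=value` element, so the component would carry one tag whose value is the literal string `{system,jcr}`, and selecting health checks by the tag `system` or `jcr` would not find it. Give each tag its own element under the same `hc.tags` name. The Javadoc context visible above `@Designate` also gains no text for the new `HealthCheck.class` registration; a sentence on what the check reports would help.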

Review comment:
   This should probably be
   ```
   "hc.tags=system",
   "hc.tags=jcr"
   ```
   instead





This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




[jira] [Issue Comment Deleted] (SLING-10159) Handle framework properties after the feature is processed

2021-02-25 Thread Muzaffar Nurmukhammadov (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10159?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Muzaffar Nurmukhammadov updated SLING-10159:

Comment: was deleted

(was: [~cziegeler] Unit test would not be sufficient here, but I am not aware 
of how one can run Integration Tests using *sling-feature-launcher*. We use 
*pax-container-native*, but this is not the case here. If there is a sample 
IntegrationTest that runs on *sling-feature-launcher* I would appreciate it if 
you can point me to it. 

Our use case is really simple, we defined 
*org.osgi.framework.startlevel.beginning* in the *feature.json* and we want to 
control this property. But since it retrieves the empty map (before parsing the 
feature) and assigns the default property value, our value is ignored here.)

> Handle framework properties after the feature is processed
> --
>
> Key: SLING-10159
> URL: https://issues.apache.org/jira/browse/SLING-10159
> Project: Sling
>  Issue Type: Bug
>  Components: Feature Model
>Reporter: Muzaffar Nurmukhammadov
>Priority: Major
> Fix For: Feature Model Launcher 1.1.18
>
> Attachments: 108997486-f0659980-769f-11eb-8cd4-db3f84f1b797.png, 
> Capture.PNG
>
>
> [https://github.com/apache/sling-org-apache-sling-feature-launcher/pull/15]
>  
> OSGi properties are being handled before 
> {{_Installation#getFrameworkProperties()_}} is populated by parsing the 
> Feature files using _{{FeatureProcessor#prepareLauncher()}}_.
> E.g. specifying framework properties such as 
> *org.osgi.framework.startlevel.beginning* and *org.osgi.framework.storage* in 
> *feature.json* file has no effect, the default values are used. These 
> properties should be read from the feature
>  
> In the *{{prepare()}}* method *{{installation.getFrameworkProperties()}}* is 
> empty.
> The duplicate code exists in the *{{run()}}* method, which is correct.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Created] (SLING-10162) Fix javadoc in sling.auth.core

2021-02-25 Thread Angela Schreiber (Jira)
Angela Schreiber created SLING-10162:


 Summary: Fix javadoc in sling.auth.core
 Key: SLING-10162
 URL: https://issues.apache.org/jira/browse/SLING-10162
 Project: Sling
  Issue Type: Improvement
  Components: Authentication
Reporter: Angela Schreiber


executing mvn javadoc:javadoc for sling.auth.core fails with java 11 and logs 
warnings with java 8.

i also noticed a bunch of broken javadoc links in 
{{org.apache.sling.auth.core.impl.SlingAuthenticator}}.





[jira] [Created] (SLING-10163) Improve test coverage with sling.auth.core

2021-02-25 Thread Angela Schreiber (Jira)
Angela Schreiber created SLING-10163:


 Summary: Improve test coverage with sling.auth.core
 Key: SLING-10163
 URL: https://issues.apache.org/jira/browse/SLING-10163
 Project: Sling
  Issue Type: Improvement
  Components: Authentication
Reporter: Angela Schreiber


according to 
https://sonarcloud.io/dashboard?id=apache_sling-org-apache-sling-auth-core the 
current code coverage is just 29%. for a bundle as crucial as the sling 
authentication code base, this should be heavily increased and should in 
particular provide full coverage for those parts that are critical for the 
overall stability and performance. afaik there are pieces in the 
{{SlingAuthenticator}} that look weird but cannot be touched without 
introducing major regressions. 





Re: Cleanup of dist (https://dist.apache.org/repos/dist/release/sling/)

2021-02-25 Thread Bertrand Delacretaz
Hi,

On Wed, Feb 24, 2021 at 7:24 PM Konrad Windszus  wrote:
> currently we do have almost 6k files directly below 
> https://dist.apache.org/repos/dist/release/sling/
> which makes handling with SVN really hard in that directory

Using the "Quick update of artifacts in dist" instructions that I
suggested a while ago at [1], I don't find it hard to work with that
folder, and creating a script to do that in an even easier way
shouldn't be too hard.

What exact problems are you seeing?

BTW in case someone is wondering, we have about 300 modules and 20
files per release, so 6k files is expected.

-Bertrand

[1] 
https://sling.apache.org/documentation/development/release-management.html#quick-update-of-artifacts-in-dist-1


RE: No OSGi SCR metadata in Unit Tests

2021-02-25 Thread Stefan Seifert
it should work quite out-of-the-box with bnd-maven-plugin integrated into the 
maven build, with an execution for the bnd-process goal. [1] shows a rather 
full-featured example, but you do not need all this for simple use cases.

some IDEs may have problems generating the OSGi metadata during the build 
right away, test it first on the command line. IntelliJ IDEA and Eclipse should 
basically work fine.

stefan

[1] 
https://github.com/wcm-io/wcm-io-tooling/blob/23b28c1795a0dba9f5e51c429eecea102ae8e289/maven/aem-global-parent/pom.xml#L246-L306

>-Original Message-
>From: Cris Rockwell 
>Sent: Thursday, February 25, 2021 12:18 AM
>To: dev@sling.apache.org
>Subject: No OSGi SCR metadata in Unit Tests
>
>Hi, I have a problem getting a resource resolver factory working in my unit
>tests. The error looks like this
>
>org.apache.sling.testing.mock.osgi.NoScrMetadataException: No OSGi SCR
>metadata found for class
>org.apache.sling.api.resource.ResourceResolverFactory
>
>My code looks like this
>@Test
>public void test_authn_request(){
>BundleContext bundleContext = MockOsgi.newBundleContext();
>ResourceResolverFactory mockFactory =
>Mockito.mock(ResourceResolverFactory.class);
>MockOsgi.injectServices(mockFactory, bundleContext); //fails
>
>
>...
>}
>https://github.com/apache/sling-whiteboard/blob/SLING-9397/improve-test-coverage/saml-handler/src/test/java/org/apache/sling/auth/saml2/impl/OsgiSamlTest.java#L113
>
>
>It’s a similar issue mentioned in
>https://issues.apache.org/jira/browse/SLING-7182
>The comment in SLING-7182 suggests the maven-bundle-plugin configs
>
>http://felix.apache.org/documentation/faqs/apache-felix-bundle-plugin-faq.html#use-scr-metadata-generated-by-bnd-in-unit-tests
>
>My project uses bnd-maven-plugin (not maven-bundle-plugin), so I’m asking
>if anyone has examples of bnd.bnd or pom.xml examples that show how to
>configure that for bnd-maven-plugin. Or perhaps other suggestions that will
>help clear this error...
>
>Thank you!
>Cris
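
The setup described in the reply above, as an added example that is not part of the original thread or of the linked wcm.io parent POM: a minimal `pom.xml` fragment that binds the bnd-maven-plugin `bnd-process` goal so the SCR descriptors are written to `target/classes` before the unit tests run. The `bnd.version` property is an assumption and has to be defined in your own POM.

```xml
<build>
  <plugins>
    <!-- bnd-process runs in the process-classes phase by default and writes
         META-INF/MANIFEST.MF and OSGI-INF/*.xml (the SCR metadata) into
         target/classes, which is on the surefire test classpath. -->
    <plugin>
      <groupId>biz.aQute.bnd</groupId>
      <artifactId>bnd-maven-plugin</artifactId>
      <!-- assumption: bnd.version is a property you define yourself -->
      <version>${bnd.version}</version>
      <executions>
        <execution>
          <id>bnd-process</id>
          <goals>
            <goal>bnd-process</goal>
          </goals>
        </execution>
      </executions>
    </plugin>

    <!-- Package the manifest that bnd generated instead of a default one,
         so the built bundle and the test classpath see the same metadata. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-jar-plugin</artifactId>
      <configuration>
        <archive>
          <manifestFile>${project.build.outputDirectory}/META-INF/MANIFEST.MF</manifestFile>
        </archive>
      </configuration>
    </plugin>
  </plugins>
</build>
```

After `mvn clean test` on the command line, `target/classes/OSGI-INF/` should contain one XML descriptor per `@Component` class in the module.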



[GitHub] [sling-site] bdelacretaz commented on pull request #55: download binaries (incl. hashes and signatures) from ASF Maven

2021-02-25 Thread GitBox


bdelacretaz commented on pull request #55:
URL: https://github.com/apache/sling-site/pull/55#issuecomment-785728056


   Ok, I have commented on our dev list - I ask that you do not merge this PR 
for now, while we discuss there. I think it's good to use the ASF mirrors for 
all downloads and as mentioned there I don't really see the problem with svn.







[jira] [Created] (SLING-10164) Add basic metrics to SlingAuthenticator

2021-02-25 Thread Angela Schreiber (Jira)
Angela Schreiber created SLING-10164:


 Summary: Add basic metrics to SlingAuthenticator
 Key: SLING-10164
 URL: https://issues.apache.org/jira/browse/SLING-10164
 Project: Sling
  Issue Type: New Feature
  Components: Authentication
Reporter: Angela Schreiber


IMHO it would be good to capture some basic metrics in {{SlingAuthenticator}} 
that allow to monitor overall login performance and success/failures.





Re: Cleanup of dist (https://dist.apache.org/repos/dist/release/sling/)

2021-02-25 Thread Konrad Windszus


> What exact problems are you seeing?

https://issues.apache.org/jira/browse/SLING-10153
https://issues.apache.org/jira/browse/SLING-10152
https://issues.apache.org/jira/browse/SLING-10151

In general I doubt that dist is very often used for downloading binaries and I 
want to reduce effort for doing releases.
It is close to impossible to detect issues like these with 6k files without 
tooling

Konrad



[jira] [Commented] (SLING-10147) scripting variables implementation details are exposed to not authorized users

2021-02-25 Thread Julian Sedding (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17290791#comment-17290791
 ] 

Julian Sedding commented on SLING-10147:


[~enorman] it seems I didn't explain my suggestion clearly. Of course it makes 
little sense to implement a {{WebConsoleSecurityProvider}} in 
{{scripting.core}}. What I tried to suggest was a modification to the 
web-console itself (i.e. in the Apache Felix project), whereby its current 
default authentication mechanism is refactored into a default 
{{WebConsoleSecurityProvider}} and also exposed as a service. It could 
unregister the default {{WebConsoleSecurityProvider}} when another one is 
registered as a service. With such a change to the web-console, you could rely 
on the presence of a {{WebConsoleSecurityProvider}} in your changes to 
{{scripting.core}}.

> scripting variables implementation details are exposed to not authorized users
> --
>
> Key: SLING-10147
> URL: https://issues.apache.org/jira/browse/SLING-10147
> Project: Sling
>  Issue Type: Bug
>Reporter: Eric Norman
>Assignee: Eric Norman
>Priority: Major
> Fix For: Scripting Core 2.3.6
>
>  Time Spent: 4h 10m
>  Remaining Estimate: 0h
>
> The ".SLING_availablebindings.json" selector is registered at 
> /apps/sling/servlet/default and the usage on all resources is not protected 
> by any security checks.  The information returned contains implementation 
> details that a regular user should not need to know and could be considered 
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables" 
> webconsole plugin, I would expect that it should require the same security 
> checking that would be needed to access the webconsole.
>  





[GitHub] [sling-site] kwin commented on a change in pull request #55: download binaries (incl. hashes and signatures) from ASF Maven

2021-02-25 Thread GitBox


kwin commented on a change in pull request #55:
URL: https://github.com/apache/sling-site/pull/55#discussion_r582653800



##
File path: src/main/jbake/templates/downloads.tpl
##
@@ -324,6 +324,19 @@ def downloadLink(label, artifact, version, suffix) {
newLine()
 }
 
+def mavenDownloadLink(label, artifact, version, suffix) {
+   def path = "${artifact}/${version}/${artifact}-${version}${suffix}"
+   def base = 
"https://repository.apache.org/content/repositories/releases/org/apache/sling/";

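Review bot: `base` in `mavenDownloadLink` hard-codes both the repository host and the `org/apache/sling/` group path inside the function body, so a later change of download host means editing the helper itself, and an artifact published under another group path cannot be linked. Consider moving the base URL to a single template-level definition, and add a comment stating which `suffix` values are expected for the hash and signature links named in the PR title so a reader can check that each binary link has its verification links.
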
Review comment:
   We need to point to Maven Central instead
   
   > Projects must not point or refer to repository.apache.org directly in 
download pages, release announcements or emails. Instead, any public download 
links for those releases should point to Maven Central.
   
   (https://infra.apache.org/release-distribution.html#maven)









[jira] [Created] (SLING-10165) Add nullable/notnull annotations to sling.auth.core

2021-02-25 Thread Angela Schreiber (Jira)
Angela Schreiber created SLING-10165:


 Summary: Add nullable/notnull annotations to sling.auth.core 
 Key: SLING-10165
 URL: https://issues.apache.org/jira/browse/SLING-10165
 Project: Sling
  Issue Type: Improvement
  Components: Authentication
Reporter: Angela Schreiber


the code in the {{sling.auth.core}} module would IMHO benefit from 
notnull/nullability annotations.





[jira] [Assigned] (SLING-10160) Create source-release.zip for pom artifacts

2021-02-25 Thread Konrad Windszus (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10160?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Konrad Windszus reassigned SLING-10160:
---

Assignee: Konrad Windszus

> Create source-release.zip for pom artifacts
> ---
>
> Key: SLING-10160
> URL: https://issues.apache.org/jira/browse/SLING-10160
> Project: Sling
>  Issue Type: Improvement
>  Components: General
>Reporter: Konrad Windszus
>Assignee: Konrad Windszus
>Priority: Major
> Fix For: Parent 41, Bundle Parent 41
>
>
> All our parent pom.xml releases should be accompanied by a source-release.zip 
> as well similar to what Maven is providing in 
> https://dist.apache.org/repos/dist/release/maven/pom/.





[jira] [Created] (SLING-10166) Fix vulnerabilities, bugs and code smells reported by Sonar

2021-02-25 Thread Angela Schreiber (Jira)
Angela Schreiber created SLING-10166:


 Summary: Fix vulnerabilities, bugs and code smells reported by Sonar
 Key: SLING-10166
 URL: https://issues.apache.org/jira/browse/SLING-10166
 Project: Sling
  Issue Type: Bug
  Components: Authentication
Reporter: Angela Schreiber


Sonar reports 8 security issues, 8 vulnerabilities and 111 Code smells for the 
{{sling.auth.core}} module including 1 blocker, 19 critical and 40 major 
issues. 
Since the sling authentication code base is IMO quite a crucial part of Sling, 
it is worth investing a bit of energy into maintenance.





Re: No OSGi SCR metadata in Unit Tests

2021-02-25 Thread Roy Teeuwen
Interesting that you mention IntelliJ, Stefan? Because if I wouldn't do a mvn 
install first before executing the unit tests from the IntelliJ junit run 
configuration, it will fail with the exact reason stated. Is there an easy way 
in IntelliJ to get those OSGi SCR xmls in a junit run configuration without 
having to trigger a maven install / bundle execution plugin first? 

> On 25 Feb 2021, at 09:48, Stefan Seifert  
> wrote:
> 
> it should work quite out-of-the-box with bnd-maven-plugin integrated into the 
> maven build, with an execution for the bnd-process goal. [1] shows a rather 
> full-featured example, but you do not need all this for simple use cases.
> 
> some IDEs may have problems generating the OSGi metadata during the build 
> right away, test it first on the command line. IntelliJ IDEA and Eclipse 
> should basically work fine.
> 
> stefan
> 
> [1] 
> https://github.com/wcm-io/wcm-io-tooling/blob/23b28c1795a0dba9f5e51c429eecea102ae8e289/maven/aem-global-parent/pom.xml#L246-L306
> 
>> -Original Message-
>> From: Cris Rockwell 
>> Sent: Thursday, February 25, 2021 12:18 AM
>> To: dev@sling.apache.org
>> Subject: No OSGi SCR metadata in Unit Tests
>> 
>> Hi, I have a problem getting a resource resolver factory working in my unit
>> tests. The error looks like this
>> 
>> org.apache.sling.testing.mock.osgi.NoScrMetadataException: No OSGi SCR
>> metadata found for class
>> org.apache.sling.api.resource.ResourceResolverFactory
>> 
>> My code looks like this
>>   @Test
>>   public void test_authn_request(){
>>   BundleContext bundleContext = MockOsgi.newBundleContext();
>>   ResourceResolverFactory mockFactory =
>> Mockito.mock(ResourceResolverFactory.class);
>>   MockOsgi.injectServices(mockFactory, bundleContext); //fails
>> 
>> 
>> ...
>>   }
>> https://github.com/apache/sling-whiteboard/blob/SLING-9397/improve-test-coverage/saml-handler/src/test/java/org/apache/sling/auth/saml2/impl/OsgiSamlTest.java#L113
>> 
>> 
>> It’s a similar issue mentioned in
>> https://issues.apache.org/jira/browse/SLING-7182
>> The comment in SLING-7182 suggests the maven-bundle-plugin configs
>> 
>> http://felix.apache.org/documentation/faqs/apache-felix-bundle-plugin-faq.html#use-scr-metadata-generated-by-bnd-in-unit-tests
>> 
>> My project uses bnd-maven-plugin (not maven-bundle-plugin), so I’m asking
>> if anyone has examples of bnd.bnd or pom.xml examples that show how to
>> configure that for bnd-maven-plugin. Or perhaps other suggestions that will
>> help clear this error...
>> 
>> Thank you!
>> Cris
> 



[GitHub] [sling-parent] kwin opened a new pull request #15: SLING-10160 generate source-release.zip for both parent poms

2021-02-25 Thread GitBox


kwin opened a new pull request #15:
URL: https://github.com/apache/sling-parent/pull/15


   







RE: No OSGi SCR metadata in Unit Tests

2021-02-25 Thread Stefan Seifert
to be honest i have very little knowledge on the IntelliJ side as i'm mostly 
an eclipse user.
i tried it today in IntelliJ and it worked, probably because the generated 
metadata was already there.
perhaps a more experienced IntelliJ user can provide more information here.

stefan

>-Original Message-
>From: Roy Teeuwen 
>Sent: Thursday, February 25, 2021 10:38 AM
>To: Sling Developers 
>Subject: Re: No OSGi SCR metadata in Unit Tests
>
>Interesting that you mention IntelliJ, Stefan? Because if I wouldn't do a
>mvn install first before executing the unit tests from the IntelliJ junit
>run configuration, it will fail with the exact reason stated. Is there an
>easy way in IntelliJ to get those OSGi SCR xmls in a junit run
>configuration without having to trigger a maven install / bundle
>execution plugin first?
>
>> On 25 Feb 2021, at 09:48, Stefan Seifert wrote:
>>
>> it should work quite out-of-the-box with bnd-maven-plugin integrated into
>> the maven build, with an execution for the bnd-process goal. [1] shows a
>> rather full-featured example, but you do not need all this for simple use
>> cases.
>>
>> some IDEs may have problems generating the OSGi metadata during the build
>> right away, test it first on the command line. IntelliJ IDEA and Eclipse
>> should basically work fine.
>>
>> stefan
>>
>> [1] https://github.com/wcm-io/wcm-io-tooling/blob/23b28c1795a0dba9f5e51c429eecea102ae8e289/maven/aem-global-parent/pom.xml#L246-L306
>>
>>> -Original Message-
>>> From: Cris Rockwell 
>>> Sent: Thursday, February 25, 2021 12:18 AM
>>> To: dev@sling.apache.org
>>> Subject: No OSGi SCR metadata in Unit Tests
>>>
>>> Hi, I have a problem getting a resource resolver factory working in my
>>> unit tests. The error looks like this
>>>
>>> org.apache.sling.testing.mock.osgi.NoScrMetadataException: No OSGi SCR
>>> metadata found for class
>>> org.apache.sling.api.resource.ResourceResolverFactory
>>>
>>> My code looks like this
>>>   @Test
>>>   public void test_authn_request(){
>>>   BundleContext bundleContext = MockOsgi.newBundleContext();
>>>   ResourceResolverFactory mockFactory =
>>> Mockito.mock(ResourceResolverFactory.class);
>>>   MockOsgi.injectServices(mockFactory, bundleContext); //fails
>>>
>>>
>>> ...
>>>   }
>>> https://github.com/apache/sling-whiteboard/blob/SLING-9397/improve-test-coverage/saml-handler/src/test/java/org/apache/sling/auth/saml2/impl/OsgiSamlTest.java#L113
>>>
>>>
>>> It’s a similar issue mentioned in
>>> https://issues.apache.org/jira/browse/SLING-7182
>>> The comment in SLING-7182 suggests the maven-bundle-plugin configs
>>>
>>> http://felix.apache.org/documentation/faqs/apache-felix-bundle-plugin-faq.html#use-scr-metadata-generated-by-bnd-in-unit-tests
>>>
>>> My project uses bnd-maven-plugin (not maven-bundle-plugin), so I’m
>>> asking if anyone has examples of bnd.bnd or pom.xml examples that show
>>> how to configure that for bnd-maven-plugin. Or perhaps other suggestions
>>> that will help clear this error...
>>>
>>> Thank you!
>>> Cris
>>



Re: Cleanup of dist (https://dist.apache.org/repos/dist/release/sling/)

2021-02-25 Thread Bertrand Delacretaz
On Thu, Feb 25, 2021 at 9:54 AM Konrad Windszus  wrote:
>... It is close to impossible to detect issues like these with 6k files 
>without tooling.

Assuming we have 300 modules, the minimum number of files in there is
N*300 which IMHO doesn't work anyway for manual inspection. At least
not at my age ;-)

If we need sanity checks on that dist folder I think they must be done
in code, either scripts or a new Maven plugin, WDYT?

-Bertrand


Re: [VOTE] SLING-10147 Require WebConsoleSecurityProvider2 service to exist?

2021-02-25 Thread Bertrand Delacretaz
Hi Eric,

Thanks for presenting both options!

On Wed, Feb 24, 2021 at 10:00 PM Eric Norman  wrote:
...
> B. PR #7
> 
...

>   [X ] +1B Approve the solution from PR #7 ..

I'm in favor of that one as it's less code. The only downside is that
the corresponding webconsole page will not work if the
WebConsoleSecurity service is not present, but I don't think that
matters for this particular page.

-Bertrand


[GitHub] [sling-parent] sonarcloud[bot] commented on pull request #15: SLING-10160 generate source-release.zip for both parent poms

2021-02-25 Thread GitBox


sonarcloud[bot] commented on pull request #15:
URL: https://github.com/apache/sling-parent/pull/15#issuecomment-785801590


   Kudos, SonarCloud Quality Gate passed!

   [0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-parent&pullRequest=15&resolved=false&types=BUG)
   [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-parent&pullRequest=15&resolved=false&types=VULNERABILITY)
   [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-parent&pullRequest=15&resolved=false&types=SECURITY_HOTSPOT)
   [0 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-parent&pullRequest=15&resolved=false&types=CODE_SMELL)

   No Coverage information
   [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-parent&pullRequest=15&metric=new_duplicated_lines_density&view=list)







[jira] [Updated] (SLING-10164) Add basic metrics to SlingAuthenticator

2021-02-25 Thread Angela Schreiber (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10164?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Angela Schreiber updated SLING-10164:
-
Attachment: SLING-10164.patch

> Add basic metrics to SlingAuthenticator
> ---
>
> Key: SLING-10164
> URL: https://issues.apache.org/jira/browse/SLING-10164
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
>Reporter: Angela Schreiber
>Priority: Major
> Attachments: SLING-10164.patch
>
>
> IMHO it would be good to capture some basic metrics in {{SlingAuthenticator}} 
> that allow to monitor overall login performance and success/failures.





[jira] [Commented] (SLING-10159) Handle framework properties after the feature is processed

2021-02-25 Thread Carsten Ziegeler (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17290842#comment-17290842
 ] 

Carsten Ziegeler commented on SLING-10159:
--

Maybe we could reduce the change to just not set  
org.osgi.framework.startlevel.beginning and org.osgi.framework.storage ?

> Handle framework properties after the feature is processed
> --
>
> Key: SLING-10159
> URL: https://issues.apache.org/jira/browse/SLING-10159
> Project: Sling
>  Issue Type: Bug
>  Components: Feature Model
>Reporter: Muzaffar Nurmukhammadov
>Priority: Major
> Fix For: Feature Model Launcher 1.1.18
>
> Attachments: 108997486-f0659980-769f-11eb-8cd4-db3f84f1b797.png, 
> Capture.PNG
>
>
> [https://github.com/apache/sling-org-apache-sling-feature-launcher/pull/15]
>  
> OSGi properties are being handled before 
> {{_Installation#getFrameworkProperties()_}} is populated by parsing the 
> Feature files using _{{FeatureProcessor#prepareLauncher()}}_.
> E.g. specifying framework properties such as 
> *org.osgi.framework.startlevel.beginning* and *org.osgi.framework.storage* in 
> *feature.json* file has no effect, the default values are used. These 
> properties should be read from the feature
>  
> In the *{{prepare()}}* method *{{installation.getFrameworkProperties()}}* is 
> empty.
> The duplicate code exists in the *{{run()}}* method, which is correct.





[jira] [Commented] (SLING-10164) Add basic metrics to SlingAuthenticator

2021-02-25 Thread Angela Schreiber (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10164?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17290843#comment-17290843
 ] 

Angela Schreiber commented on SLING-10164:
--

[~cziegeler], as discussed. very basic (and untested) draft patch attached 
introducing 3 metrics: time spent in doHandleSecurity, meter for failure and 
success. hope that helps illustrating what this feature request is about.

> Add basic metrics to SlingAuthenticator
> ---
>
> Key: SLING-10164
> URL: https://issues.apache.org/jira/browse/SLING-10164
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
>Reporter: Angela Schreiber
>Priority: Major
> Attachments: SLING-10164.patch
>
>
> IMHO it would be good to capture some basic metrics in {{SlingAuthenticator}} 
> that allow to monitor overall login performance and success/failures.





[jira] [Commented] (SLING-10164) Add basic metrics to SlingAuthenticator

2021-02-25 Thread Carsten Ziegeler (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10164?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17290851#comment-17290851
 ] 

Carsten Ziegeler commented on SLING-10164:
--

[~angela] The patch looks good to me, thanks - are you planning to improve it 
(add more metrics) or should we apply as-is?

> Add basic metrics to SlingAuthenticator
> ---
>
> Key: SLING-10164
> URL: https://issues.apache.org/jira/browse/SLING-10164
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
>Reporter: Angela Schreiber
>Priority: Major
> Attachments: SLING-10164.patch
>
>
> IMHO it would be good to capture some basic metrics in {{SlingAuthenticator}} 
> that allow to monitor overall login performance and success/failures.





Re: Cleanup of dist (https://dist.apache.org/repos/dist/release/sling/)

2021-02-25 Thread Carsten Ziegeler
You should have automation in place to detect issues - that used to be 
in place, not sure if it still is. As soon as it's more than 10 files any 
manual process will fail.


If we start to exclude files from being put into dist, I think the 
release process is even harder than today - as I need to do the 
filtering and remember what to not put there. Today it's easy, get 
everything from nexus and put them up there


Regards
Carsten


On 25.02.2021 at 09:54, Konrad Windszus wrote:
>> What exact problems are you seeing?
>
> https://issues.apache.org/jira/browse/SLING-10153
> https://issues.apache.org/jira/browse/SLING-10152
> https://issues.apache.org/jira/browse/SLING-10151
>
> In general I doubt that dist is very often used for downloading binaries and I 
> want to reduce effort for doing releases.
> It is close to impossible to detect issues like these with 6k files without 
> tooling
>
> Konrad



--
--
Carsten Ziegeler
Adobe Research Switzerland
cziege...@apache.org


[jira] [Commented] (SLING-10164) Add basic metrics to SlingAuthenticator

2021-02-25 Thread Angela Schreiber (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10164?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17290856#comment-17290856
 ] 

Angela Schreiber commented on SLING-10164:
--

[~cziegeler], i wasn't planning to add more metrics (at least not in a first 
step). but it might need a careful review by someone familiar with sling-auth 
and sling-metrics. a few points:
- would it be better/sensible to capture everything in {{handleSecurity}} 
(instead of just covering the likely more expensive parts that call 
{{doHandleSecurity}})?
- tests: i was looking for an osgi-test covering the {{SlingAuthenticator}} to 
make sure the metrics are actually called as intended but as far as i could 
see there are only basic unit tests (see also SLING-10163)
- dependency to sling-commons-metrics: i would appreciate if someone could 
verify that this is the correct way of adding metrics and that the dependency 
is introduced properly not causing any regressions
- performance: i would definitely want to avoid introducing any kind of 
performance issues just for the sake of having a bunch of metrics. but i didn't 
perform any kind of test and didn't find a particular performance-test section for 
the authenticator (maybe just missed it).



[GitHub] [sling-org-apache-sling-feature-launcher] sonarcloud[bot] removed a comment on pull request #15: SLING-10159: Remove handling of framework properties before the feature is processed

2021-02-25 Thread GitBox


sonarcloud[bot] removed a comment on pull request #15:
URL: 
https://github.com/apache/sling-org-apache-sling-feature-launcher/pull/15#issuecomment-785025362


   Kudos, SonarCloud Quality Gate passed!

   [0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-feature-launcher&pullRequest=15&resolved=false&types=BUG)
   [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-feature-launcher&pullRequest=15&resolved=false&types=VULNERABILITY)
   [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-feature-launcher&pullRequest=15&resolved=false&types=SECURITY_HOTSPOT)
   [0 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-feature-launcher&pullRequest=15&resolved=false&types=CODE_SMELL)

   [0.0% Coverage](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-feature-launcher&pullRequest=15&metric=new_coverage&view=list)
   [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-feature-launcher&pullRequest=15&metric=new_duplicated_lines_density&view=list)



This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




[GitHub] [sling-org-apache-sling-feature-launcher] sonarcloud[bot] commented on pull request #15: SLING-10159: Remove handling of framework properties before the feature is processed

2021-02-25 Thread GitBox


sonarcloud[bot] commented on pull request #15:
URL: 
https://github.com/apache/sling-org-apache-sling-feature-launcher/pull/15#issuecomment-785835699


   Kudos, SonarCloud Quality Gate passed!

   [0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-feature-launcher&pullRequest=15&resolved=false&types=BUG)
   [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-feature-launcher&pullRequest=15&resolved=false&types=VULNERABILITY)
   [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-feature-launcher&pullRequest=15&resolved=false&types=SECURITY_HOTSPOT)
   [0 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-feature-launcher&pullRequest=15&resolved=false&types=CODE_SMELL)

   [0.0% Coverage](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-feature-launcher&pullRequest=15&metric=new_coverage&view=list)
   [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-feature-launcher&pullRequest=15&metric=new_duplicated_lines_density&view=list)







[jira] [Commented] (SLING-10159) Handle framework properties after the feature is processed

2021-02-25 Thread Muzaffar Nurmukhammadov (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17290872#comment-17290872
 ] 

Muzaffar Nurmukhammadov commented on SLING-10159:
-

[~cziegeler] Reverted back handling of Sling properties in the *prepare()* 
method, only OSGi properties are not set

> Handle framework properties after the feature is processed
> --
>
> Key: SLING-10159
> URL: https://issues.apache.org/jira/browse/SLING-10159
> Project: Sling
>  Issue Type: Bug
>  Components: Feature Model
>Reporter: Muzaffar Nurmukhammadov
>Priority: Major
> Fix For: Feature Model Launcher 1.1.18
>
> Attachments: 108997486-f0659980-769f-11eb-8cd4-db3f84f1b797.png, 
> Capture.PNG
>
>
> [https://github.com/apache/sling-org-apache-sling-feature-launcher/pull/15]
>  
> OSGi properties are being handled before 
> {{_Installation#getFrameworkProperties()_}} is populated by parsing the 
> Feature files using _{{FeatureProcessor#prepareLauncher()}}_.
> E.g. specifying framework properties such as 
> *org.osgi.framework.startlevel.beginning* and *org.osgi.framework.storage* in 
> *feature.json* file has no effect, the default values are used. These 
> properties should be read from the feature
>  
> In the *{{prepare()}}* method *{{installation.getFrameworkProperties()}}* is 
> empty.
> !108997486-f0659980-769f-11eb-8cd4-db3f84f1b797.png|width=424,height=274!
> The duplicate code exists in the *{{run()}}* method, which is correct.





[jira] [Comment Edited] (SLING-10159) Handle framework properties after the feature is processed

2021-02-25 Thread Muzaffar Nurmukhammadov (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17290872#comment-17290872
 ] 

Muzaffar Nurmukhammadov edited comment on SLING-10159 at 2/25/21, 11:49 AM:


[~cziegeler] Applied the changes, only OSGi properties are not set


was (Author: nmuzaffar):
[~cziegeler] Reverted back handling of Sling properties in the *prepare()* 
method, only OSGi properties are not set



Re: Cleanup of dist (https://dist.apache.org/repos/dist/release/sling/)

2021-02-25 Thread Konrad Windszus
The biggest difference is that without binaries it becomes possible again to 
checkout dist again and clean it up without solely relying on svn import/export.
That is way more comfortable and allows to use other tools than CLI for that.

Regarding filtering what needs to be put to dist, that can be easily scripted 
(while the cleanup unfortunately can't be easily scripted).

Konrad

> On 25. Feb 2021, at 12:12, Carsten Ziegeler  wrote:
> 
> You should have automation in place to detect issues - that used to be in 
> place, not sure if it still is. As soon as it's more than 10 files any manual 
> process will fail.
> 
> If we start to exclude files from being put into dist, I think the release 
> process is even harder than today - as I need to do the filtering and 
> remember what to not put there. Today it's easy, get everything from nexus 
> and put them up there
> 
> Regards
> Carsten
> 
> 
> On 25.02.2021 at 09:54, Konrad Windszus wrote:
>>> What exact problems are you seeing?
>> https://issues.apache.org/jira/browse/SLING-10153
>> https://issues.apache.org/jira/browse/SLING-10152
>> https://issues.apache.org/jira/browse/SLING-10151
>> In general I doubt that dist is very often used for downloading binaries and 
>> I want to reduce effort for doing releases.
>> It is close to impossible to detect issues like these with 6k files without 
>> tooling
>> Konrad
> 
> -- 
> --
> Carsten Ziegeler
> Adobe Research Switzerland
> cziege...@apache.org



[jira] [Comment Edited] (SLING-10164) Add basic metrics to SlingAuthenticator

2021-02-25 Thread Angela Schreiber (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10164?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17290856#comment-17290856
 ] 

Angela Schreiber edited comment on SLING-10164 at 2/25/21, 12:17 PM:
-

[~cziegeler], i wasn't planning to add more metrics (at least not in a first 
step). but it might need a careful review by someone familiar with sling-auth 
and sling-metrics. a few points:
- would it be better/sensible to capture everything in {{handleSecurity}} 
(instead of just covering the likely more expensive parts that call 
{{doHandleSecurity}})?
- tests: i was looking for an osgi-test covering the {{SlingAuthenticator}} to 
make sure the metrics are actually called as intended but as far as i could 
see there are only basic unit tests (see also SLING-10163)
- dependency to sling-commons-metrics: i would appreciate if someone could 
verify that this is the correct way of adding metrics and that the dependency 
is introduced properly not causing any regressions
- performance: i would definitely want to avoid introducing any kind of 
performance issues just for the sake of having a bunch of metrics. but i didn't 
perform any kind of test and didn't find a particular performance-test section for 
the authenticator (maybe just missed it).
- metrics names: not sure what the best practices are in sling. it might well 
be that the 'org.apache.sling' part is redundant/overkill and they should just 
be named 'auth.core.*'. as far as i could see in the osgi-console there is some 
prefix added (e.g. metrics defined in jackrabbit oak all start with 'oak:' and 
thus 'oak' can be omitted from the name itself).


was (Author: anchela):
[~cziegeler], i wasn't planning to add more metrics (at least not in a first 
step). but it might need a careful review by someone familiar with sling-auth 
and sling-metrics. a few points:
- would it be better/sensible to capture everything in {{handleSecurity}} 
(instead of just covering the likely more expensive parts that call 
{{doHandleSecurity}})?
- tests: i was looking for an osgi-test covering the {{SlingAuthenticator}} to 
make sure the metrics are actually called as intended but as far as i could 
see there are only basic unit tests (see also SLING-10163)
- dependency to sling-commons-metrics: i would appreciate if someone could 
verify that this is the correct way of adding metrics and that the dependency 
is introduced properly not causing any regressions
- performance: i would definitely want to avoid introducing any kind of 
performance issues just for the sake of having a bunch of metrics. but i didn't 
perform any kind of test and didn't find a particular performance-test section for 
the authenticator (maybe just missed it).



Re: Cleanup of dist (https://dist.apache.org/repos/dist/release/sling/)

2021-02-25 Thread Bertrand Delacretaz
Hi,

On Thu, Feb 25, 2021 at 12:56 PM Konrad Windszus  wrote:
>
> The biggest difference is that without binaries it becomes possible again to 
> checkout
> dist again and clean it up without solely relying on svn import/export...

What kind of cleanup is needed?

If we write some sanity check tools (which seems to be needed anyway)
those could output a list of things to remove, if there are leftovers
to cleanup.

-Bertrand


[jira] [Commented] (SLING-10158) XSSFilter fails with a classloading error with the TreeWalker class

2021-02-25 Thread Radu Cotescu (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17290901#comment-17290901
 ] 

Radu Cotescu commented on SLING-10158:
--

Thanks for fixing this, [~enorman]. I didn't see the error in my normal manual 
smoke tests... :( I'll start a release now, since 2.2.10 cannot really be 
used...

> XSSFilter fails with a classloading error with the TreeWalker class
> ---
>
> Key: SLING-10158
> URL: https://issues.apache.org/jira/browse/SLING-10158
> Project: Sling
>  Issue Type: Bug
>Affects Versions: XSS Protection API 2.2.10
>Reporter: Eric Norman
>Assignee: Eric Norman
>Priority: Major
> Fix For: XSS Protection API 2.2.12
>
>
> After switching to xss v2.2.10 many pages fail with a classloading exception 
> regarding the org.apache.xml.serializer.TreeWalker class
> For example, the Composum browser at 
> [http://localhost:8080/bin/browser.html] fails with this error:
> {noformat}
> org/apache/xml/serializer/TreeWalker (500)
> The requested URL /bin/browser.html resulted in an error in 
> /libs/composum/nodes/browser/browser.jsp.
> Exception:
> java.lang.NoClassDefFoundError: org/apache/xml/serializer/TreeWalker
> at 
> org.apache.xalan.processor.TransformerFactoryImpl.newTransformer(TransformerFactoryImpl.java:818)
> at 
> org.owasp.validator.html.scan.AntiSamySAXScanner.getNewTransformer(AntiSamySAXScanner.java:178)
> at 
> org.owasp.validator.html.scan.AntiSamySAXScanner.scan(AntiSamySAXScanner.java:133)
> at 
> org.owasp.validator.html.scan.AntiSamySAXScanner.scan(AntiSamySAXScanner.java:107)
> at 
> org.owasp.validator.html.scan.AntiSamySAXScanner.scan(AntiSamySAXScanner.java:89)
> at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:129)
> at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:75)
> at 
> org.apache.sling.xss.impl.HtmlToHtmlContentContext.getCleanResults(HtmlToHtmlContentContext.java:98)
> at 
> org.apache.sling.xss.impl.HtmlToHtmlContentContext.filter(HtmlToHtmlContentContext.java:68)
> at org.apache.sling.xss.impl.XSSFilterImpl.filter(XSSFilterImpl.java:200)
> at org.apache.sling.xss.impl.XSSFilterImpl.filter(XSSFilterImpl.java:194)
> at com.composum.sling.core.util.XSS.filter(XSS.java:282)
> at 
> com.composum.sling.core.util.ConsoleUtil.getConsoleResource(ConsoleUtil.java:31)
> at 
> com.composum.sling.core.AbstractServletBean.initialize(AbstractServletBean.java:33)
> at 
> com.composum.sling.core.BeanContext$AbstractContext.tryToInstantiateSlingBean(BeanContext.java:266)
> at 
> com.composum.sling.core.BeanContext$AbstractContext.adaptTo(BeanContext.java:246)
> at com.composum.sling.core.BeanContext$Page.adaptTo(BeanContext.java:571)
> at 
> com.composum.sling.cpnl.ComponentTag.createComponent(ComponentTag.java:220)
> at com.composum.sling.cpnl.ComponentTag.doStartTag(ComponentTag.java:73)
> at 
> org.apache.jsp.libs.composum.nodes.browser.browser__002e__jsp._jspService(browser__002e__jsp.java:112)
> at 
> org.apache.sling.scripting.jsp.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
> at 
> org.apache.sling.scripting.jsp.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:496)...
> {noformat}
>  





[VOTE] Release Apache Sling XSS Protection API 2.2.12

2021-02-25 Thread Radu Cotescu
Hi,

We solved 1 issue in this release:
https://issues.apache.org/jira/browse/SLING/fixforversion/12349722

Staging repository:
https://repository.apache.org/content/repositories/orgapachesling-2414/

You can use this UNIX script to download the release and verify the signatures:
https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD

Usage:
sh check_staged_release.sh 2414 /tmp/sling-staging

Please vote to approve this release:

  [ ] +1 Approve the release
  [ ]  0 Don't care
  [ ] -1 Don't release, because ...

This majority vote is open for at least 72 hours.

Regards,
Radu Cotescu


Re: Questions surfaced by SLING-9999

2021-02-25 Thread Radu Cotescu
Hi Olli,

> On 22 Feb 2021, at 14:18, Oliver Lietz  wrote:
> 
> On Thursday, 18 February 2021 10:21:05 CET Radu Cotescu wrote:
>> Hi,
> 
> Hi Karl, hi Radu,
> 
> Sorry for coming back late, I was again hit by severe bugs in Akonadi and 
> still trying to fully recover.
> 
>> If nobody opposes in the next 24 hours, I will ask INFRA to rename the
>> repository from [0] to sling-org-apache-sling-scripting-spi and the API
>> refactored to be in the org.apache.sling.scripting.spi.bundle package.
> 
> +1 This looks like b) from my list of possible options below with reusing 
> o.a.s.servlets.resolver.api repo.

Great!

> 
> How about ResourceType (#3)?

I would not move this class yet, as I don’t see another potential usage 
somewhere outside of the context of bundled scripts. Once we see that there’s a 
need for it outside of this API, we can add it to the already fat o.a.s.api. 
Does this work for you?

Thanks,
Radu



Re: No OSGi SCR metadata in Unit Tests

2021-02-25 Thread Radu Cotescu
Hi Roy,

> On 25 Feb 2021, at 10:37, Roy Teeuwen  wrote:
> 
> Is there an easy way in intellij to get those OSGi SCR xmls in a junit run 
> configuration without having to triggering a maven install / bundle execution 
> plugin first?

Not that I know of. I usually do a mvn clean package when I’m adding tests for 
new services and then I can run everything from inside Idea.

Regards,
Radu

[jira] [Commented] (SLING-10123) Distribution agent queue processor should implement a backoff in case of retries for processing an item

2021-02-25 Thread Mohit Arora (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17290925#comment-17290925
 ] 

Mohit Arora commented on SLING-10123:
-

[~ashishc], [~marett], should we implement an ExponentialBackoff similar to [0] 
or would a simple Thread.sleep() for a specified time (linear backoff) be 
sufficient? If we want to use [0], would it make sense to extract it out into a 
common bundle which both distribution-journal and distribution-core are 
importing?

[0] 
https://github.com/apache/sling-org-apache-sling-distribution-journal/blob/master/src/main/java/org/apache/sling/distribution/journal/shared/ExponentialBackOff.java

> Distribution agent queue processor should implement a backoff in case of 
> retries for processing an item
> ---
>
> Key: SLING-10123
> URL: https://issues.apache.org/jira/browse/SLING-10123
> Project: Sling
>  Issue Type: Bug
>  Components: Content Distribution
>Affects Versions: Content Distribution Core 0.4.2
>Reporter: Mohit Arora
>Priority: Major
> Fix For: Content Distribution Core 0.4.6
>
>
> In case of recoverable exceptions, distribution agent queue processor does 
> not evict the queue item from the processing queue [0]. Rather, the item is 
> retried infinitely until either the distribution of the item is successful or 
> a non-recoverable exception is thrown for the item. However, since there is 
> "something wrong" because of which an exception is thrown in the first place, 
> we should add a cool off period before trying to reattempt to distribute the 
> same item. This can be achieved through a linear or exponential backoff.
> cc - [~ashishc]
> [0] 
> https://github.com/apache/sling-org-apache-sling-distribution-core/blob/master/src/main/java/org/apache/sling/distribution/agent/impl/SimpleDistributionAgentQueueProcessor.java#L147-L150



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
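
The two cool-off options raised for SLING-10123, side by side, as an added example that is not code from Sling or from the distribution-journal `ExponentialBackOff` class linked above. Every class, method and parameter name is hypothetical; "linear" is taken here to mean a delay that grows by one base interval per retry, and the attempt limit exists only to keep the demo finite.

```java
import java.util.concurrent.ThreadLocalRandom;
import java.util.function.BooleanSupplier;

// Added illustration for SLING-10123, not Sling code: every name here is hypothetical.
public class QueueRetryBackoff {

    public enum Strategy { LINEAR, EXPONENTIAL }

    private final Strategy strategy;
    private final long baseMillis; // delay before the first retry
    private final long maxMillis;  // cap, so a long outage cannot push the delay up forever

    public QueueRetryBackoff(Strategy strategy, long baseMillis, long maxMillis) {
        if (baseMillis <= 0 || maxMillis < baseMillis) {
            throw new IllegalArgumentException("need 0 < baseMillis <= maxMillis");
        }
        this.strategy = strategy;
        this.baseMillis = baseMillis;
        this.maxMillis = maxMillis;
    }

    /** Delay before retry number {@code retry} (1-based), before jitter is applied. */
    public long delayMillis(int retry) {
        if (retry < 1) {
            throw new IllegalArgumentException("retry is 1-based");
        }
        long factor = strategy == Strategy.LINEAR
                ? retry                           // base, 2*base, 3*base, ...
                : 1L << Math.min(retry - 1, 62);  // base, 2*base, 4*base, ...
        // Guard the multiplication: a large retry count must not overflow into a negative delay.
        long raw = factor > Long.MAX_VALUE / baseMillis ? Long.MAX_VALUE : baseMillis * factor;
        return Math.min(raw, maxMillis);
    }

    /**
     * "Equal jitter": keep half of the delay and randomise the other half, so that
     * several agents failing against the same endpoint do not retry in lockstep.
     */
    public long jitteredDelayMillis(int retry) {
        long delay = delayMillis(retry);
        long half = delay / 2;
        return half + ThreadLocalRandom.current().nextLong(delay - half + 1);
    }

    /**
     * Processes one queue item, sleeping between attempts. {@code processItem} returns
     * true on success and false on a recoverable failure. Returns the number of
     * attempts used, or -1 when {@code maxAttempts} was reached.
     */
    public int process(BooleanSupplier processItem, int maxAttempts) throws InterruptedException {
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            if (processItem.getAsBoolean()) {
                return attempt;
            }
            if (attempt < maxAttempts) {
                // InterruptedException propagates so that stopping the agent is not blocked by a sleep.
                Thread.sleep(jitteredDelayMillis(attempt));
            }
        }
        return -1;
    }

    public static void main(String[] args) throws InterruptedException {
        QueueRetryBackoff linear = new QueueRetryBackoff(Strategy.LINEAR, 500, 60_000);
        QueueRetryBackoff exponential = new QueueRetryBackoff(Strategy.EXPONENTIAL, 500, 60_000);
        for (int retry = 1; retry <= 10; retry++) {
            System.out.printf("retry %2d  linear %6d ms  exponential %6d ms%n",
                    retry, linear.delayMillis(retry), exponential.delayMillis(retry));
        }

        // Constructed scenario: the item fails three times with a recoverable error, then succeeds.
        int[] calls = {0};
        QueueRetryBackoff fast = new QueueRetryBackoff(Strategy.EXPONENTIAL, 10, 200);
        int attempts = fast.process(() -> ++calls[0] > 3, 10);
        System.out.println("item distributed after " + attempts + " attempts");
    }
}
```

The cap matters as much as the growth rate: without `maxMillis` an exponential schedule stalls the queue for hours after a dozen failures, while the linear schedule keeps hitting a broken endpoint at nearly the original rate.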


[GitHub] [sling-org-apache-sling-feature-launcher] cziegeler merged pull request #15: SLING-10159: Remove handling of framework properties before the feature is processed

2021-02-25 Thread GitBox


cziegeler merged pull request #15:
URL: https://github.com/apache/sling-org-apache-sling-feature-launcher/pull/15


   







[jira] [Resolved] (SLING-10159) Handle framework properties after the feature is processed

2021-02-25 Thread Carsten Ziegeler (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10159?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Carsten Ziegeler resolved SLING-10159.
--
Resolution: Fixed

Thanks [~NMuzaffar] - i've applied your PR

> Handle framework properties after the feature is processed
> --
>
> Key: SLING-10159
> URL: https://issues.apache.org/jira/browse/SLING-10159
> Project: Sling
>  Issue Type: Bug
>  Components: Feature Model
>Reporter: Muzaffar Nurmukhammadov
>Assignee: Carsten Ziegeler
>Priority: Major
> Fix For: Feature Model Launcher 1.1.18
>
> Attachments: 108997486-f0659980-769f-11eb-8cd4-db3f84f1b797.png, 
> Capture.PNG
>
>
> [https://github.com/apache/sling-org-apache-sling-feature-launcher/pull/15]
>  
> OSGi properties are being handled before 
> {{_Installation#getFrameworkProperties()_}} is populated by parsing the 
> Feature files using _{{FeatureProcessor#prepareLauncher()}}_.
> E.g. specifying framework properties such as 
> *org.osgi.framework.startlevel.beginning* and *org.osgi.framework.storage* in 
> *feature.json* file has no effect, the default values are used. These 
> properties should be read from the feature
>  
> In the *{{prepare()}}* method *{{installation.getFrameworkProperties()}}* is 
> empty.
> !108997486-f0659980-769f-11eb-8cd4-db3f84f1b797.png|width=424,height=274!
> The duplicate code exists in the *{{run()}}* method, which is correct.





[jira] [Assigned] (SLING-10159) Handle framework properties after the feature is processed

2021-02-25 Thread Carsten Ziegeler (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10159?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Carsten Ziegeler reassigned SLING-10159:


Assignee: Carsten Ziegeler



[jira] [Resolved] (SLING-10116) Add Maintenance Job to Starter and CMS

2021-02-25 Thread Dan Klco (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10116?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dan Klco resolved SLING-10116.
--
Resolution: Fixed

Done in 
https://github.com/apache/sling-org-apache-sling-starter/commit/c383c866e53b690b34d87d758e2c320ef1321d11
 and 
https://github.com/apache/sling-org-apache-sling-app-cms/commit/c1bd9c337e353845fa7a0cf6516b6a817113ecc0

> Add Maintenance Job to Starter and CMS
> --
>
> Key: SLING-10116
> URL: https://issues.apache.org/jira/browse/SLING-10116
> Project: Sling
>  Issue Type: Sub-task
>Reporter: Dan Klco
>Assignee: Dan Klco
>Priority: Major
> Fix For: Starter 12, App CMS 1.0.2
>
>
> Add the Maintenance Job bundle to the starter and CMS without the run 
> configuration (by default). 





[jira] [Commented] (SLING-10158) XSSFilter fails with a classloading error with the TreeWalker class

2021-02-25 Thread Eric Norman (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291129#comment-17291129
 ] 

Eric Norman commented on SLING-10158:
-

[~radu] Not a problem.  I noticed the troubles right away after switching.  
Perhaps it would be worth it to add some simple integration tests so things 
like this would be detected without manual testing.

> XSSFilter fails with a classloading error with the TreeWalker class
> ---
>
> Key: SLING-10158
> URL: https://issues.apache.org/jira/browse/SLING-10158
> Project: Sling
>  Issue Type: Bug
>Affects Versions: XSS Protection API 2.2.10
>Reporter: Eric Norman
>Assignee: Eric Norman
>Priority: Major
> Fix For: XSS Protection API 2.2.12
>
>
> After switching to xss v2.2.10 many pages fail with a classloading exception 
> regarding the org.apache.xml.serializer.TreeWalker class
> For example, the composium browser at 
> [http://localhost:8080/bin/browser.html] fails with this error:
> {noformat}
> org/apache/xml/serializer/TreeWalker (500)
> The requested URL /bin/browser.html resulted in an error in 
> /libs/composum/nodes/browser/browser.jsp.
> Exception:
> java.lang.NoClassDefFoundError: org/apache/xml/serializer/TreeWalker
> at 
> org.apache.xalan.processor.TransformerFactoryImpl.newTransformer(TransformerFactoryImpl.java:818)
> at 
> org.owasp.validator.html.scan.AntiSamySAXScanner.getNewTransformer(AntiSamySAXScanner.java:178)
> at 
> org.owasp.validator.html.scan.AntiSamySAXScanner.scan(AntiSamySAXScanner.java:133)
> at 
> org.owasp.validator.html.scan.AntiSamySAXScanner.scan(AntiSamySAXScanner.java:107)
> at 
> org.owasp.validator.html.scan.AntiSamySAXScanner.scan(AntiSamySAXScanner.java:89)
> at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:129)
> at org.owasp.validator.html.AntiSamy.scan(AntiSamy.java:75)
> at 
> org.apache.sling.xss.impl.HtmlToHtmlContentContext.getCleanResults(HtmlToHtmlContentContext.java:98)
> at 
> org.apache.sling.xss.impl.HtmlToHtmlContentContext.filter(HtmlToHtmlContentContext.java:68)
> at org.apache.sling.xss.impl.XSSFilterImpl.filter(XSSFilterImpl.java:200)
> at org.apache.sling.xss.impl.XSSFilterImpl.filter(XSSFilterImpl.java:194)
> at com.composum.sling.core.util.XSS.filter(XSS.java:282)
> at 
> com.composum.sling.core.util.ConsoleUtil.getConsoleResource(ConsoleUtil.java:31)
> at 
> com.composum.sling.core.AbstractServletBean.initialize(AbstractServletBean.java:33)
> at 
> com.composum.sling.core.BeanContext$AbstractContext.tryToInstantiateSlingBean(BeanContext.java:266)
> at 
> com.composum.sling.core.BeanContext$AbstractContext.adaptTo(BeanContext.java:246)
> at com.composum.sling.core.BeanContext$Page.adaptTo(BeanContext.java:571)
> at 
> com.composum.sling.cpnl.ComponentTag.createComponent(ComponentTag.java:220)
> at com.composum.sling.cpnl.ComponentTag.doStartTag(ComponentTag.java:73)
> at 
> org.apache.jsp.libs.composum.nodes.browser.browser__002e__jsp._jspService(browser__002e__jsp.java:112)
> at 
> org.apache.sling.scripting.jsp.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
> at 
> org.apache.sling.scripting.jsp.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:496)...
> {noformat}
>  





Re: [VOTE] Release Apache Sling XSS Protection API 2.2.12

2021-02-25 Thread Daniel Klco
+1

On Thu, Feb 25, 2021 at 8:04 AM Radu Cotescu  wrote:

> Hi,
>
> We solved 1 issue in this release:
> https://issues.apache.org/jira/browse/SLING/fixforversion/12349722
>
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-2414/
>
> You can use this UNIX script to download the release and verify the
> signatures:
>
> https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD
>
> Usage:
> sh check_staged_release.sh 2414 /tmp/sling-staging
>
> Please vote to approve this release:
>
>   [ ] +1 Approve the release
>   [ ]  0 Don't care
>   [ ] -1 Don't release, because ...
>
> This majority vote is open for at least 72 hours.
>
> Regards,
> Radu Cotescu
>


[jira] [Created] (SLING-10167) MapEntries.loadAliases generates JCR queries with illegal absolute paths

2021-02-25 Thread Stefan Seifert (Jira)
Stefan Seifert created SLING-10167:
--

 Summary: MapEntries.loadAliases generates JCR queries with illegal 
absolute paths
 Key: SLING-10167
 URL: https://issues.apache.org/jira/browse/SLING-10167
 Project: Sling
  Issue Type: Bug
  Components: ResourceResolver
Affects Versions: Resource Resolver 1.7.2
Reporter: Stefan Seifert
Assignee: Stefan Seifert
 Fix For: Resource Resolver 1.7.4


the code introduced with SLING-9535 generates JCR queries like this to load 
existing aliases on startup:
{noformat}
SELECT sling:alias FROM nt:base AS page WHERE (NOT 
ISDESCENDANTNODE(page,"/jcr:system/")) AND sling:alias IS NOT NULL
SELECT sling:alias FROM nt:base AS page WHERE (NOT 
ISDESCENDANTNODE(page,"/parent1/")) AND sling:alias IS NOT NULL
{noformat}

these queries are invalid, as "/jcr:system/" or "/parent1/" are not valid paths - 
valid paths must not end with "/".



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
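
The trailing-slash defect described in this issue, as an added example that is neither Sling's MapEntries code nor the fix from the pull request: a helper that normalises and validates a path prefix before it is embedded in `ISDESCENDANTNODE(...)`. The class and method names are hypothetical and the sample inputs are constructed; the query text is the one quoted in the issue.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added illustration (hypothetical names, not Sling's MapEntries code):
 * build the alias query quoted in SLING-10167 from a configured path prefix
 * without emitting paths such as "/jcr:system/".
 */
public class AliasQueryPaths {

    /** Normalise a configured prefix to an absolute path without a trailing "/". */
    static String toQueryPath(String configured) {
        if (configured == null || configured.trim().isEmpty()) {
            throw new IllegalArgumentException("empty path");
        }
        String path = configured.trim();
        if (!path.startsWith("/")) {
            throw new IllegalArgumentException("not an absolute path: " + configured);
        }
        // Strip every trailing slash, but keep the root path "/" itself.
        int end = path.length();
        while (end > 1 && path.charAt(end - 1) == '/') {
            end--;
        }
        path = path.substring(0, end);
        // Reject empty segments ("//") and quote characters that would end the
        // string literal the path is embedded in.
        if (path.contains("//") || path.indexOf('"') >= 0 || path.indexOf('\'') >= 0) {
            throw new IllegalArgumentException("unsupported path: " + configured);
        }
        return path;
    }

    /** Build the query from the issue for one excluded prefix. */
    static String aliasQuery(String excludedPrefix) {
        return "SELECT sling:alias FROM nt:base AS page WHERE (NOT ISDESCENDANTNODE(page,\""
                + toQueryPath(excludedPrefix)
                + "\")) AND sling:alias IS NOT NULL";
    }

    public static void main(String[] args) {
        // Constructed inputs: the two prefixes from the issue plus edge cases.
        List<String> samples = Arrays.asList(
                "/jcr:system/", "/parent1/", "/parent1", "/content//",
                "/a//b/", "relative/path", "/a\"b", " ");
        for (String sample : samples) {
            try {
                System.out.println(aliasQuery(sample));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejecting quote characters instead of escaping them keeps the helper independent of the query dialect's escaping rules, which the issue does not describe.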


[jira] [Commented] (SLING-10167) MapEntries.loadAliases generates JCR queries with illegal absolute paths

2021-02-25 Thread Stefan Seifert (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10167?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291143#comment-17291143
 ] 

Stefan Seifert commented on SLING-10167:


for some reason these illegal paths in the JCR query do not lead to problems in 
a running instance - queries seem to be executed. however, the problem can be 
reproduced easily in unit tests, e.g. with sling-mock-oak - e.g. with this 
branch using Sling Resource Resolver 1.7.2:
https://github.com/apache/sling-org-apache-sling-testing-sling-mock-oak/tree/feature/SLING-10167-reproduce-sling-alias-query-problem

this leads to tons of exceptions in the unit tests like:
{noformat}
java.lang.RuntimeException: Unable to initialize JCR_OAK resource resolver 
factory: Unable to invoke method 'activate' for class 
org.apache.sling.resourceresolver.impl.ResourceResolverFactoryActivator
at 
org.apache.sling.testing.mock.sling.context.ContextResourceResolverFactory.get(ContextResourceResolverFactory.java:68)
at 
org.apache.sling.testing.mock.sling.context.SlingContextImpl.newResourceResolverFactory(SlingContextImpl.java:145)
at 
org.apache.sling.testing.mock.sling.context.SlingContextImpl.resourceResolverFactory(SlingContextImpl.java:150)
at 
org.apache.sling.testing.mock.sling.context.SlingContextImpl.setUp(SlingContextImpl.java:134)
at 
org.apache.sling.testing.mock.sling.junit.SlingContext.access$100(SlingContext.java:49)
at 
org.apache.sling.testing.mock.sling.junit.SlingContext$1.before(SlingContext.java:153)
at org.junit.rules.ExternalResource$1.evaluate(ExternalResource.java:46)
at org.junit.rules.RunRules.evaluate(RunRules.java:20)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
at 
org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
at 
org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
at 
org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:365)
at 
org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:273)
at 
org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238)
at 
org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:159)
at 
org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:377)
at 
org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:138)
at 
org.apache.maven.surefire.booter.ForkedBooter.run(ForkedBooter.java:465)
at 
org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:451)
Caused by: java.lang.RuntimeException: Unable to invoke method 'activate' for 
class org.apache.sling.resourceresolver.impl.ResourceResolverFactoryActivator
at 
org.apache.sling.testing.mock.osgi.OsgiServiceUtil.invokeMethod(OsgiServiceUtil.java:325)
at 
org.apache.sling.testing.mock.osgi.OsgiServiceUtil.invokeLifecycleMethod(OsgiServiceUtil.java:218)
at 
org.apache.sling.testing.mock.osgi.OsgiServiceUtil.activateDeactivate(OsgiServiceUtil.java:89)
at 
org.apache.sling.testing.mock.osgi.MockOsgi.activate(MockOsgi.java:186)
at 
org.apache.sling.testing.mock.sling.ResourceResolverFactoryInitializer.initializeResourceResolverFactoryActivator(ResourceResolverFactoryInitializer.java:157)
at 
org.apache.sling.testing.mock.sling.ResourceResolverFactoryInitializer.setUp(ResourceResolverFactoryInitializer.java:79)
at 
org.apache.sling.testing.mock.sling.MockSling.newResourceResolverFactory(MockSling.java:76)
at 
org.apache.sling.testing.mock.sling.context.ContextResourceResolverFactory.get(ContextResourceResolverFactory.java:47)
... 24 more
Caused by: java.lang.AssertionError: Invalid path [/jcr:system/]
at 
org.apache.jackrabbit.oak.commons.PathUtils.isAbsolute(PathUtils.java:89)
at 
org.apache.jackrabbit.oak.query.SQL2Parser.readAbsolutePath(SQL2Parser.java:643)
at 
org.apache.jackrabbit.oak.query.SQL2Parser.parseConditionFunctionIf(SQL2Parser.java:575)
at 
org.apache.jackrabbit.oak.query.SQL2Parser.parseCondition(SQL2Parser.java:407)
at 
org.apache.jackrabbit.oak.query.SQL2Parser.parseCondition(SQL2Parser.java:400)
at 
org.apache.jackrabbit.oak.query.SQL2Parser.parseAnd(SQL2Parser.java:390)
at 
org.apache.jackrabbit.oak.que

[GitHub] [sling-org-apache-sling-resourceresolver] stefanseifert opened a new pull request #42: SLING-10167 Ensure only valid absolute paths (not ending with "/") are used in JCR queries for loading e

2021-02-25 Thread GitBox


stefanseifert opened a new pull request #42:
URL: https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/42


   see https://issues.apache.org/jira/browse/SLING-10167



This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




[jira] [Commented] (SLING-10167) MapEntries.loadAliases generates JCR queries with illegal absolute paths

2021-02-25 Thread Stefan Seifert (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10167?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291146#comment-17291146
 ] 

Stefan Seifert commented on SLING-10167:


i've provided a PR to fix the problem: 
https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/42

(i'm also wondering why all queries in MapEntries.java use the deprecated SQL-1 
JCR query syntax and not SQL-2, but this is a topic for another issue)

[~rombert] can you have a look - you were involved in SLING-9535

/cc [~akanksha88]

> MapEntries.loadAliases generates JCR queries with illegal absolute paths
> ---
>
> Key: SLING-10167
> URL: https://issues.apache.org/jira/browse/SLING-10167
> Project: Sling
>  Issue Type: Bug
>  Components: ResourceResolver
>Affects Versions: Resource Resolver 1.7.2
>Reporter: Stefan Seifert
>Assignee: Stefan Seifert
>Priority: Major
> Fix For: Resource Resolver 1.7.4
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> the code introduced with SLING-9535 generates JCR queries like this to load 
> existing aliases on startup:
> {noformat}
> SELECT sling:alias FROM nt:base AS page WHERE (NOT 
> ISDESCENDANTNODE(page,"/jcr:system/")) AND sling:alias IS NOT NULL
> SELECT sling:alias FROM nt:base AS page WHERE (NOT 
> ISDESCENDANTNODE(page,"/parent1/")) AND sling:alias IS NOT NULL
> {noformat}
> these queries are invalid, as "/jcr:system/" or "/parent1/" are not valid paths 
> - valid paths must not end with "/".





[GitHub] [sling-org-apache-sling-resourceresolver] sonarcloud[bot] commented on pull request #42: SLING-10167 Ensure only valid absolute paths (not ending with "/") are used in JCR queries for loading

2021-02-25 Thread GitBox


sonarcloud[bot] commented on pull request #42:
URL: 
https://github.com/apache/sling-org-apache-sling-resourceresolver/pull/42#issuecomment-786129481


   Kudos, SonarCloud Quality Gate passed!

   [0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-resourceresolver&pullRequest=42&resolved=false&types=BUG)
   [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-resourceresolver&pullRequest=42&resolved=false&types=VULNERABILITY)
   [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-resourceresolver&pullRequest=42&resolved=false&types=SECURITY_HOTSPOT)
   [0 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-resourceresolver&pullRequest=42&resolved=false&types=CODE_SMELL)

   [100.0% Coverage](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-resourceresolver&pullRequest=42&metric=new_coverage&view=list)
   [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-resourceresolver&pullRequest=42&metric=new_duplicated_lines_density&view=list)







RE: [VOTE] Release Apache Sling XSS Protection API 2.2.12

2021-02-25 Thread Stefan Seifert
+1


[GitHub] [sling-org-apache-sling-resourcemerger] kwin opened a new pull request #4: SLING-10150 improve handling of multivalue hides

2021-02-25 Thread GitBox


kwin opened a new pull request #4:
URL: https://github.com/apache/sling-org-apache-sling-resourcemerger/pull/4


   affects both hideChildren and hideProperties







RE: [VOTE] Release Apache Sling Engine 2.7.4

2021-02-25 Thread Stefan Seifert
+1


[jira] [Commented] (SLING-10150) Sling Resource Merger completely hides parent when whitelisting in combination with asterisk is used for sling:hideChildren

2021-02-25 Thread Konrad Windszus (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291156#comment-17291156
 ] 

Konrad Windszus commented on SLING-10150:
-

[~jsedding][~Henry Kuijpers] Please have a look at the proposed fix in 
https://github.com/apache/sling-org-apache-sling-resourcemerger/pull/4

> Sling Resource Merger completely hides parent when whitelisting in 
> combination with asterisk is used for sling:hideChildren
> ---
>
> Key: SLING-10150
> URL: https://issues.apache.org/jira/browse/SLING-10150
> Project: Sling
>  Issue Type: Bug
>Affects Versions: Resource Merger 1.3.10
>Reporter: Henry Kuijpers
>Assignee: Konrad Windszus
>Priority: Major
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Provided a failing test case here: 
> https://github.com/apache/sling-org-apache-sling-resourcemerger/pull/3/files
> TODO: Fix
> When trying to configure a whitelisting approach to inheriting nodes from a 
> parent (i.e. through resource super type, or through overlaying), the 
> following way:
> /apps/base/test/tabs/undesired-tab
> /apps/base/test/tabs/desired-tab
> /apps/base/test/tabs/desired-tab/items/field@title="title"
> &
> /apps/overlay/test/tabs@sling:hideChildren="[!desired-tab,*]"
> /apps/overlay/test/tabs/desired-tab/items/field@description="test"
> One would expect that requesting the children of /merged/test/tabs would 
> yield the "desired-tab" only, i.e. "undesired-tab" (and other nodes not 
> whitelisted) being hidden. This is working as expected.
> One would also expect the "desired-tab" to have the properties of the 
> base-structure as well as the properties of the overlay-structure. This is 
> also working as expected.
> One would expect that the underlying nodes of "desired-tab" from the base 
> would remain intact and would be merged with the underlying nodes of 
> "desired-tab" in the overlay. So, while listing the items of desired-tab, one 
> would expect:
> MergedResource containing properties [title=test, description=test] 
> consisting of original resources 
> [/apps/base/test/tabs/desired-tab/items/field, 
> /apps/overlay/test/tabs/desired-tab/items/field]
> However, instead, the following is returned:
> MergedResource containing properties [description=test] consisting of 
> original resources [/apps/overlay/test/tabs/desired-tab/items/field]
> So, the original "base" resource is not considered anymore!
> I believe the issue is in MergingResourceProvider.ParentHidingHandler, in the 
> constructor, actually. At some point, it decides that the parent resource 
> (which indeed has the sling:hideChildren property defined) defines an exclude 
> entry which is "*" and adds that entry to the list.
> Then, when the class starts checking the parent of the parent (marked with 
> "// also check on the parent's parent whether that was hiding the parent") - 
> There it will find that asterisk exclude that was defined on the parent, not 
> taking into account that it was preceded by a whitelisting "!desired-tab" - 
> Removing the parent of the parent's children entirely.
> I believe this should be changed into a more robust way of handling this 
> use-case. Probably the asterisk exclude can be global(?), even though it 
> should still be desired that any child of the parent still is able to remove 
> that exclude. But whenever those excludes are considered, also the includes 
> that were preceding it should be considered to figure out if it's a real 
> include in the case of that specific path.





[jira] [Created] (SLING-10168) Migrate to Bundle Parent 40 and OSGi annotations

2021-02-25 Thread Konrad Windszus (Jira)
Konrad Windszus created SLING-10168:
---

 Summary: Migrate to Bundle Parent 40 and OSGi annotations
 Key: SLING-10168
 URL: https://issues.apache.org/jira/browse/SLING-10168
 Project: Sling
  Issue Type: Improvement
  Components: Extensions
Affects Versions: Resource Merger 1.3.10
Reporter: Konrad Windszus
Assignee: Konrad Windszus
 Fix For: Resource Merger 1.4.0








[jira] [Updated] (SLING-10150) Sling Resource Merger completely hides parent when whitelisting in combination with asterisk is used for sling:hideChildren

2021-02-25 Thread Konrad Windszus (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Konrad Windszus updated SLING-10150:

Fix Version/s: Resource Merger 1.4.0



[GitHub] [sling-org-apache-sling-scripting-core] enapps-enorman commented on a change in pull request #7: SLING-10147 block unauthorized access to SlingBindingsVariablesListJsonServlet

2021-02-25 Thread GitBox


enapps-enorman commented on a change in pull request #7:
URL: 
https://github.com/apache/sling-org-apache-sling-scripting-core/pull/7#discussion_r583100054



##
File path: 
src/main/java/org/apache/sling/scripting/core/impl/SlingBindingsVariablesListJsonServlet.java
##
@@ -91,6 +102,24 @@ protected void activate(ComponentContext context) {
 @Override
 protected void doGet(SlingHttpServletRequest request, 
SlingHttpServletResponse response)
 throws ServletException, IOException {
+if (webconsoleSecurity == null) {
+log("Acccess forbidden as the WebConsoleSecurity reference is not 
set");
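
Review bot: the message passed to `log(...)` on the first added statement spells "Access" as "Acccess"; correct it before merge, because a misspelled message will not match a log search for "Access forbidden". Naming the missing WebConsoleSecurity reference as the reason for the refusal is worth keeping.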

Review comment:
   whoops.  I'll fix that now.









[jira] [Resolved] (SLING-6968) Resource Merger: Add another resource picker which merges two arbitrary resources given by path

2021-02-25 Thread Konrad Windszus (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-6968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Konrad Windszus resolved SLING-6968.

Resolution: Won't Fix

> Resource Merger: Add another resource picker which merges two arbitrary 
> resources given by path
> ---
>
> Key: SLING-6968
> URL: https://issues.apache.org/jira/browse/SLING-6968
> Project: Sling
>  Issue Type: Improvement
>  Components: Extensions
>Affects Versions: Resource Merger 1.3.4
>Reporter: Konrad Windszus
>Priority: Major
>
> Currently both resource pickers "overlay" and "override" shipped with the 
> Sling Resource Merger determine only one resource from the given path url. 
> The underlying/overlying resources are determined either via 
> "sling:resourceSuperType" or via the resource resolver's search path.
> It would be useful to add a third resource picker which would allow to merge 
> two explicitly specified resources (because both paths are given in the 
> merged resource path).
> One concrete use case for that would be a composition pattern (in AEM: a 
> dialog definition being composed out of multiple dialog definition child 
> resources, being maintained somewhere in the repository but still allowing to 
> overwrite some of the properties of the referenced dialog definition child 
> resource).
> The only question is how to encode the two paths in the merged resource path 
> (what to use as separator). One idea is to separate via ";". So the merged 
> resource at {{/mnt/merge/;}} would merge the resource given at 
> {{}} with the resource given at {{}}.





[jira] [Updated] (SLING-5469) Resource Merger: Add some name prefixing mechanism for properties which are used by the resource merger itself

2021-02-25 Thread Konrad Windszus (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-5469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Konrad Windszus updated SLING-5469:
---
Fix Version/s: Resource Merger 1.4.0

> Resource Merger: Add some name prefixing mechanism for properties which are 
> used by the resource merger itself
> --
>
> Key: SLING-5469
> URL: https://issues.apache.org/jira/browse/SLING-5469
> Project: Sling
>  Issue Type: Improvement
>  Components: Extensions
>Affects Versions: Resource Merger 1.2.10
>Reporter: Konrad Windszus
>Priority: Major
> Fix For: Resource Merger 1.4.0
>
>
> Currently within the resource merger it is not possible to
> # use the {{jcr:primaryType}} of the underlying resource, while the 
> overlaid/overridden resource has a different {{jcr:primaryType}}.
> That is a problem because for a JCR the primaryType is mandatory for each 
> node. Some node type definitions don't allow arbitrary property names like 
> {{sling:hideResource}}. To be able to use those properties (which are only 
> relevant up to the point where the resource has been merged) you might need to 
> use a more relaxed node type. Still you don't want that relaxed node type to 
> appear as primaryType in the merged resource.
> # use the {{sling:resourceSuperType}} from the underlying resource, while the 
> overridden resource has a different {{sling:resourceSuperType}}. 
> This is kind of an edge case because sling:resourceSuperType would be used for 
> two different things here: 
> ** for getting the underlying resource path for the 
> {{OverridingResourcePicker}}
> ** for the request resolution of the merged resource
> Sometimes the value for each of the cases would be different.
> Therefore I propose a general property name mangling mechanism which allows 
> someone to use a prefix like {{sling-resource-merging_}} for the properties, 
> which are during the resource merging exposed as properties without the 
> prefix. One example for case 1):
> {code}
> /apps/my/resource
> - jcr:primaryType=nt:folder
> - sling:resourceSuperType=apps/my/super/resource
> - sling:hideProperties=customNodeTypePrefix:property1
> - jcr:sling-resource-merging_primaryType=myCustomNodeRestrictedNodeType
> /apps/my/super/resource
> - jcr:primaryType=myCustomNodeRestrictedNodeType
> - customNodeTypePrefix:property1=test
> - customNodeTypePrefix:property2=test
> /mnt/override/apps/my/resource
> - jcrPrimaryType=nt:unstructured (but should be 
> myCustomNodeRestrictedNodeType)
> - customNodeTypePrefix:property2=test
> {code}
> In this example it is impossible to let my merged resource have the nodeType 
> {{myCustomNodeRestrictedNodeType}} (because that simply does not allow the 
> property {{sling:hideProperties}} to be set in {{/apps/my/resource}}).





[GitHub] [sling-org-apache-sling-scripting-core] enapps-enorman commented on a change in pull request #7: SLING-10147 block unauthorized access to SlingBindingsVariablesListJsonServlet

2021-02-25 Thread GitBox


enapps-enorman commented on a change in pull request #7:
URL: 
https://github.com/apache/sling-org-apache-sling-scripting-core/pull/7#discussion_r583103189



##
File path: 
src/main/java/org/apache/sling/scripting/core/impl/SlingBindingsVariablesListJsonServlet.java
##
@@ -91,6 +102,24 @@ protected void activate(ComponentContext context) {
 @Override
 protected void doGet(SlingHttpServletRequest request, 
SlingHttpServletResponse response)
 throws ServletException, IOException {
+if (webconsoleSecurity == null) {
+log("Acccess forbidden as the WebConsoleSecurity reference is not 
set");
+response.sendError(HttpServletResponse.SC_FORBIDDEN);
+return;
+} else if (!(webconsoleSecurity instanceof 
WebConsoleSecurityProvider2)) {
+log("Acccess forbidden as the WebConsoleSecurity reference does 
not implement WebConsoleSecurityProvider2");
+response.sendError(HttpServletResponse.SC_FORBIDDEN);
+return;
+} else if 
(!((WebConsoleSecurityProvider2)webconsoleSecurity).authenticate(request, 
response)) {
+// the request is terminated without any more response sent back 
to the client.
+//The WebConsoleSecurityProvider2 implementation may have sent 
auth challenge to the client
+//in the case of anonymous access.
+if (!response.isCommitted()) {
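
Review bot: the `!response.isCommitted()` guard is applied only in the third branch (the failed `authenticate` call), while the first two branches call `response.sendError(HttpServletResponse.SC_FORBIDDEN)` unguarded; `sendError` throws IllegalStateException once the response is committed, so apply the same check in all three branches, for example through one small helper that each path calls. Both log messages in the first two branches also spell "Access" as "Acccess".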

Review comment:
   I guess I didn't think there was a code path where the response was 
touched before the servlet was called.  But I suppose it is possible that some 
filter has done something before calling the servlet, so I'll change it to do 
the same check for all the cases.









[jira] [Commented] (SLING-5469) Resource Merger: Add some name prefixing mechanism for properties which are used by the resource merger itself

2021-02-25 Thread Konrad Windszus (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-5469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291163#comment-17291163
 ] 

Konrad Windszus commented on SLING-5469:


Let's go for a simple mixin approach here. The new mixin must allow the four 
properties

# sling:hideProperties (String[])
# sling:hideChildren (String[])
# sling:hideResource (Boolean)
# sling:orderBefore (String)

> Resource Merger: Add some name prefixing mechanism for properties which are 
> used by the resource merger itself
> --
>
> Key: SLING-5469
> URL: https://issues.apache.org/jira/browse/SLING-5469
> Project: Sling
>  Issue Type: Improvement
>  Components: Extensions
>Affects Versions: Resource Merger 1.2.10
>Reporter: Konrad Windszus
>Priority: Major
> Fix For: Resource Merger 1.4.0
>
>
> Currently within the resource merger it is not possible to
> # use the {{jcr:primaryType}} of the underlying resource, while the 
> overlaid/overridden resource has a different {{jcr:primaryType}}.
> That is a problem because for a JCR the primaryType is mandatory for each 
> node. Some node type definitions don't allow arbitrary property names like 
> {{sling:hideResource}}. To be able to use those properties (which are only 
> relevant up the point where the resource has been merged) you might need to 
> use a more relaxed node type. Still you don't want that relaxed node type to 
> appear as primaryType in the merged resource.
> # use the {{sling:resourceSuperType}} from the underlying resource, while the 
> overridden resource has a different {{sling:resourceSuperType}}. 
> This is kind of an edge case because sling:resourceSuperType would be used for 
> two different things here: 
> ** for getting the underlying resource path for the 
> {{OverridingResourcePicker}}
> ** for the request resolution of the merged resource
> Sometimes the value for each of the cases would be different.
> Therefore I propose a general property name mangling mechanism which allows 
> someone to use a prefix like {{sling-resource-merging_}} for the properties, 
> which are during the resource merging exposed as properties without the 
> prefix. One example for case 1):
> {code}
> /apps/my/resource
> - jcr:primaryType=nt:folder
> - sling:resourceSuperType=apps/my/super/resource
> - sling:hideProperties=customNodeTypePrefix:property1
> - jcr:sling-resource-merging_primaryTypemyCustomNodeRestrictedNodeType
> /apps/my/super/resource
> - jcr:primaryType=myCustomNodeRestrictedNodeType
> - customNodeTypePrefix:property1=test
> - customNodeTypePrefix:property2=test
> /mnt/override/apps/my/resource
> - jcrPrimaryType=nt:unstructured (but should be 
> myCustomNodeRestrictedNodeType)
> - customNodeTypePrefix:property2=test
> {code}
> In this example it is impossible to let my merged resource have the nodeType 
> {{myCustomNodeRestrictedNodeType}} (because that simply does not allow the 
> property {{sling:hideProperties}} to be set in {{/apps/my/resource}}).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Comment Edited] (SLING-5469) Resource Merger: Add some name prefixing mechanism for properties which are used by the resource merger itself

2021-02-25 Thread Konrad Windszus (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-5469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291163#comment-17291163
 ] 

Konrad Windszus edited comment on SLING-5469 at 2/25/21, 7:23 PM:
--

Let's go for a simple mixin approach here. The new mixin must allow the four 
properties

# sling:hideProperties (String[])
# sling:hideChildren (String[])
# sling:hideResource (Boolean)
# sling:orderBefore (String)


was (Author: kwin):
Let's go for a simple mixin approach here. The new mixin must allow the four 
properties

# sling:hideProperties (String{})
# sling:hideChildren (String[])
# sling:hideResource (Boolean)
# sling:orderBefore (String)



[jira] [Assigned] (SLING-5469) Resource Merger: Add some name prefixing mechanism for properties which are used by the resource merger itself

2021-02-25 Thread Konrad Windszus (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-5469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Konrad Windszus reassigned SLING-5469:
--

Assignee: Konrad Windszus



Re: [VOTE] Release Apache Sling XSS Protection API 2.2.12

2021-02-25 Thread Eric Norman
+1

On Thu, Feb 25, 2021 at 5:04 AM Radu Cotescu  wrote:

> Hi,
>
> We solved 1 issue in this release:
> https://issues.apache.org/jira/browse/SLING/fixforversion/12349722
>
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-2414/
>
> You can use this UNIX script to download the release and verify the
> signatures:
>
> https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD
>
> Usage:
> sh check_staged_release.sh 2414 /tmp/sling-staging
>
> Please vote to approve this release:
>
>   [ ] +1 Approve the release
>   [ ]  0 Don't care
>   [ ] -1 Don't release, because ...
>
> This majority vote is open for at least 72 hours.
>
> Regards,
> Radu Cotescu
>


[GitHub] [sling-org-apache-sling-resourcemerger] kwin opened a new pull request #5: SLING-5469 add mixin for resource merger properties

2021-02-25 Thread GitBox


kwin opened a new pull request #5:
URL: https://github.com/apache/sling-org-apache-sling-resourcemerger/pull/5


   







[jira] [Commented] (SLING-10155) add configuration to include or exclude specific ScriptEngineFactory

2021-02-25 Thread Oliver Lietz (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291177#comment-17291177
 ] 

Oliver Lietz commented on SLING-10155:
--

[~enorman], This configuration makes sense only for platform factories (like 
Nashorn). You would install a scripting engine only when used, no?

How does the configuration distinguish between different versions, e.g. Groovy 
2.x and Groovy 3.x?

> add configuration to include or exclude specific ScriptEngineFactory
> 
>
> Key: SLING-10155
> URL: https://issues.apache.org/jira/browse/SLING-10155
> Project: Sling
>  Issue Type: Bug
>Reporter: Eric Norman
>Assignee: Eric Norman
>Priority: Major
> Fix For: Scripting Core 2.3.6
>
>  Time Spent: 3h
>  Remaining Estimate: 0h
>
> Sometimes it may be useful to exclude a ScriptEngineFactory from being used 
> by the SlingScriptEngineManager
> One such consideration is excluding the nashorn script engine so it can't be 
> used now that it is deprecated.
> You may see messages like this logged to the console when running sling with 
> java 11:
> {code:java}
> Warning: Nashorn engine is planned to be removed from a future JDK 
> release{code}
> Excluding nashorn via configuration would get rid of those log warnings and 
> prevent you from accidentally using it.
> There may be other use cases where a ScriptEngineFactory is available in the 
> runtime but not intended for usage with sling so the solution should not be 
> "nashorn" specific.
>  





[jira] [Commented] (SLING-10147) scripting variables implementation details are exposed to not authorized users

2021-02-25 Thread Eric Norman (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291179#comment-17291179
 ] 

Eric Norman commented on SLING-10147:
-

[~jsedding] Oh, that makes more sense.  Sorry I misunderstood what you were 
suggesting.  Yes, if we could guarantee that there was at least one 
WebConsoleSecurityProvider provided somewhere then that should be sufficient.

> scripting variables implementation details are exposed to not authorized users
> --
>
> Key: SLING-10147
> URL: https://issues.apache.org/jira/browse/SLING-10147
> Project: Sling
>  Issue Type: Bug
>Reporter: Eric Norman
>Assignee: Eric Norman
>Priority: Major
> Fix For: Scripting Core 2.3.6
>
>  Time Spent: 4.5h
>  Remaining Estimate: 0h
>
> The ".SLING_availablebindings.json" selector is registered at 
> /apps/sling/servlet/default and the usage on all resources is not protected 
> by any security checks.  The information returned contains implementation 
> details that a regular user should not need to know and could be considered 
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables" 
> webconsole plugin, I would expect that it should require the same security 
> checking that would be needed to access the webconsole.
>  





Re: [VOTE] Release Apache Sling Engine 2.7.4

2021-02-25 Thread Daniel Klco
+1

On Thu, Feb 25, 2021 at 2:12 PM Stefan Seifert
 wrote:

> +1
>


[jira] [Commented] (SLING-10155) add configuration to include or exclude specific ScriptEngineFactory

2021-02-25 Thread Eric Norman (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291181#comment-17291181
 ] 

Eric Norman commented on SLING-10155:
-

[~olli] I couldn't say with any certainty why someone would install a script 
engine.  Perhaps they need a specific script engine for some other use case 
within the runtime and don't want that script engine exposed for sling 
scripting.  Or sometimes people do other strange stuff that I have no control 
over.

This solution is simply matching against the "short name" list provided by the 
ScriptEngineFactory so if Groovy 2.x and Groovy 3.x contain some unique "short 
name" in their list then a regex could select one or the other.  If they don't 
have something unique then this solution wound not work for that.



[jira] [Comment Edited] (SLING-10155) add configuration to include or exclude specific ScriptEngineFactory

2021-02-25 Thread Eric Norman (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291181#comment-17291181
 ] 

Eric Norman edited comment on SLING-10155 at 2/25/21, 8:12 PM:
---

[~olli] I couldn't say with any certainty why someone would install a script 
engine.  Perhaps they need a specific script engine for some other use case 
within the runtime and don't want that script engine exposed for sling 
scripting.  Or sometimes people do other strange stuff that I have no control 
over.

This solution is simply matching against the "short name" list provided by the 
ScriptEngineFactory so if Groovy 2.x and Groovy 3.x contain some unique "short 
name" in their list then a regex could select one or the other.  If they don't 
have something unique then this solution would not work for that.


was (Author: enorman):
[~olli] I couldn't say with any certainty why someone would install a script 
engine.  Perhaps they need a specific script engine for some other use case 
within the runtime and don't want that script engine exposed for sling 
scripting.  Or sometimes people do other strange stuff that I have no control 
over.

This solution is simply matching against the "short name" list provided by the 
ScriptEngineFactory so if Groovy 2.x and Groovy 3.x contain some unique "short 
name" in their list then a regex could select one or the other.  If they don't 
have something unique then this solution wound not work for that.


[jira] [Comment Edited] (SLING-10155) add configuration to include or exclude specific ScriptEngineFactory

2021-02-25 Thread Eric Norman (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291181#comment-17291181
 ] 

Eric Norman edited comment on SLING-10155 at 2/25/21, 8:24 PM:
---

[~olli] I couldn't say with any certainty why someone would install a script 
engine.  Perhaps they need a specific script engine for some other use case 
within the runtime and don't want that script engine exposed for sling 
scripting.  Or sometimes people do other strange stuff that I have no control 
over.

This solution is simply matching against the "short name" list provided by the 
ScriptEngineFactory so if Groovy 2.x and Groovy 3.x contain some unique "short 
name" in their list then a regex could select one or the other.  If they don't 
have something unique then this solution would not work for that.

 

If you think that there is some real world chance that matching on the short 
names are not sufficient, then I suppose the include/exclude patterns could be 
changed to be a CSV of patterns that matches other fields.  Is there consensus 
to do that extra work?


was (Author: enorman):
[~olli] I couldn't say with any certainty why someone would install a script 
engine.  Perhaps they need a specific script engine for some other use case 
within the runtime and don't want that script engine exposed for sling 
scripting.  Or sometimes people do other strange stuff that I have no control 
over.

This solution is simply matching against the "short name" list provided by the 
ScriptEngineFactory so if Groovy 2.x and Groovy 3.x contain some unique "short 
name" in their list then a regex could select one or the other.  If they don't 
have something unique then this solution would not work for that.


[jira] [Comment Edited] (SLING-10155) add configuration to include or exclude specific ScriptEngineFactory

2021-02-25 Thread Eric Norman (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291181#comment-17291181
 ] 

Eric Norman edited comment on SLING-10155 at 2/25/21, 8:25 PM:
---

[~olli] I couldn't say with any certainty why someone would install a script 
engine.  Perhaps they need a specific script engine for some other use case 
within the runtime and don't want that script engine exposed for sling 
scripting.  Or sometimes people do other strange stuff that I have no control 
over.

This solution is simply matching against the "short name" list provided by the 
ScriptEngineFactory so if Groovy 2.x and Groovy 3.x contain some unique "short 
name" in their list then a regex could select one or the other.  If they don't 
have something unique then this solution would not work for that.

 

If you think that there is some real world chance that matching on the short 
names are not sufficient, then I suppose the include/exclude patterns could be 
changed to be a CSV of patterns that matches other fields.  Is there consensus 
to do that extra work or could that wait until someone asks for it?


was (Author: enorman):
[~olli] I couldn't say with any certainty why someone would install a script 
engine.  Perhaps they need a specific script engine for some other use case 
within the runtime and don't want that script engine exposed for sling 
scripting.  Or sometimes people do other strange stuff that I have no control 
over.

This solution is simply matching against the "short name" list provided by the 
ScriptEngineFactory so if Groovy 2.x and Groovy 3.x contain some unique "short 
name" in their list then a regex could select one or the other.  If they don't 
have something unique then this solution would not work for that.

 

If you think that there is some real world chance that matching on the short 
names are not sufficient, then I suppose the include/exclude patterns could be 
changed to be a CSV of patterns that matches other fields.  Is there consensus 
to do that extra work?



[jira] [Comment Edited] (SLING-10155) add configuration to include or exclude specific ScriptEngineFactory

2021-02-25 Thread Eric Norman (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291181#comment-17291181
 ] 

Eric Norman edited comment on SLING-10155 at 2/25/21, 8:29 PM:
---

[~olli] I couldn't say with any certainty why someone would install a script 
engine.  Perhaps they need a specific script engine for some other use case 
within the runtime and don't want that script engine exposed for sling 
scripting.  Or sometimes people do other strange stuff that I have no control 
over.

This solution is simply matching against the "short name" list provided by the 
ScriptEngineFactory so if Groovy 2.x and Groovy 3.x contain some unique "short 
name" in their list then a regex could select one or the other.  If they don't 
have something unique then this solution would not work for that.

 

If you think that there is some real world chance that matching on the short 
names are not sufficient, then I suppose the include/exclude patterns could be 
changed to be a CSV of patterns that matches other fields.  Is there consensus 
to do that extra work now or could that wait until someone asks for it?


was (Author: enorman):
[~olli] I couldn't say with any certainty why someone would install a script 
engine.  Perhaps they need a specific script engine for some other use case 
within the runtime and don't want that script engine exposed for sling 
scripting.  Or sometimes people do other strange stuff that I have no control 
over.

This solution is simply matching against the "short name" list provided by the 
ScriptEngineFactory so if Groovy 2.x and Groovy 3.x contain some unique "short 
name" in their list then a regex could select one or the other.  If they don't 
have something unique then this solution would not work for that.

 

If you think that there is some real world chance that matching on the short 
names are not sufficient, then I suppose the include/exclude patterns could be 
changed to be a CSV of patterns that matches other fields.  Is there consensus 
to do that extra work or could that wait until someone asks for it?




--
This message was sent by Atlassian Jira
(v8.3.4#803005)
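
The short-name matching discussed in the SLING-10155 comments above, as an added example that is not Sling's own code. The class name, the "exclude wins, empty include list accepts everything" semantics, and the sample name lists are assumptions made for illustration; only `javax.script.ScriptEngineFactory#getNames()` is the real API.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.script.ScriptEngineFactory;
import javax.script.ScriptEngineManager;

/** Hypothetical include/exclude filter over ScriptEngineFactory short names. */
public class ShortNameFilterExample {

    private final List<Pattern> includes;
    private final List<Pattern> excludes;

    ShortNameFilterExample(List<String> includeRegexes, List<String> excludeRegexes) {
        this.includes = compile(includeRegexes);
        this.excludes = compile(excludeRegexes);
    }

    private static List<Pattern> compile(List<String> regexes) {
        return regexes.stream().map(Pattern::compile).collect(Collectors.toList());
    }

    /** True if any short name fully matches any of the patterns. */
    private static boolean anyMatch(List<Pattern> patterns, List<String> names) {
        return names.stream()
                .anyMatch(name -> patterns.stream().anyMatch(p -> p.matcher(name).matches()));
    }

    /**
     * Assumed semantics: a factory is rejected as soon as one of its short names
     * matches an exclude pattern; otherwise it is accepted if the include list is
     * empty or one of its short names matches an include pattern.
     */
    boolean accepts(List<String> shortNames) {
        if (anyMatch(excludes, shortNames)) {
            return false;
        }
        return includes.isEmpty() || anyMatch(includes, shortNames);
    }

    public static void main(String[] args) {
        // Constructed sample data: short-name lists as getNames() might report them.
        Map<String, List<String>> factories = new LinkedHashMap<>();
        factories.put("Nashorn", List.of("nashorn", "Nashorn", "js", "JavaScript", "ecmascript"));
        factories.put("Groovy 2.x", List.of("groovy", "Groovy"));
        factories.put("Groovy 3.x", List.of("groovy", "Groovy"));

        // Case 1: keep Nashorn out of scripting, whatever else is installed.
        ShortNameFilterExample noNashorn =
                new ShortNameFilterExample(List.of(), List.of("(?i)nashorn"));
        System.out.println("exclude (?i)nashorn:");
        factories.forEach((label, names) ->
                System.out.println("  " + label + " " + names + " -> " + noNashorn.accepts(names)));

        // Case 2: try to select a single Groovy version. Both constructed factories
        // report identical short names, so no pattern over short names can tell them
        // apart: the filter accepts both or neither.
        ShortNameFilterExample groovyOnly =
                new ShortNameFilterExample(List.of("(?i)groovy"), List.of());
        System.out.println("include (?i)groovy:");
        factories.forEach((label, names) ->
                System.out.println("  " + label + " " + names + " -> " + groovyOnly.accepts(names)));

        // The same check applied to the factories actually present in this JVM
        // (the list may be empty on JDKs that no longer ship a script engine).
        System.out.println("factories in this runtime, exclude (?i)nashorn:");
        for (ScriptEngineFactory factory : new ScriptEngineManager().getEngineFactories()) {
            System.out.println("  " + factory.getEngineName() + " " + factory.getNames()
                    + " -> " + noNashorn.accepts(factory.getNames()));
        }
    }
}
```

Telling two versions of the same engine apart would need a field that differs between them, such as `getEngineVersion()`, which is the "patterns that match other fields" extension raised in the comment.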


[jira] [Commented] (SLING-10159) Handle framework properties after the feature is processed

2021-02-25 Thread Muzaffar Nurmukhammadov (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291252#comment-17291252
 ] 

Muzaffar Nurmukhammadov commented on SLING-10159:
-

[~cziegeler] Thanks for merging. A question if you do not mind - when can we 
expect the next release. Thank you

> Handle framework properties after the feature is processed
> --
>
> Key: SLING-10159
> URL: https://issues.apache.org/jira/browse/SLING-10159
> Project: Sling
>  Issue Type: Bug
>  Components: Feature Model
>Reporter: Muzaffar Nurmukhammadov
>Assignee: Carsten Ziegeler
>Priority: Major
> Fix For: Feature Model Launcher 1.1.18
>
> Attachments: 108997486-f0659980-769f-11eb-8cd4-db3f84f1b797.png, 
> Capture.PNG
>
>
> [https://github.com/apache/sling-org-apache-sling-feature-launcher/pull/15]
>  
> OSGi properties are being handled before 
> {{_Installation#getFrameworkProperties()_}} is populated by parsing the 
> Feature files using _{{FeatureProcessor#prepareLauncher()}}_.
> E.g. specifying framework properties such as 
> *org.osgi.framework.startlevel.beginning* and *org.osgi.framework.storage* in 
> *feature.json* file has no effect, the default values are used. These 
> properties should be read from the feature
>  
> In the *{{prepare()}}* method *{{installation.getFrameworkProperties()}}* is 
> empty.
> !108997486-f0659980-769f-11eb-8cd4-db3f84f1b797.png|width=424,height=274!
> The duplicate code exists in the *{{run()}}* method, which is correct.





[jira] [Comment Edited] (SLING-10159) Handle framework properties after the feature is processed

2021-02-25 Thread Muzaffar Nurmukhammadov (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291252#comment-17291252
 ] 

Muzaffar Nurmukhammadov edited comment on SLING-10159 at 2/25/21, 10:02 PM:


[~cziegeler] Thanks for merging. A question if you do not mind - when can we 
expect the next release?


was (Author: nmuzaffar):
[~cziegeler] Thanks for merging. A question if you do not mind - when can we 
expect the next release. Thank you



[jira] [Comment Edited] (SLING-10159) Handle framework properties after the feature is processed

2021-02-25 Thread Muzaffar Nurmukhammadov (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291252#comment-17291252
 ] 

Muzaffar Nurmukhammadov edited comment on SLING-10159 at 2/25/21, 10:03 PM:


[~cziegeler] Thank you for merging. A question if you do not mind - when can we 
expect the next release?


was (Author: nmuzaffar):
[~cziegeler] Thanks for merging. A question if you do not mind - when can we 
expect the next release?

> Handle framework properties after the feature is processed
> --
>
> Key: SLING-10159
> URL: https://issues.apache.org/jira/browse/SLING-10159
> Project: Sling
>  Issue Type: Bug
>  Components: Feature Model
>Reporter: Muzaffar Nurmukhammadov
>Assignee: Carsten Ziegeler
>Priority: Major
> Fix For: Feature Model Launcher 1.1.18
>
> Attachments: 108997486-f0659980-769f-11eb-8cd4-db3f84f1b797.png, 
> Capture.PNG
>
>
> [https://github.com/apache/sling-org-apache-sling-feature-launcher/pull/15]
>  
> OSGi properties are being handled before 
> {{_Installation#getFrameworkProperties()_}} is populated by parsing the 
> Feature files using _{{FeatureProcessor#prepareLauncher()}}_.
> E.g. specifying framework properties such as 
> *org.osgi.framework.startlevel.beginning* and *org.osgi.framework.storage* in 
> *feature.json* file has no effect, the default values are used. These 
> properties should be read from the feature
>  
> In the *{{prepare()}}* method *{{installation.getFrameworkProperties()}}* is 
> empty.
> !108997486-f0659980-769f-11eb-8cd4-db3f84f1b797.png|width=424,height=274!
> The duplicate code exists in the *{{run()}}* method, which is correct.





Re: [VOTE] Release Apache Sling XSS Protection API 2.2.12

2021-02-25 Thread Karl Pauls
+1

regards,

Karl

On Thursday, February 25, 2021, Eric Norman  wrote:

> +1
>
> On Thu, Feb 25, 2021 at 5:04 AM Radu Cotescu  wrote:
>
> > Hi,
> >
> > We solved 1 issue in this release:
> > https://issues.apache.org/jira/browse/SLING/fixforversion/12349722
> >
> > Staging repository:
> > https://repository.apache.org/content/repositories/orgapachesling-2414/
> >
> > You can use this UNIX script to download the release and verify the
> > signatures:
> >
> > https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD
> >
> > Usage:
> > sh check_staged_release.sh 2414 /tmp/sling-staging
> >
> > Please vote to approve this release:
> >
> >   [ ] +1 Approve the release
> >   [ ]  0 Don't care
> >   [ ] -1 Don't release, because ...
> >
> > This majority vote is open for at least 72 hours.
> >
> > Regards,
> > Radu Cotescu
> >
>


-- 
Karl Pauls
karlpa...@gmail.com


PAX Help

2021-02-25 Thread Cris Rockwell
Hello it’s me again

I was wondering if someone knowledgeable about PAX testing in Sling could help 
me out with my Sling Whiteboard project (saml-handler) [1] on branch 
SLING-9397/improve-test-coverage

The project uses Java 11, but I think that’s supported and should be fine. The 
pom [2] should be straight according to these docs [3]

The IT test [4] doesn’t do much yet, because I’m trying to validate whether 
it’s working or not.


If I run "mvn clean install", then I expect there to be something under 
target/paxexam according to this
https://github.com/apache/sling-org-apache-sling-testing-paxexam/blob/master/src/main/java/org/apache/sling/testing/paxexam/TestSupport.java

But it's not there
➜  saml-handler git:(SLING-9397/improve-test-coverage) ls target/
classes/
failsafe-reports/
generated-sources/
generated-test-sources/
maven-archiver/
maven-shared-archive-resources/
maven-status/
org.apache.sling.auth.saml2-0.2.0-SNAPSHOT-sources.jar
org.apache.sling.auth.saml2-0.2.0-SNAPSHOT.jar
rat.txt
surefire-reports/
test-classes/


So I don’t think I’m doing this right. But I’m spending several days and 
getting nowhere close to improving test coverage of this bundle. Any help 
getting this setup properly would be muy apreciado!

Regards
Cris 


[1] https://github.com/apache/sling-whiteboard/tree/SLING-9397/improve-test-coverage/saml-handler
[2] https://github.com/apache/sling-whiteboard/blob/SLING-9397/improve-test-coverage/saml-handler/pom.xml
[3] https://sling.apache.org/documentation/development/testing-paxexam.html
[4] https://github.com/apache/sling-whiteboard/blob/SLING-9397/improve-test-coverage/saml-handler/src/test/java/org/apache/sling/auth/saml2/impl/SamlHandlerIT.java


Re: PAX Help

2021-02-25 Thread Eric Norman
Hi,
I think you might be missing the annotation declaring that you want to use
the PaxExam test runner for the test class.

For example, something like this may get you further:

import org.ops4j.pax.exam.junit.PaxExam;
import org.junit.runner.RunWith;

@RunWith(PaxExam.class)




[GitHub] [sling-org-apache-sling-starter] sonarcloud[bot] commented on pull request #18: SLING-10143 - update dependencies to latest release versions

2021-02-25 Thread GitBox


sonarcloud[bot] commented on pull request #18:
URL: 
https://github.com/apache/sling-org-apache-sling-starter/pull/18#issuecomment-786297691


   Kudos, SonarCloud Quality Gate passed!

   [0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-starter&pullRequest=18&resolved=false&types=BUG)
   [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-starter&pullRequest=18&resolved=false&types=VULNERABILITY)
   [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-starter&pullRequest=18&resolved=false&types=SECURITY_HOTSPOT)
   [0 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-starter&pullRequest=18&resolved=false&types=CODE_SMELL)

   No Coverage information
   [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-starter&pullRequest=18&metric=new_duplicated_lines_density&view=list)



This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




[GitHub] [sling-org-apache-sling-starter] sonarcloud[bot] removed a comment on pull request #18: SLING-10143 - update dependencies to latest release versions

2021-02-25 Thread GitBox


sonarcloud[bot] removed a comment on pull request #18:
URL: 
https://github.com/apache/sling-org-apache-sling-starter/pull/18#issuecomment-780562539


   Kudos, SonarCloud Quality Gate passed!

   [0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-starter&pullRequest=18&resolved=false&types=BUG)
   [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-starter&pullRequest=18&resolved=false&types=VULNERABILITY)
   [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-starter&pullRequest=18&resolved=false&types=SECURITY_HOTSPOT)
   [0 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-starter&pullRequest=18&resolved=false&types=CODE_SMELL)

   No Coverage information
   [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-starter&pullRequest=18&metric=new_duplicated_lines_density&view=list)







Re: PAX Help

2021-02-25 Thread Eric Norman
Also, you'll need to add a version of the felix framework as a dependency
with something like this:

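  <dependency>
    <groupId>org.apache.felix</groupId>
    <artifactId>org.apache.felix.framework</artifactId>
    <version>6.0.3</version>
    <scope>test</scope>
  </dependency>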



[jira] [Created] (SLING-10169) Enabling servlet.post.autoCheckout breaks POST requests when one of the ancestor nodes is not accessible

2021-02-25 Thread Sergiu Dumitriu (Jira)
Sergiu Dumitriu created SLING-10169:
---

 Summary: Enabling servlet.post.autoCheckout breaks POST requests 
when one of the ancestor nodes is not accessible
 Key: SLING-10169
 URL: https://issues.apache.org/jira/browse/SLING-10169
 Project: Sling
  Issue Type: Bug
  Components: Servlets
Affects Versions: Servlets Post 2.3.36
Reporter: Sergiu Dumitriu


Example:
- enable servlet.post.autoCheckout
- create a non-admin user
- deny access to / (the root node)
- allow access to /content
- try to post new content
- request fails with 500 Server Error because findVersionableAncestor fails to 
handle the AccessDeniedException thrown when trying to access the parent of 
/content



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
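The failure in the steps above, as an added illustration that is neither the Sling code nor the fix from the pull request: `Node` and `AccessDenied` are constructed stand-ins (not `javax.jcr` types) for a session that may read /content but not /, and the two walks show the access error escaping versus being contained. Treating an unreadable parent as "no versionable ancestor" is an assumption about the intended behaviour.

```java
import java.util.Set;

/**
 * Added illustration, not Sling or javax.jcr code: Node and AccessDenied are
 * constructed stand-ins that mimic a session which may read /content but not /.
 */
public class AncestorWalkDemo {

    /** Stand-in for javax.jcr.AccessDeniedException. */
    static class AccessDenied extends Exception {
        AccessDenied(String path) {
            super("no read access to " + path);
        }
    }

    /** Stand-in for a repository node as seen through one user's session. */
    static class Node {
        final String path;
        final boolean versionable;
        final Node parent;          // null for the root node
        final Set<String> readable; // paths this session is allowed to read

        Node(String path, boolean versionable, Node parent, Set<String> readable) {
            this.path = path;
            this.versionable = versionable;
            this.parent = parent;
            this.readable = readable;
        }

        /** Returns the parent, or throws when the session may not read it. */
        Node getParent() throws AccessDenied {
            if (parent != null && !readable.contains(parent.path)) {
                throw new AccessDenied(parent.path);
            }
            return parent; // simplification: null above the root
        }
    }

    /** Walk that lets the access error escape; the caller sees a failed request. */
    static Node findVersionableAncestorStrict(Node start) throws AccessDenied {
        for (Node n = start; n != null; n = n.getParent()) {
            if (n.versionable) {
                return n;
            }
        }
        return null;
    }

    /**
     * Walk that stops at the edge of what the session can read. Only the
     * access error is caught, and an unreadable ancestor is never inspected,
     * so nothing about it reaches the caller.
     */
    static Node findVersionableAncestorTolerant(Node start) {
        Node n = start;
        while (n != null) {
            if (n.versionable) {
                return n;
            }
            try {
                n = n.getParent();
            } catch (AccessDenied e) {
                return null; // assumption: treat as "no versionable ancestor"
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed permissions matching the report: / denied, /content allowed.
        Set<String> readable = Set.of("/content", "/content/page");
        Node root = new Node("/", false, null, readable);
        Node content = new Node("/content", false, root, readable);
        Node page = new Node("/content/page", false, content, readable);

        try {
            findVersionableAncestorStrict(page);
            System.out.println("strict: no versionable ancestor");
        } catch (AccessDenied e) {
            System.out.println("strict: request would fail, " + e.getMessage());
        }

        Node found = findVersionableAncestorTolerant(page);
        System.out.println("tolerant: "
                + (found == null ? "no versionable ancestor" : found.path));

        // A versionable node below the denied boundary is found by both walks.
        Node vContent = new Node("/content", true, root, readable);
        Node vPage = new Node("/content/page", false, vContent, readable);
        System.out.println("tolerant, versionable /content: "
                + findVersionableAncestorTolerant(vPage).path);
    }
}
```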


[GitHub] [sling-org-apache-sling-servlets-post] sdumitriu opened a new pull request #12: SLING-10169: Enabling servlet.post.autoCheckout breaks POST requests when one of the ancestor nodes is not acce

2021-02-25 Thread GitBox


sdumitriu opened a new pull request #12:
URL: https://github.com/apache/sling-org-apache-sling-servlets-post/pull/12


   Fixed.







[GitHub] [sling-org-apache-sling-servlets-post] sonarcloud[bot] commented on pull request #12: SLING-10169: Enabling servlet.post.autoCheckout breaks POST requests when one of the ancestor nodes is no

2021-02-25 Thread GitBox


sonarcloud[bot] commented on pull request #12:
URL: 
https://github.com/apache/sling-org-apache-sling-servlets-post/pull/12#issuecomment-786364570


   Kudos, SonarCloud Quality Gate passed!

   [0 Bugs](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-servlets-post&pullRequest=12&resolved=false&types=BUG)
   [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-servlets-post&pullRequest=12&resolved=false&types=VULNERABILITY)
   [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache_sling-org-apache-sling-servlets-post&pullRequest=12&resolved=false&types=SECURITY_HOTSPOT)
   [0 Code Smells](https://sonarcloud.io/project/issues?id=apache_sling-org-apache-sling-servlets-post&pullRequest=12&resolved=false&types=CODE_SMELL)

   [0.0% Coverage](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-servlets-post&pullRequest=12&metric=new_coverage&view=list)
   [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache_sling-org-apache-sling-servlets-post&pullRequest=12&metric=new_duplicated_lines_density&view=list)







[jira] [Commented] (SLING-10159) Handle framework properties after the feature is processed

2021-02-25 Thread Carsten Ziegeler (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291415#comment-17291415
 ] 

Carsten Ziegeler commented on SLING-10159:
--

There is no fixed timeline; I suggest asking on the dev list for a release.

> Handle framework properties after the feature is processed
> --
>
> Key: SLING-10159
> URL: https://issues.apache.org/jira/browse/SLING-10159
> Project: Sling
>  Issue Type: Bug
>  Components: Feature Model
>Reporter: Muzaffar Nurmukhammadov
>Assignee: Carsten Ziegeler
>Priority: Major
> Fix For: Feature Model Launcher 1.1.18
>
> Attachments: 108997486-f0659980-769f-11eb-8cd4-db3f84f1b797.png, 
> Capture.PNG
>
>
> [https://github.com/apache/sling-org-apache-sling-feature-launcher/pull/15]
>  
> OSGi properties are being handled before 
> {{_Installation#getFrameworkProperties()_}} is populated by parsing the 
> Feature files using _{{FeatureProcessor#prepareLauncher()}}_.
> E.g. specifying framework properties such as 
> *org.osgi.framework.startlevel.beginning* and *org.osgi.framework.storage* in 
> *feature.json* file has no effect, the default values are used. These 
> properties should be read from the feature
>  
> In the *{{prepare()}}* method *{{installation.getFrameworkProperties()}}* is 
> empty.
> !108997486-f0659980-769f-11eb-8cd4-db3f84f1b797.png|width=424,height=274!
> The duplicate code exists in the *{{run()}}* method, which is correct.





[jira] [Updated] (SLING-8738) Trigger an error during build if an API uses a private reference in its public methods' signatures

2021-02-25 Thread Konrad Windszus (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-8738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Konrad Windszus updated SLING-8738:
---
Fix Version/s: (was: Bundle Parent 41)
   Bundle Parent 42

> Trigger an error during build if an API uses a private reference in its 
> public methods' signatures
> --
>
> Key: SLING-8738
> URL: https://issues.apache.org/jira/browse/SLING-8738
> Project: Sling
>  Issue Type: Improvement
>  Components: General
>Reporter: Radu Cotescu
>Assignee: Radu Cotescu
>Priority: Major
> Fix For: Bundle Parent 42
>
>
> Following the discussion from https://github.com/bndtools/bnd/issues/3444, we 
> should add the provided {{-fixupmessages}} instruction to our bundle parent 
> pom, in order to make sure that APIs that we export cannot reference private 
> references in their public method signatures.
> This is more of a precaution, rather than a fix for a Sling issue.
> Projects using the bundle parent pom can override the bnd instruction 
> locally, if needed.





[jira] [Updated] (SLING-9729) Bundle-Parent: Check if resolvable against latest Sling Starter

2021-02-25 Thread Konrad Windszus (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9729?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Konrad Windszus updated SLING-9729:
---
Fix Version/s: (was: Bundle Parent 41)
   Bundle Parent 42
   Bundle Parent 42

> Bundle-Parent: Check if resolvable against latest Sling Starter
> ---
>
> Key: SLING-9729
> URL: https://issues.apache.org/jira/browse/SLING-9729
> Project: Sling
>  Issue Type: Improvement
>  Components: General
>Affects Versions: Bundle Parent 39
>Reporter: Konrad Windszus
>Priority: Major
> Fix For: Bundle Parent 42
>
>
> With SLING-9491 an OSGi repository index is being generated for Sling 
> Starter. Every bundle should be resolvable against that repository index (to 
> ensure compatibility with the latest Sling Starter).
> To achieve that an approach like in 
> https://github.com/apache/jackrabbit-filevault/blob/0b3c4cb5a99d14e3d0ae881d7864806ed950c622/parent/pom.xml#L177
>  should be used.





[jira] [Updated] (SLING-7534) Release policy - stop providing MD5 and start providing SHA-512 checksums

2021-02-25 Thread Konrad Windszus (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-7534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Konrad Windszus updated SLING-7534:
---
Fix Version/s: (was: Parent 41)
   Parent 42
   Parent 42

> Release policy - stop providing MD5 and start providing SHA-512 checksums
> -
>
> Key: SLING-7534
> URL: https://issues.apache.org/jira/browse/SLING-7534
> Project: Sling
>  Issue Type: Task
>  Components: Tooling
>Reporter: Robert Munteanu
>Assignee: Konrad Windszus
>Priority: Major
> Fix For: Parent 42
>
>  Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> See http://www.apache.org/dev/release-distribution#sigs-and-sums , we SHOULD 
> no longer provide MD5 checksums for new releases.





[jira] [Updated] (SLING-9189) release:perform issues [WARNING] The requested profile "pom.xml" could not be activated because it does not exist.

2021-02-25 Thread Konrad Windszus (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9189?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Konrad Windszus updated SLING-9189:
---
Fix Version/s: (was: Parent 41)
   Parent 42

> release:perform issues [WARNING] The requested profile "pom.xml" could not be 
> activated because it does not exist.
> --
>
> Key: SLING-9189
> URL: https://issues.apache.org/jira/browse/SLING-9189
> Project: Sling
>  Issue Type: Bug
>  Components: General
>Affects Versions: Parent 38
>Reporter: Konrad Windszus
>Priority: Minor
> Fix For: Parent 42
>
>
> During the {{mvn release:perform}} execution the following line in the log 
> can be observed
> {code}
> [INFO] [INFO] 
> 
> [INFO] [INFO] BUILD SUCCESS
> [INFO] [INFO] 
> 
> [INFO] [INFO] Total time:  25.851 s
> [INFO] [INFO] Finished at: 2020-03-09T19:59:04+01:00
> [INFO] [INFO] 
> 
> [INFO] [WARNING] The requested profile "pom.xml" could not be activated 
> because it does not exist.
> [INFO] phase cleanup
> [INFO] Cleaning up after release...
> [INFO] 
> 
> [INFO] BUILD SUCCESS
> {code}





[jira] [Updated] (SLING-10053) Replace Ianal Maven Plugin

2021-02-25 Thread Konrad Windszus (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Konrad Windszus updated SLING-10053:

Fix Version/s: (was: Parent 41)
   Parent 42
   Parent 42

> Replace Ianal Maven Plugin
> --
>
> Key: SLING-10053
> URL: https://issues.apache.org/jira/browse/SLING-10053
> Project: Sling
>  Issue Type: Improvement
>  Components: General
>Reporter: Konrad Windszus
>Priority: Major
> Fix For: Parent 42
>
>
> The ianal-maven-plugin only had a single pre-release in 2008 
> (https://www.mojohaus.org/plugins.html). Since then there were no follow-up 
> releases and the source code has not been migrated to GitHub. 
> Using the plugin leads to warning with Java 11 due to usage of an old version 
> of Groovy.
> Other alternatives should be evaluated. This has been discussed in 
> https://lists.apache.org/thread.html/rd7a164cced307aba249dd2ba30d1e7d95db332658fe8b90c4e7d730b%40%3Cdev.sling.apache.org%3E
>  as well.





[jira] [Updated] (SLING-9463) Document reproducible builds and check automatically via check-staged-release

2021-02-25 Thread Konrad Windszus (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9463?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Konrad Windszus updated SLING-9463:
---
Fix Version/s: (was: Parent 41)
   Parent 42
   Parent 42

> Document reproducible builds and check automatically via check-staged-release
> -
>
> Key: SLING-9463
> URL: https://issues.apache.org/jira/browse/SLING-9463
> Project: Sling
>  Issue Type: Improvement
>  Components: Documentation, General
>Reporter: Konrad Windszus
>Priority: Major
> Fix For: Parent 42
>
>
> With SLING-9307 and SLING-8951 all builds relying on Parent 39 or newer should 
> be reproducible. Still some parts are missing:
>  # buildinfo files should be uploaded along with the artifacts 
> ([https://maven.apache.org/guides/mini/guide-reproducible-builds.html]) which 
> allows to easily reproduce build (as they contain info about linebreaks and 
> major JDK versions).
>  # The check-staged-release.sh should be updated accordingly to optionally 
> try rebuilding and comparing with the given checksums.
>  # 
> [https://sling.apache.org/documentation/development/release-management.html] 
> should be extended with how to properly check a release after a vote.
>  # There should be some documentation covering how end-users could reproduce 
> builds.
>  # On the downloads page ([https://sling.apache.org/downloads.cgi]) there 
> should be a link to the buildinfo files for new/reproducible releases 
> pointing to downloads.apache.org.





[jira] [Updated] (SLING-9611) Enforce setting the "project.build.outputTimestamp" property

2021-02-25 Thread Konrad Windszus (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9611?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Konrad Windszus updated SLING-9611:
---
Fix Version/s: (was: Parent 41)
   Parent 42
   Parent 42

> Enforce setting the "project.build.outputTimestamp" property
> 
>
> Key: SLING-9611
> URL: https://issues.apache.org/jira/browse/SLING-9611
> Project: Sling
>  Issue Type: Improvement
>  Components: General
>Reporter: Konrad Windszus
>Priority: Major
> Fix For: Parent 42
>
>
> The property is required for reproducible builds and should therefore be 
> enforced 
> ([https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-do-i-configure-my-maven-build]).
> Right now it will fallback to the property set on the parent, but this cannot 
> be updated with each release, therefore preferably the property should be set 
> on each reactor pom.xml.





[jira] [Commented] (SLING-10160) Create source-release.zip for pom artifacts

2021-02-25 Thread Konrad Windszus (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10160?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291429#comment-17291429
 ] 

Konrad Windszus commented on SLING-10160:
-

PR: https://github.com/apache/sling-parent/pull/15

> Create source-release.zip for pom artifacts
> ---
>
> Key: SLING-10160
> URL: https://issues.apache.org/jira/browse/SLING-10160
> Project: Sling
>  Issue Type: Improvement
>  Components: General
>Reporter: Konrad Windszus
>Assignee: Konrad Windszus
>Priority: Major
> Fix For: Parent 41, Bundle Parent 41
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> All our parent pom.xml releases should be accompanied by a source-release.zip 
> as well similar to what Maven is providing in 
> https://dist.apache.org/repos/dist/release/maven/pom/.





[jira] [Commented] (SLING-10027) Update JUnit to 4.13.1

2021-02-25 Thread Konrad Windszus (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291433#comment-17291433
 ] 

Konrad Windszus commented on SLING-10027:
-

Updated to JUnit 4.13.2 in 
https://github.com/apache/sling-parent/commit/88484200aa99093e750e329781fa0a98fc5f9292

> Update JUnit to 4.13.1
> --
>
> Key: SLING-10027
> URL: https://issues.apache.org/jira/browse/SLING-10027
> Project: Sling
>  Issue Type: Improvement
>  Components: General
>Affects Versions: Parent 40
>Reporter: Konrad Windszus
>Assignee: Konrad Windszus
>Priority: Major
> Fix For: Parent 41
>
>
> The managed version should be updated from 4.12 to 4.13.1
> [https://github.com/junit-team/junit4/blob/HEAD/doc/ReleaseNotes4.13.md]
> [https://github.com/junit-team/junit4/releases/tag/r4.13.1]
>  





[jira] [Updated] (SLING-10027) Update JUnit to 4.13.1

2021-02-25 Thread Konrad Windszus (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10027?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Konrad Windszus updated SLING-10027:

Description: 
The managed version should be updated from 4.12 to 4.13.2

[https://github.com/junit-team/junit4/blob/HEAD/doc/ReleaseNotes4.13.md]

[https://github.com/junit-team/junit4/releases/tag/r4.13.1]

 

  was:
The managed version should be updated from 4.12 to 4.13.1

[https://github.com/junit-team/junit4/blob/HEAD/doc/ReleaseNotes4.13.md]

[https://github.com/junit-team/junit4/releases/tag/r4.13.1]

 


> Update JUnit to 4.13.1
> --
>
> Key: SLING-10027
> URL: https://issues.apache.org/jira/browse/SLING-10027
> Project: Sling
> Issue Type: Improvement
> Components: General
> Affects Versions: Parent 40
> Reporter: Konrad Windszus
> Assignee: Konrad Windszus
> Priority: Major
> Fix For: Parent 41
>
>
> The managed version should be updated from 4.12 to 4.13.2
> [https://github.com/junit-team/junit4/blob/HEAD/doc/ReleaseNotes4.13.md]
> [https://github.com/junit-team/junit4/releases/tag/r4.13.1]
>  





[jira] [Comment Edited] (SLING-10027) Update JUnit to 4.13.1

2021-02-25 Thread Konrad Windszus (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17255593#comment-17255593
 ] 

Konrad Windszus edited comment on SLING-10027 at 2/26/21, 7:07 AM:
---

Updated to JUnit 4.13.1 in 
https://github.com/apache/sling-parent/commit/96e3aa372ae124d0ab982d9c3fe560766f2d5ede.


was (Author: kwin):
Fixed in 
https://github.com/apache/sling-parent/commit/96e3aa372ae124d0ab982d9c3fe560766f2d5ede.

> Update JUnit to 4.13.1
> --
>
> Key: SLING-10027
> URL: https://issues.apache.org/jira/browse/SLING-10027
> Project: Sling
> Issue Type: Improvement
> Components: General
> Affects Versions: Parent 40
> Reporter: Konrad Windszus
> Assignee: Konrad Windszus
> Priority: Major
> Fix For: Parent 41
>
>
> The managed version should be updated from 4.12 to 4.13.1
> [https://github.com/junit-team/junit4/blob/HEAD/doc/ReleaseNotes4.13.md]
> [https://github.com/junit-team/junit4/releases/tag/r4.13.1]
>  





[jira] [Updated] (SLING-10027) Update JUnit to 4.13.2

2021-02-25 Thread Konrad Windszus (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10027?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Konrad Windszus updated SLING-10027:

Summary: Update JUnit to 4.13.2  (was: Update JUnit to 4.13.1)

> Update JUnit to 4.13.2
> --
>
> Key: SLING-10027
> URL: https://issues.apache.org/jira/browse/SLING-10027
> Project: Sling
> Issue Type: Improvement
> Components: General
> Affects Versions: Parent 40
> Reporter: Konrad Windszus
> Assignee: Konrad Windszus
> Priority: Major
> Fix For: Parent 41
>
>
> The managed version should be updated from 4.12 to 4.13.2
> [https://github.com/junit-team/junit4/blob/HEAD/doc/ReleaseNotes4.13.md]
> [https://github.com/junit-team/junit4/releases/tag/r4.13.1]
>  





[jira] [Created] (SLING-10170) Update animal-sniffer-maven-plugin to 1.20

2021-02-25 Thread Konrad Windszus (Jira)
Konrad Windszus created SLING-10170:
---

Summary: Update animal-sniffer-maven-plugin to 1.20
Key: SLING-10170
URL: https://issues.apache.org/jira/browse/SLING-10170
Project: Sling
Issue Type: Improvement
Components: General
Reporter: Konrad Windszus
Assignee: Konrad Windszus
Fix For: Parent 41


https://github.com/mojohaus/animal-sniffer/releases/tag/animal-sniffer-parent-1.20





[GitHub] [sling-parent] kwin merged pull request #15: SLING-10160 generate source-release.zip for both parent poms

2021-02-25 Thread GitBox


kwin merged pull request #15:
URL: https://github.com/apache/sling-parent/pull/15


   



This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



