[jira] Commented: (SLING-936) The use of the JR UserManager may not scale.

2009-04-22 Thread Ian Boston (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-936?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12701667#action_12701667
 ] 

Ian Boston commented on SLING-936:
--

The current patch has been tested with a bash script and curl and appears to be 
keeping the add user response time linear, although initially the operation 
takes slightly longer. (presumably as a result of populating the parts of the 
tree on each new user)

> The use of the JR UserManager may not scale.
> 
>
> Key: SLING-936
> URL: https://issues.apache.org/jira/browse/SLING-936
> Project: Sling
>  Issue Type: Improvement
>Reporter: Ian Boston
> Attachments: SLING-936.patch
>
>
> By default the CreateUserServlet and CreateGroupServlet create users under 
> the node of the current user, or the base node if no current user (anon). For 
> systems that want to have more than a few 1000 users or groups this will make 
> add and possibly access slow as the parent nodes will become large.
> Patch to follow.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.



[jira] Updated: (SLING-936) The use of the JR UserManager may not scale.

2009-04-22 Thread Ian Boston (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-936?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ian Boston updated SLING-936:
-

Attachment: SLING-936.patch

Very small change to the patch to make the path ab/ef/f3/ rather than a/b/e 

> The use of the JR UserManager may not scale.
> 
>
> Key: SLING-936
> URL: https://issues.apache.org/jira/browse/SLING-936
> Project: Sling
>  Issue Type: Improvement
>Reporter: Ian Boston
> Attachments: SLING-936.patch
>
>
> By default the CreateUserServlet and CreateGroupServlet create users under 
> the node of the current user, or the base node if no current user (anon). For 
> systems that want to have more than a few 1000 users or groups this will make 
> add and possibly access slow as the parent nodes will become large.
> Patch to follow.




[jira] Updated: (SLING-936) The use of the JR UserManager may not scale.

2009-04-22 Thread Ian Boston (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-936?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ian Boston updated SLING-936:
-

Attachment: (was: SLING-936.patch)

> The use of the JR UserManager may not scale.
> 
>
> Key: SLING-936
> URL: https://issues.apache.org/jira/browse/SLING-936
> Project: Sling
>  Issue Type: Improvement
>Reporter: Ian Boston
> Attachments: SLING-936.patch
>
>
> By default the CreateUserServlet and CreateGroupServlet create users under 
> the node of the current user, or the base node if no current user (anon). For 
> systems that want to have more than a few 1000 users or groups this will make 
> add and possibly access slow as the parent nodes will become large.
> Patch to follow.




multiple Servlets registered for resourceTypes sling/servlet/default

2009-04-22 Thread Mike Müller
Hi

If you register an own Servlet which should be used as default servlet you can 
register it with

sling.servlet.resourceTypes=sling/servlet/default
sling.servlet.methods=GET
(if it should work only for GET requests)

If I upload a bundle with such a Servlet (call it MyServlet) in Sling 
everything seems to be fine, the GET requests are dispatched by the MyServlet. 
But after a restart of Sling it's random luck which Servlet (the 
DefaultGetServlet or the MyServlet) will dispatch the request. Shouldn't there 
be a way to mark a Servlet as the one with higher priority? There is the 
getWeightedResources method on the ResourceCollector, but this doesn't help, 
because neither Servlet has more "weight". In my case I would like to install a 
Servlet which implements the OptingServlet and gets all requests first to 
decide if the DefaultGetServlet should handle the request or if it should be 
handled by the MyServlet itself.

best regards
mike


[jira] Updated: (SLING-937) Coding Conventions

2009-04-22 Thread Felix Meschberger (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Felix Meschberger updated SLING-937:


Attachment: sling-eclipse-codestyle.xml

The Codestyle setup for Eclipse, which I currently use (no tabs, indentation is 
4)

> Coding Conventions
> --
>
> Key: SLING-937
> URL: https://issues.apache.org/jira/browse/SLING-937
> Project: Sling
>  Issue Type: RTC
>  Components: General
>Reporter: Felix Meschberger
> Attachments: sling-eclipse-codestyle.xml
>
>
> Based on the discussion "Code Style" [1] we should come up with a coding 
> style.
> For reference (from the mailing list): Apache Shindig has a number of 
> definitions and helpers
>   * Issue https://issues.apache.org/jira/browse/SHINDIG-76
>   * Eclipse Configuration files: 
> http://svn.apache.org/repos/asf/incubator/shindig/trunk/etc/eclipse/
>   * Checkstyle config: 
> http://svn.apache.org/repos/asf/incubator/shindig/trunk/etc/checkstyle/checkstyle.xml
>   * Style Description: http://cwiki.apache.org/SHINDIGxSITE/java-style.html
> [1] http://www.mail-archive.com/sling-dev@incubator.apache.org/msg09649.html




Re: Code Style

2009-04-22 Thread Felix Meschberger
Hi Ian,

Thanks for providing this. This is very much appreciated.

It is probably about time to start thinking and fighting about such a
thing as a coding convention ...

Ian Boston wrote:
> For what it is worth, and I won't say I agree with all of it, but that's ok.
> 
> The shindig eclipse files are here
> http://svn.apache.org/repos/asf/incubator/shindig/trunk/etc/eclipse/
> but you probably won't want the import order as it reverses to allow
> overrides.
> 
> and there is a checkstyle config
> http://svn.apache.org/repos/asf/incubator/shindig/trunk/etc/checkstyle/checkstyle.xml
> 
> which is almost right.
> 
> There is a description of the thought process
> http://cwiki.apache.org/SHINDIGxSITE/java-style.html (mentions 4 and 2
> space indents)
> 
> 
> YM -will- V
> Ian
> 
> I hope I haven't opened up pandora's box :)

It may well be, but in the end, sooner or later this box would have been
opened upon us anyway ;-) So no worry.

To track this I created SLING-937 [1]. Feel free to add to this...

Regards
Felix

[1] https://issues.apache.org/jira/browse/SLING-937

> 
> On 22 Apr 2009, at 17:48, Felix Meschberger wrote:
> 
>> Hi Ian,
>>
>> Ian Boston wrote:
>>> Is there a code style guide for sling, or better still an eclipse config
>>> and import order.
>>> It looks like standard java style but I am not sure about the space
>>> policy.
>>
>> Interesting topic which is as important as it is controversial.
>>
>> As Bertrand, I am basically using the default Eclipse Setup. What I
>> think is very important is the no-tab policy (I think we are pretty much
>> in agreement nowadays, that tabs are bad ;-) )
>>
>> Another thing is the formatting of comments and the line length. The
>> default in Eclipse is something like 80. In Apache Felix we have
>> something like 120.
>>
>> Sometimes I have the impression, that 120 would be better than 80 for
>> editing etc. But then I am hooked on my own personal vt100 legacy
>> thinking ;-)
>>
>> Regards
>> Felix
> 
> 


[jira] Created: (SLING-937) Coding Conventions

2009-04-22 Thread Felix Meschberger (JIRA)
Coding Conventions
--

 Key: SLING-937
 URL: https://issues.apache.org/jira/browse/SLING-937
 Project: Sling
  Issue Type: RTC
  Components: General
Reporter: Felix Meschberger


Based on the discussion "Code Style" [1] we should come up with a coding style.

For reference (from the mailing list): Apache Shindig has a number of 
definitions and helpers

  * Issue https://issues.apache.org/jira/browse/SHINDIG-76
  * Eclipse Configuration files: 
http://svn.apache.org/repos/asf/incubator/shindig/trunk/etc/eclipse/
  * Checkstyle config: 
http://svn.apache.org/repos/asf/incubator/shindig/trunk/etc/checkstyle/checkstyle.xml
  * Style Description: http://cwiki.apache.org/SHINDIGxSITE/java-style.html

[1] http://www.mail-archive.com/sling-dev@incubator.apache.org/msg09649.html




AW: AW: Easy way to get path of sling.home

2009-04-22 Thread Mike Müller
> Have you looked at the filesystem resource provider ? This provides
> access to the OS filesystem through the Sling
> ResourceResolver. Carsten
> also wrote an interesting blog about this [1]
>
> Regards
> Felix
>
> [1] http://www.osoco.org/blog/?p=69

Thank you Felix, very interesting feature.

best regards
mike


Re: Code Style

2009-04-22 Thread Ian Boston
For what it is worth, and I won't say I agree with all of it, but that's
ok.

The shindig eclipse files are here 
http://svn.apache.org/repos/asf/incubator/shindig/trunk/etc/eclipse/
but you probably won't want the import order as it reverses to allow
overrides.


and there is a checkstyle config
http://svn.apache.org/repos/asf/incubator/shindig/trunk/etc/checkstyle/checkstyle.xml
which is almost right.

There is a description of the thought process
http://cwiki.apache.org/SHINDIGxSITE/java-style.html (mentions 4 and 2  
space indents)



YM -will- V
Ian

I hope I haven't opened up pandora's box :)

On 22 Apr 2009, at 17:48, Felix Meschberger wrote:


> Hi Ian,
>
> Ian Boston wrote:
>> Is there a code style guide for sling, or better still an eclipse config
>> and import order.
>> It looks like standard java style but I am not sure about the space policy.
>
> Interesting topic which is as important as it is controversial.
>
> As Bertrand, I am basically using the default Eclipse Setup. What I
> think is very important is the no-tab policy (I think we are pretty much
> in agreement nowadays, that tabs are bad ;-) )
>
> Another thing is the formatting of comments and the line length. The
> default in Eclipse is something like 80. In Apache Felix we have
> something like 120.
>
> Sometimes I have the impression, that 120 would be better than 80 for
> editing etc. But then I am hooked on my own personal vt100 legacy
> thinking ;-)
>
> Regards
> Felix




Re: AW: Easy way to get path of sling.home

2009-04-22 Thread Felix Meschberger
Hi Mike,

Mike Müller wrote:
> Hi Alex
> 
>> On Wed, Apr 22, 2009 at 5:25 PM, Mike Müller wrote:
>>> Is there an easy way to get the absolute path to the
>>> sling.home directory in a bundle or servlet?
>>> (sling launched as standalone app, not in a servlet container)
>> Sorry if I cannot answer your question, but why do you want to access
>> the filesystem if you have a JCR? :-)
> 
> Good question: What I am trying to do is integrating a bridge (bundle) for
> existing applications to run in Sling. These legacy apps use the file system.
> I do not want to change all that legacy stuff to use the JCR instead of the
> file system.

Have you looked at the filesystem resource provider ? This provides
access to the OS filesystem through the Sling ResourceResolver. Carsten
also wrote an interesting blog about this [1]

Regards
Felix

[1] http://www.osoco.org/blog/?p=69

> 
> best regards
> mike
> 



Re: Easy way to get path of sling.home

2009-04-22 Thread Felix Meschberger
Hi,

Mike Müller wrote:
> Hi
> 
> Is there an easy way to get the absolute path to the sling.home directory in 
> a bundle or servlet?
> (sling launched as standalone app, not in a servlet container)

The sling.home is available as an absolute path as a framework property
through the BundleContext.getProperty method:

String home = bundleContext.getProperty("sling.home");


Regards
Felix

> 
> best regards
> mike
> 



Re: Code Style

2009-04-22 Thread Felix Meschberger
Hi,

Bertrand Delacretaz wrote:
> On Wed, Apr 22, 2009 at 5:49 PM, Ian Boston  wrote:
>> Is there a code style guide for sling, or better still an eclipse config and
>> import order.
>> It looks like standard java style but I am not sure about the space policy...
> 
> I'm not sure if we're sure either ;-)
> 
> I use two spaces and no tabs for indents, and for the rest all the
> default Eclipse settings.

two spaces ? Isn't the default 4 (which is also what Sun is recommending
IIRC). Anyway, I use 4 and most of the code seems to also be 4.

Regards
Felix

> 
> -Bertrand
> 


Re: Code Style

2009-04-22 Thread Felix Meschberger
Hi Ian,

Ian Boston wrote:
> Is there a code style guide for sling, or better still an eclipse config
> and import order.
> It looks like standard java style but I am not sure about the space policy.

Interesting topic which is as important as it is controversial.

As Bertrand, I am basically using the default Eclipse Setup. What I
think is very important is the no-tab policy (I think we are pretty much
in agreement nowadays, that tabs are bad ;-) )

Another thing is the formatting of comments and the line length. The
default in Eclipse is something like 80. In Apache Felix we have
something like 120.

Sometimes I have the impression, that 120 would be better than 80 for
editing etc. But then I am hooked on my own personal vt100 legacy
thinking ;-)

Regards
Felix


[jira] Updated: (SLING-936) The use of the JR UserManager may not scale.

2009-04-22 Thread Ian Boston (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-936?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ian Boston updated SLING-936:
-

Attachment: SLING-936.patch

This patch adds a 3 level tree based on a sha1 of the user name and a bit of 
JVM instance entropy (the ms time the Servlet was created)

I still need to do some more testing, but it builds and I think addresses the 
issue.

> The use of the JR UserManager may not scale.
> 
>
> Key: SLING-936
> URL: https://issues.apache.org/jira/browse/SLING-936
> Project: Sling
>  Issue Type: Improvement
>Reporter: Ian Boston
> Attachments: SLING-936.patch
>
>
> By default the CreateUserServlet and CreateGroupServlet create users under 
> the node of the current user, or the base node if no current user (anon). For 
> systems that want to have more than a few 1000 users or groups this will make 
> add and possibly access slow as the parent nodes will become large.
> Patch to follow.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
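
The sharding scheme this update describes (a three-level tree keyed on a SHA-1 of the user name, two hex characters per level as in ab/ef/f3), sketched as an added example; it is not the code in SLING-936.patch. The class and method names, the way the salt is mixed into the hash and the sample user names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Added example (not SLING-936.patch): hash-sharded parent path for user nodes. */
public class HashedUserPath {

    private static final char[] HEX = "0123456789abcdef".toCharArray();
    private static final int LEVELS = 3; // three levels, two hex characters each

    /**
     * Returns a relative path such as "ab/ef/f3" built from the first LEVELS
     * bytes of SHA-1(salt + ":" + name). The thread does not show how the patch
     * mixes its entropy into the hash; the salt prefix used here is an assumption.
     */
    static String shardPath(String name, long salt) {
        byte[] digest;
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            digest = sha1.digest((salt + ":" + name).getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            // SHA-1 is one of the algorithms every Java platform must provide
            throw new IllegalStateException(e);
        }
        StringBuilder path = new StringBuilder(LEVELS * 3);
        for (int i = 0; i < LEVELS; i++) {
            if (i > 0) {
                path.append('/');
            }
            path.append(HEX[(digest[i] >> 4) & 0x0f]).append(HEX[digest[i] & 0x0f]);
        }
        return path.toString();
    }

    /** Largest number of direct children under any single parent in the sharded tree. */
    static int maxFanOut(int users, long salt) {
        Map<String, Set<String>> children = new HashMap<>(); // parent path -> child names
        for (int i = 0; i < users; i++) {
            String name = "user" + i; // constructed sample user names
            String parent = "";
            for (String segment : (shardPath(name, salt) + "/" + name).split("/")) {
                children.computeIfAbsent(parent, k -> new HashSet<>()).add(segment);
                parent = parent + "/" + segment;
            }
        }
        int max = 0;
        for (Set<String> names : children.values()) {
            max = Math.max(max, names.size());
        }
        return max;
    }

    public static void main(String[] args) {
        long salt = System.currentTimeMillis(); // stands in for the servlet creation time
        int users = 10000;
        System.out.println("sample path: " + shardPath("ieb", salt) + "/ieb");
        System.out.println("flat layout, children under the single parent: " + users);
        System.out.println("sharded layout, largest child count of any parent: "
                + maxFanOut(users, salt));
    }
}
```

In this sketch the salt changes with every run, so a user's path cannot be recomputed from the name later; lookups have to go through a search, as the UserManager.getAuthorizable call described elsewhere on this page does.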



Security in Sling

2009-04-22 Thread Rory Douglas


Bertrand Delacretaz wrote:

> 2) Prevent legitimate scripts from messing up with the system

A variant of 2) just showed up in the "Accessing JCR" thread.  Looks 
like anyone that can upload a script can do the following:



<%
   SlingRepository repo = sling.getService(SlingRepository.class);
   Session superSession = repo.loginAdministrative(null);
   // and then do anything, like
   superSession.getRootNode().remove();
%>

Regards,
Rory


Re: Code Style

2009-04-22 Thread Ian Boston
In Shindig we created a code style, although it's made patching easier,  
it did generate discussion.
It was basically java standard, with some mods, eg 2 spaces rather  
than tabs, no trailing spaces on lines and a bunch of other things.
I can share these if you like (they are in the Shindig svn), but I am  
happy either way. I don't really want to start producing patches that  
are a pain to apply because of trivial formatting differences.

Ian

On 22 Apr 2009, at 16:55, Bertrand Delacretaz wrote:


> On Wed, Apr 22, 2009 at 5:49 PM, Ian Boston  wrote:
>> Is there a code style guide for sling, or better still an eclipse config and
>> import order.
>> It looks like standard java style but I am not sure about the space policy...
>
> I'm not sure if we're sure either ;-)
>
> I use two spaces and no tabs for indents, and for the rest all the
> default Eclipse settings.
>
> -Bertrand




AW: Easy way to get path of sling.home

2009-04-22 Thread Mike Müller
Hi Alex

> On Wed, Apr 22, 2009 at 5:25 PM, Mike Müller wrote:
> > Is there an easy way to get the absolute path to the
> > sling.home directory in a bundle or servlet?
> > (sling launched as standalone app, not in a servlet container)
>
> Sorry if I cannot answer your question, but why do you want to access
> the filesystem if you have a JCR? :-)

Good question: What I am trying to do is integrating a bridge (bundle) for
existing applications to run in Sling. These legacy apps use the file system.
I do not want to change all that legacy stuff to use the JCR instead of the
file system.

best regards
mike


[jira] Created: (SLING-936) The use of the JR UserManager may not scale.

2009-04-22 Thread Ian Boston (JIRA)
The use of the JR UserManager may not scale.


 Key: SLING-936
 URL: https://issues.apache.org/jira/browse/SLING-936
 Project: Sling
  Issue Type: Improvement
Reporter: Ian Boston


By default the CreateUserServlet and CreateGroupServlet create users under the 
node of the current user, or the base node if no current user (anon). For 
systems that want to have more than a few 1000 users or groups this will make add 
and possibly access slow as the parent nodes will become large.

Patch to follow.




Re: Code Style

2009-04-22 Thread Bertrand Delacretaz
On Wed, Apr 22, 2009 at 5:49 PM, Ian Boston  wrote:
> Is there a code style guide for sling, or better still an eclipse config and
> import order.
> It looks like standard java style but I am not sure about the space policy...

I'm not sure if we're sure either ;-)

I use two spaces and no tabs for indents, and for the rest all the
default Eclipse settings.

-Bertrand


Re: Easy way to get path of sling.home

2009-04-22 Thread Alexander Klimetschek
On Wed, Apr 22, 2009 at 5:25 PM, Mike Müller  wrote:
> Is there an easy way to get the absolute path to the sling.home directory in 
> a bundle or servlet?
> (sling launched as standalone app, not in a servlet container)

Sorry if I cannot answer your question, but why do you want to access
the filesystem if you have a JCR? :-)

Regards,
Alex

-- 
Alexander Klimetschek
alexander.klimetsc...@day.com


Code Style

2009-04-22 Thread Ian Boston
Is there a code style guide for sling, or better still an eclipse  
config and import order.
It looks like standard java style but I am not sure about the space  
policy.

Ian


Easy way to get path of sling.home

2009-04-22 Thread Mike Müller
Hi

Is there an easy way to get the absolute path to the sling.home directory in a 
bundle or servlet?
(sling launched as standalone app, not in a servlet container)

best regards
mike


Re: Accessing JCR

2009-04-22 Thread Bertrand Delacretaz
Hi Carl,

On Wed, Apr 22, 2009 at 4:26 PM, Carl Hall  wrote:
> I've searched through docs but have yet to discover this though I'm
> probably just overlooking something.  What's the suggested way to
> access data in a jcr repository when not coming from a user related
> request (ie. when in an event listener)?  Also, how do I get hold of
> the observation manager to register my listener?

In addition to Alex's explanations, you might want to have a look at
the espblog sample [1], where the ThumbnailGeneratorServiceImpl uses a
JCR listener to detect added images, generates thumbnails and stores
those in the repository.

-Bertrand

[1]  http://svn.apache.org/repos/asf/incubator/sling/trunk/samples/espblog


Re: UserManager

2009-04-22 Thread Ian Boston

To answer my own question, for anyone else who travels the same route.

This makes no difference since the url the UI sees is an  
AuthorizableResource produced by the AuthorizableResourceProvider  
which is mapped onto the root path of /system/userManager/


so that
/system/userManager/user/ieb

 is converted to an AuthorizableResource by the  
UserManager.getAuthorizable("ieb"), which searches the subtree in the  
repo for the user ieb.


So regardless of how ieb has been stored, the url will always resolve  
to the location of the user in the /rep:system/rep:authorizables/ 
rep:users subtree.


Starting to understand more.
Ian

On 21 Apr 2009, at 20:21, Ian Boston wrote:

> Does this have impact elsewhere ? Like adding members to groups or
> is there an assumption that the UI will discover users and/or work
> from a list of found users ?




Re: Accessing JCR

2009-04-22 Thread Alexander Klimetschek
On Wed, Apr 22, 2009 at 4:26 PM, Carl Hall  wrote:
> I've searched through docs but have yet to discover this though I'm
> probably just overlooking something.  What's the suggested way to
> access data in a jcr repository when not coming from a user related
> request (ie. when in an event listener)?  Also, how do I get hold of
> the observation manager to register my listener?

The o.a.s.jcr.api.SlingRepository interface [1] can be used for that
(it is simply an extension of the Repository interface). It is
directly available as OSGi service. With scr and annotations through
the maven scr plugin, this typically looks like this:

/** @scr.reference */
private SlingRepository repository;

To use it, simply work with standard JCR API calls:

Session session = repository.login(new SimpleCredentials("user", "password"));

or for handy admin-sessions (password is globally configured in the
SlingRepository service config):

Session adminSession = repository.loginAdministrative(null);

[1] 
https://svn.apache.org/repos/asf/incubator/sling/trunk/bundles/jcr/api/src/main/java/org/apache/sling/jcr/api/SlingRepository.java


Regards,
Alex

-- 
Alexander Klimetschek
alexander.klimetsc...@day.com


Accessing JCR

2009-04-22 Thread Carl Hall
I've searched through docs but have yet to discover this though I'm
probably just overlooking something.  What's the suggested way to
access data in a jcr repository when not coming from a user related
request (ie. when in an event listener)?  Also, how do I get hold of
the observation manager to register my listener?


Re: Security in Sling

2009-04-22 Thread Bertrand Delacretaz
On Wed, Apr 22, 2009 at 2:44 PM, Jukka Zitting  wrote:
> Hi,
>
> On Wed, Apr 22, 2009 at 2:22 PM, Tobias Bocanegra  wrote:
>> System.exit() bears IMO no real risk, since it can be prevented by
>> java security.
>
> I'd like to see the relevant java security settings. With all the OSGi
> stuff, JCR bundle loading, and script compiling in place I think
> coming up with a correct security policy is a major undertaking.
>
> Do we want to go down that path, or use alternative means like the
> proposed script resolution restrictions?...

Those are different concerns:

1) Prevent users from uploading and executing arbitrary scripts

2) Prevent legitimate scripts from messing up with the system

So we probably need both approaches.
-Bertrand


Re: Security in Sling

2009-04-22 Thread Felix Meschberger
Hi,

Jukka Zitting wrote:
> Hi,
> 
> On Wed, Apr 22, 2009 at 2:22 PM, Tobias Bocanegra  wrote:
>> System.exit() bears IMO no real risk, since it can be prevented by
>> java security.
> 
> I'd like to see the relevant java security settings. With all the OSGi
> stuff, JCR bundle loading, and script compiling in place I think
> coming up with a correct security policy is a major undertaking.
> 
> Do we want to go down that path, or use alternative means like the
> proposed script resolution restrictions?

The result is different: with Java security, we do not prevent anyone
from injecting scripts in the "wrong" location. With the path
alternative we do not prevent anyone from calling System.exit(0).

So, it depends on what you want ;-)

I think, the first thing might be better to be approached first. Though
I would prefer the "execution permission" approach over the path based
approach, I think the path based approach is probably easier to implement.

Regards
Felix



[jira] Closed: (SLING-934) AbstractSlingRepository.java unbindLog() sets method scoped log to null

2009-04-22 Thread Stuart Freeman (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Stuart Freeman closed SLING-934.



> AbstractSlingRepository.java unbindLog() sets method scoped log to null
> ---
>
> Key: SLING-934
> URL: https://issues.apache.org/jira/browse/SLING-934
> Project: Sling
>  Issue Type: Bug
>  Components: JCR
>Reporter: Stuart Freeman
>Assignee: Felix Meschberger
> Fix For: JCR Base 2.0.4
>
>
> bundles/jcr/base/src/main/java/org/apache/sling/jcr/base/AbstractSlingRepository.java
>  contains the following snippet:
>   protected void unbindLog(LogService log) {
>       if (this.log == log) {
>           log = null;
>       }
>   }
> That sets the method scoped log to null, not the instance scoped this.log.  I 
> believe it should look like:
>   protected void unbindLog(LogService log) {
>       if (this.log == log) {
>           this.log = null;
>       }
>   }




Re: Security in Sling

2009-04-22 Thread Jukka Zitting
Hi,

On Wed, Apr 22, 2009 at 2:22 PM, Tobias Bocanegra  wrote:
> System.exit() bears IMO no real risk, since it can be prevented by
> java security.

I'd like to see the relevant java security settings. With all the OSGi
stuff, JCR bundle loading, and script compiling in place I think
coming up with a correct security policy is a major undertaking.

Do we want to go down that path, or use alternative means like the
proposed script resolution restrictions?

BR,

Jukka Zitting


Re: Security in Sling

2009-04-22 Thread Tobias Bocanegra
On Wed, Apr 22, 2009 at 12:41 PM, Felix Meschberger  wrote:
> Hi,
>
> Jukka Zitting wrote:
>> Hi,
>>
>> I was thinking about the implications of giving a user write access to
>> a subtree of the repository. With that access the user could now
>> upload a new script and create a node that invokes that script when
>> rendered.
>>
>> What if the script contains something like System.exit(1)? Or
>> something even more malicious?
>>
>> Do we have mechanisms for preventing attack scenarios like that?
>
> No, unless Java platform security (SecurityManager) is enabled, in which
> case the "exitVM" PlatformPersmission would be required to call
> System.exit() and likewise for other actions.

System.exit() bears IMO no real risk, since it can be prevented by
java security. scripts that heavily consume resources and/or eat CPU
in endless loops are more dangerous and much harder to detect and
prevent.

regards, toby


Re: Security in Sling

2009-04-22 Thread Bertrand Delacretaz
On Wed, Apr 22, 2009 at 1:42 PM, Felix Meschberger  wrote:
> Hi,
>
> Carsten Ziegeler wrote:
>> ...scripts are
>> only picked
>> up from configured paths (libs and apps by default). So as long as the
>> user is not allowed to write in these locations, everything should be fine.
>
> Well, there is a chance here, of course: Consider the node is created as
> /content/bad with resource type "/content/malicious" and the script as
> /content/malicious/html.esp...

> Then the request to /content/bad.html would in fact call the script.

That's what I meant.

> ...Of course, restricting scripts to live inside any of the
> ResourceResolver.getSearchPath() or defining an execution permission
> would help resolve this issue. I personally would prefer the execution
> permission approach (though it may fall short of scripting languages
> calling into the resource resolver (or the repository directly) to load
> included scripts )...

Restricting scripts to ResourceResolver.getSearchPath() locations
sounds much easier and less risky, at least until we have a concept of
execution permissions. There's no real reason to have scripts anywhere
else than under those search paths.

-Bertrand


Re: Security in Sling

2009-04-22 Thread Felix Meschberger
Hi,

Carsten Ziegeler wrote:
> Bertrand Delacretaz wrote:
>> Hi Jukka,
>>
>> On Wed, Apr 22, 2009 at 12:25 PM, Jukka Zitting  
>> wrote:
>>> ...I was thinking about the implications of giving a user write access to
>>> a subtree of the repository. With that access the user could now
>>> upload a new script and create a node that invokes that script when
>>> rendered
>> Requiring scripts to be stored under /libs or /apps, as a first step
>> until we have something better, could help here, as website users are
>> not supposed to be able to write to these locations.
>>
> I'm not sure if I understand the whole discussion here. But scripts are
> only picked
> up from configured paths (libs and apps by default). So as long as the
> user is not allowed to write in these locations, everything should be fine.

Well, there is a chance here, of course: Consider the node is created as
/content/bad with resource type "/content/malicious" and the script as
/content/malicious/html.esp.

Then the request to /content/bad.html would in fact call the script.

This is kind of the security downside of the full flexibility and
openness we have 

Of course, restricting scripts to live inside any of the
ResourceResolver.getSearchPath() or defining an execution permission
would help resolve this issue. I personally would prefer the execution
permission approach (though it may fall short of scripting languages
calling into the resource resolver (or the repository directly) to load
included scripts )

But it would not prevent a properly authorized user from writing and
using malicious script in /apps/sling/servlet/default/html.esp.

Regards
Felix
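
The search-path restriction discussed in this thread, as an added example that is not Sling code: a check that a script path, once normalized, lies under one of the configured search path roots. The class and method names and the sample paths are assumptions; the roots are passed in as the String[] that ResourceResolver.getSearchPath() returns.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/** Added example (not Sling code): allow script execution only below the search path. */
public class SearchPathGuard {

    /**
     * Collapses empty, "." and ".." segments of an absolute path.
     * Returns null for a relative path or one that climbs above the root.
     */
    static String normalize(String path) {
        if (path == null || !path.startsWith("/")) {
            return null;
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                if (segments.isEmpty()) {
                    return null; // would escape the repository root
                }
                segments.removeLast();
            } else {
                segments.addLast(segment);
            }
        }
        return "/" + String.join("/", segments);
    }

    /** True only if the normalized script path is strictly below one of the roots. */
    static boolean isUnderSearchPath(String scriptPath, String[] searchPath) {
        String script = normalize(scriptPath);
        if (script == null) {
            return false;
        }
        for (String root : searchPath) {
            String normalizedRoot = normalize(root);
            if (normalizedRoot == null || normalizedRoot.equals("/")) {
                continue; // a root of "/" would allow every path, so it is ignored
            }
            // Compare with a trailing slash so "/appsx/..." does not match "/apps"
            if (script.startsWith(normalizedRoot + "/")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String[] searchPath = {"/apps/", "/libs/"}; // the default roots named in the thread
        String[] candidates = {                     // constructed sample script paths
            "/apps/sling/servlet/default/html.esp",
            "/libs/foo/html.esp",
            "/content/malicious/html.esp",          // the case described in the message above
            "/apps/../content/malicious/html.esp",  // traversal back out of /apps
            "/appsx/evil/html.esp",                 // shares a prefix with /apps only
            "content/relative/html.esp"             // not absolute
        };
        for (String candidate : candidates) {
            System.out.printf("%-40s allowed=%b%n", candidate,
                    isUnderSearchPath(candidate, searchPath));
        }
    }
}
```

As the message above notes, this does not stop a user who is authorized to write under /apps from placing a malicious script there.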



Re: Security in Sling

2009-04-22 Thread Carsten Ziegeler
Bertrand Delacretaz wrote:
> Hi Jukka,
> 
> On Wed, Apr 22, 2009 at 12:25 PM, Jukka Zitting  
> wrote:
>> ...I was thinking about the implications of giving a user write access to
>> a subtree of the repository. With that access the user could now
>> upload a new script and create a node that invokes that script when
>> rendered
> 
> Requiring scripts to be stored under /libs or /apps, as a first step
> until we have something better, could help here, as website users are
> not supposed to be able to write to these locations.
> 
I'm not sure if I understand the whole discussion here. But scripts are
only picked
up from configured paths (libs and apps by default). So as long as the
user is not allowed to write in these locations, everything should be fine.

Carsten
-- 
Carsten Ziegeler
cziege...@apache.org


Re: Security in Sling

2009-04-22 Thread Bertrand Delacretaz
Hi Jukka,

On Wed, Apr 22, 2009 at 12:25 PM, Jukka Zitting  wrote:
> ...I was thinking about the implications of giving a user write access to
> a subtree of the repository. With that access the user could now
> upload a new script and create a node that invokes that script when
> rendered

Requiring scripts to be stored under /libs or /apps, as a first step
until we have something better, could help here, as website users are
not supposed to be able to write to these locations.

-Bertrand


Re: Security in Sling

2009-04-22 Thread Ian Boston

Felix,

That sounds like it would address the issue of accepting scripts from  
trusted sources but would not make the scripts safe as per your  
original post.


On System.exit itself
I can't remember if the runtime shutdown handler can veto System.exit,  
although the damage will already be done.


enabling java security feels (to me at least) like potentially hard  
work, especially with all the OSGi classloaders in play.


Ian

On 22 Apr 2009, at 12:00, Felix Meschberger wrote:


> Hi,
>
> Ian Boston wrote:
>> This is an interesting one for us, since all users will have write
>> access to the repository.
>> Is there an 'execute' permission in sling, or perhaps even an equivalent
>> to the no execute mount option in posix. I see some extensions to the
>> DefaultAccessControlManager looming.
>
> No, there is no such thing. Neither on the repository level nor on the
> Sling level.
>
> In fact such an exception can also not be enforced by the repository,
> since it has no notion of "execution". I think, though, the storing such
> a permission would probably be possible and the scripting handlers we
> have would have to ensure the permissions, which is not currently done.
>
> Regards
> Felix
>
>> Ian
>>
>> On 22 Apr 2009, at 11:25, Jukka Zitting wrote:
>>
>>> Hi,
>>>
>>> I was thinking about the implications of giving a user write access to
>>> a subtree of the repository. With that access the user could now
>>> upload a new script and create a node that invokes that script when
>>> rendered.
>>>
>>> What if the script contains something like System.exit(1)? Or
>>> something even more malicious?
>>>
>>> Do we have mechanisms for preventing attack scenarios like that?
>>>
>>> BR,
>>>
>>> Jukka Zitting







[jira] Closed: (SLING-911) ResourceProvider registration issues: better info on duplicate, prevent loss on registration

2009-04-22 Thread Felix Meschberger (JIRA)

 [ 
https://issues.apache.org/jira/browse/SLING-911?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Felix Meschberger closed SLING-911.
---


Tests seem to indicate this issue is really fixed. So closing this issue now.

> ResourceProvider registration issues: better info on duplicate, prevent loss 
> on registration
> 
>
> Key: SLING-911
> URL: https://issues.apache.org/jira/browse/SLING-911
> Project: Sling
>  Issue Type: Bug
>  Components: JCR Resource
>Affects Versions: JCR Resource 2.0.4
>Reporter: Felix Meschberger
>Assignee: Felix Meschberger
> Fix For: JCR Resource 2.0.4
>
>
> The resource provider registration and unregistration has some issues 
> currently:
> * Multi-threading: ResourceProvider may be registered and/or unregistered at 
> any time. Currently the handling of this registration or unregistration is 
> not done in a thread safe way. Therefore it may happen that some 
> registrations are lost or that some unregistrations are actually lost and do 
> not take place.
> * If a resource provider is registered for a path for which a registered 
> provider already exists, there is currently no information on the existing 
> resource provider.
> This bug is about fixing these issues by synchronizing on provider 
> registration and unregistration and by providing a hint to the resource 
> provider in the log message on duplicate registrations.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.



Re: Security in Sling

2009-04-22 Thread Felix Meschberger
Hi,

Ian Boston wrote:
> This is an interesting one for us, since all users will have write
> access to the repository.
> Is there an 'execute' permission in sling, or perhaps even an equivalent
> to the no execute mount option in posix. I see some extensions to the
> DefaultAccessControlManager looming.

No, there is no such thing. Neither on the repository level nor on the
Sling level.

In fact such an exception can also not be enforced by the repository,
since it has no notion of "execution". I think, though, storing such
a permission would probably be possible and the scripting handlers we
have would have to ensure the permissions, which is not currently done.

Regards
Felix

> Ian
> 
> On 22 Apr 2009, at 11:25, Jukka Zitting wrote:
> 
>> Hi,
>>
>> I was thinking about the implications of giving a user write access to
>> a subtree of the repository. With that access the user could now
>> upload a new script and create a node that invokes that script when
>> rendered.
>>
>> What if the script contains something like System.exit(1)? Or
>> something even more malicious?
>>
>> Do we have mechanisms for preventing attack scenarios like that?
>>
>> BR,
>>
>> Jukka Zitting
> 
> 


Re: Security in Sling

2009-04-22 Thread Felix Meschberger
Hi,

Torgeir Veimo wrote:
> The servlet container usually has default security policies defined, which
> can easily be changed. E.g. for Tomcat, look at conf/catalina.policy.
> Am not sure what facilities OSGi containers provide in this area though?

OSGi containers basically also depend on standard Java security, for
example many operations in the framework and compendium services are
defined to fail with a SecurityException if some Permission is not granted.

By default (in Sling), Java security is turned off.

Be warned, though, Java Security is a thorny road ;-)

Regards
Felix

> 
> 2009/4/22 Jukka Zitting 
> 
>> Hi,
>>
>> I was thinking about the implications of giving a user write access to
>> a subtree of the repository. With that access the user could now
>> upload a new script and create a node that invokes that script when
>> rendered.
>>
>> What if the script contains something like System.exit(1)? Or
>> something even more malicious?
>>
>> Do we have mechanisms for preventing attack scenarios like that?
>>
>> BR,
>>
>> Jukka Zitting
>>
> 
> 
> 


Re: Security in Sling

2009-04-22 Thread Jukka Zitting
Hi,

On Wed, Apr 22, 2009 at 12:40 PM, Torgeir Veimo  wrote:
> The servlet container usually has default security policies defined, which
> can easily be changed. E.g. for Tomcat, look at conf/catalina.policy.

What would such a policy file look like, i.e. what codeBase should be
used and what permissions granted?

Also, I'm not sure how easy it would be to apply the Java security
policies to things like ESP scripts.

BR,

Jukka Zitting


Re: Security in Sling

2009-04-22 Thread Ian Boston
This is an interesting one for us, since all users will have write  
access to the repository.
Is there an 'execute' permission in sling, or perhaps even an  
equivalent to the no execute mount option in posix. I see some  
extensions to the DefaultAccessControlManager looming.

Ian

On 22 Apr 2009, at 11:25, Jukka Zitting wrote:


> Hi,
>
> I was thinking about the implications of giving a user write access to
> a subtree of the repository. With that access the user could now
> upload a new script and create a node that invokes that script when
> rendered.
>
> What if the script contains something like System.exit(1)? Or
> something even more malicious?
>
> Do we have mechanisms for preventing attack scenarios like that?
>
> BR,
>
> Jukka Zitting




Re: Security in Sling

2009-04-22 Thread Felix Meschberger
Hi,

Jukka Zitting wrote:
> Hi,
> 
> I was thinking about the implications of giving a user write access to
> a subtree of the repository. With that access the user could now
> upload a new script and create a node that invokes that script when
> rendered.
> 
> What if the script contains something like System.exit(1)? Or
> something even more malicious?
> 
> Do we have mechanisms for preventing attack scenarios like that?

No, unless Java platform security (SecurityManager) is enabled, in which
case the "exitVM" PlatformPermission would be required to call
System.exit() and likewise for other actions.

Regards
Felix


Re: Security in Sling

2009-04-22 Thread Torgeir Veimo
The servlet container usually has default security policies defined, which
can easily be changed. E.g. for Tomcat, look at conf/catalina.policy.
Am not sure what facilities OSGi containers provide in this area though?

2009/4/22 Jukka Zitting 

> Hi,
>
> I was thinking about the implications of giving a user write access to
> a subtree of the repository. With that access the user could now
> upload a new script and create a node that invokes that script when
> rendered.
>
> What if the script contains something like System.exit(1)? Or
> something even more malicious?
>
> Do we have mechanisms for preventing attack scenarios like that?
>
> BR,
>
> Jukka Zitting
>



-- 
-Tor


Security in Sling

2009-04-22 Thread Jukka Zitting
Hi,

I was thinking about the implications of giving a user write access to
a subtree of the repository. With that access the user could now
upload a new script and create a node that invokes that script when
rendered.

What if the script contains something like System.exit(1)? Or
something even more malicious?

Do we have mechanisms for preventing attack scenarios like that?

BR,

Jukka Zitting


Re: Refining the authentication process

2009-04-22 Thread Felix Meschberger
Hi Juanjo,

Juan José Vázquez Delgado wrote:
> Hi Felix,
> 
>> I propose to create a new service interface Authenticator, which is
>> implemented by the existing SlingAuthenticator class (both in the
>> o.a.sling.engine bundle). This interface has a requestAuthentication
>> method, which may be used to initiate authentication from within
>> servlets or scripts and have the requestAuthentication method of the
>> appropriate handler be called for the current request.
>>
>> In addition, the sling:authRequestLogin parameter supported by the HTTP
>> Basic authentication handler should actually be handled by the
>> SlingAuthenticator. This enables any client to initiate authentication
>> by just specifying this parameter and have the SlingAuthenticator call
>> the requestAuthentication method of the appropriate handler for the
>> request.
> 
> I agree with your proposal and understand and share the reasons.
> 
> +1

Thanks.

> 
> On the other hand, and I hope this is not off-topic, I still see it as
> a little bit contradictory that Sling allows having different
> authentication handlers but, on the other hand, they are all tied to
> the JCR specification (javax.jcr.Credentials type for instance). I
> understand this draft [1] is in line with this point, really?

It is not really off-topic. Point is that this proposal is not targeted
at this end of the line. Yet, I agree, that we have another issue in the
AuthenticationInfo class, which is tied into JCR style login.

I think we will solve this issue when we tackle the
ResourceResolverFactory implementation [2].

Regards
Felix

[2]
http://cwiki.apache.org/SLING/add-resourceresolverfactory-service-interface.html

> 
> BR,
> 
> Juanjo.
> 
> [1] 
> http://cwiki.apache.org/SLING/add-resourceresolverfactory-service-interface.html
> 



Re: Refining the authentication process

2009-04-22 Thread Juan José Vázquez Delgado
Hi Felix,

> I propose to create a new service interface Authenticator, which is
> implemented by the existing SlingAuthenticator class (both in the
> o.a.sling.engine bundle). This interface has a requestAuthentication
> method, which may be used to initiate authentication from within
> servlets or scripts and have the requestAuthentication method of the
> appropriate handler be called for the current request.
>
> In addition, the sling:authRequestLogin parameter supported by the HTTP
> Basic authentication handler should actually be handled by the
> SlingAuthenticator. This enables any client to initiate authentication
> by just specifying this parameter and have the SlingAuthenticator call
> the requestAuthentication method of the appropriate handler for the
> request.

I agree with your proposal and understand and share the reasons.

+1

On the other hand, and I hope this is not off-topic, I still see it as
a little bit contradictory that Sling allows having different
authentication handlers but, on the other hand, they are all tied to
the JCR specification (javax.jcr.Credentials type for instance). I
understand this draft [1] is in line with this point, really?

BR,

Juanjo.

[1] 
http://cwiki.apache.org/SLING/add-resourceresolverfactory-service-interface.html


Refining the authentication process

2009-04-22 Thread Felix Meschberger
Hi all,

Currently the authentication process is kind of broken and should be
fixed. See the concept page "Authentication Initiation" [1].

In essence the problem is that authentication can only be initiated by
visiting special authentication pages explicitly or by being redirected.
Servlets and scripts (e.g. a 404/NOT FOUND error handler) cannot easily
initiate authentication without knowing the URL to the login page.

I propose to create a new service interface Authenticator, which is
implemented by the existing SlingAuthenticator class (both in the
o.a.sling.engine bundle). This interface has a requestAuthentication
method, which may be used to initiate authentication from within
servlets or scripts and have the requestAuthentication method of the
appropriate handler be called for the current request.

In addition, the sling:authRequestLogin parameter supported by the HTTP
Basic authentication handler should actually be handled by the
SlingAuthenticator. This enables any client to initiate authentication
by just specifying this parameter and have the SlingAuthenticator call
the requestAuthentication method of the appropriate handler for the
request.

This makes the whole authentication initiation process much more
transparent and allows for better alignment of login forms to the
authentication handlers they are intended to work with.

WDYT ?

Regards
Felix

[1] http://cwiki.apache.org/SLING/authentication-initiation.html


PS: Sorry, if this comes in as duplicate, but I suspect the first mail
got eaten somewhere in space...


Re: Script resolved when creating a new resource

2009-04-22 Thread Felix Meschberger
Hi Daniel,

Daniel, de la Cuesta Navarrete wrote:
> Thank you,
> 
> Sorry for my late response, but I have a new idea.
> 
> My problem is that I want to return a service ticket in the POST response
> when a new resource is created. This service ticket can appear in a response
> header or in the response body.
> 
> I agree with you, and I don't want to stop the node creation with my
> custom POST script.
> 
> Can I set up a filter that adds a new header to the HTTP response and get
> this header in the final response to the client?

Yes, you can register a javax.servlet.Filter service which acts upon the
request. Or you might want to explore the SlingPostProcessor (though
this does not allow you to set a response header).

But in the SlingPostProcessor you can add a Modification to the list of
Modifications, which is then added as an entry in changelog of the response.

Hope this helps.

Regards
Felix

> 
> Any ideas?
> 
> Thank you.
> 
> 2009/4/3 Felix Meschberger 
> 
>> Hi Daniel,
>>
>> Posting to a resource with a trailing /* yields a StarResource of
>> default resource type "sling:syntheticStarResource". If you post to a
>> non-existing resource with a trailing slash / (which is recommended
>> here), a NonExistingResource with resource type "sling:nonexisting" is
>> assumed.
>>
>> So the scripts would be looked up in
>> /apps/sling/syntheticStarResource in the first case or
>> /apps/sling/nonexisting in the second case.
>>
>> If you configure the path based resource type provider correctly (for
>> example to have requests to /content/blog/* to have a star resource of
>> type foo/bar) you may have your POST script in /apps/foo/bar.
>>
>> But unless you want to do something special to your newly created page,
>> I would suggest to not provide your own POST script and have the default
>> script handle the node creation.
>>
>> Hope this helps.
>>
>> Regards
>> Felix
>>
>>
>>
>> Daniel, de la Cuesta Navarrete wrote:
>>> Hi,
>>>
>>> How can I overwrite the HTTP response when I create a new resource?
>>>
>>> I mean,
>>>
>>> I have created a new resource with sling:resourceType=foo/bar.
>>> I have a POST.esp script in apps/foo/bar
>>>
>>> If I create a new resource the POST.esp is not resolved. It is only
>>> resolved when I edit the resource
>>>
>>> What script is resolved when I create a new resource?
>>>
>>> For example when I do:
>>> curl -F"sling:resourceType=foo/bar" -F"title=Fuente 1" -F"file="
>>> -F"mimetype=" http://admin:ad...@localhost:/content/blog/*
>>>
>>> Thank you.
>>>
> 


Re: Script resolved when creating a new resource

2009-04-22 Thread Daniel, de la Cuesta Navarrete
Thank you,

Sorry for my late response, but I have a new idea.

My problem is that I want to return a service ticket in the POST response
when a new resource is created. This service ticket can appear in a response
header or in the response body.

I agree with you, and I don't want to stop the node creation with my
custom POST script.

Can I set up a filter that adds a new header to the HTTP response and get
this header in the final response to the client?

Any ideas?

Thank you.

2009/4/3 Felix Meschberger 

> Hi Daniel,
>
> Posting to a resource with a trailing /* yields a StarResource of
> default resource type "sling:syntheticStarResource". If you post to a
> non-existing resource with a trailing slash / (which is recommended
> here), a NonExistingResource with resource type "sling:nonexisting" is
> assumed.
>
> So the scripts would be looked up in
> /apps/sling/syntheticStarResource in the first case or
> /apps/sling/nonexisting in the second case.
>
> If you configure the path based resource type provider correctly (for
> example to have requests to /content/blog/* to have a star resource of
> type foo/bar) you may have your POST script in /apps/foo/bar.
>
> But unless you want to do something special to your newly created page,
> I would suggest to not provide your own POST script and have the default
> script handle the node creation.
>
> Hope this helps.
>
> Regards
> Felix
>
>
>
> Daniel, de la Cuesta Navarrete wrote:
> > Hi,
> >
> > How can I overwrite the HTTP response when I create a new resource?
> >
> > I mean,
> >
> > I have created a new resource with sling:resourceType=foo/bar.
> > I have a POST.esp script in apps/foo/bar
> >
> > If I create a new resource the POST.esp is not resolved. It is only
> > resolved when I edit the resource
> >
> > What script is resolved when I create a new resource?
> >
> > For example when I do:
> > curl -F"sling:resourceType=foo/bar" -F"title=Fuente 1" -F"file="
> > -F"mimetype=" http://admin:ad...@localhost:/content/blog/*
> >
> > Thank you.
> >
>