[jira] Created: (SLING-991) JcrResourceResolver2.map does not handle resource paths with fragments and queries correctly
JcrResourceResolver2.map does not handle resource paths with fragments and queries correctly

Key: SLING-991
URL: https://issues.apache.org/jira/browse/SLING-991
Project: Sling
Issue Type: Bug
Components: JCR Resource
Affects Versions: JCR Resource 2.0.4
Reporter: Felix Meschberger
Assignee: Felix Meschberger
Fix For: JCR Resource 2.0.6

The JcrResourceResolver2.map(HttpServletRequest, String) method does not handle any fragments and queries in the resource path correctly, when mapping from the internal path to the external URL.

The intent of the map method is to take any string, which is prepared to act as a link URL, and to map the resource path to a valid URL, which may be resolved by the resolve method. Any selectors, extension and suffix are correctly cut off the path to get the raw resource path to map. But fragments and queries are not handled correctly.

Consider the following examples based on an existing resource /content/home:

/content/home --> use as is, nothing to cut off
/content/home.html --> cut off extension before mapping
/content/home.sel.html --> cut off selector and extension before mapping
/content/home.html/some/suffix --> cut off extension and suffix before mapping
/content/home.html#sec1?a:b=1 --> cut off extension, fragment and query before mapping

The last part is not being done currently, which is a problem and might lead to wrong mapping results, particularly if the query contains colons, which would result in wrong namespace mangling.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
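As an added example, not code from Sling or from this issue, the following stand-alone Java class reproduces the ordering problem described above: it cuts the path at dots from the right until a known resource is found (a stand-in for resolveInternal), applies a simplified stand-in for Sling's namespace mangling, and contrasts mapping with and without stripping the query and fragment first. It assumes a constructed repository of two paths and an identity mapping of the resource path; the fixed variant cuts at the earliest of '?' and '#', so the "#sec1?a:b=1" ordering in the examples is handled as well.

```java
import java.util.Set;
import java.util.function.Predicate;
import java.util.regex.Pattern;

/**
 * Added example, not Sling's own code. It reproduces the ordering problem
 * reported in SLING-991 with a stand-in resolver: if the query and fragment
 * are cut off only after resolution, their colons reach namespace mangling.
 */
public class MapPathExample {

    // Simplified stand-in for Sling's namespace mangling: "/jcr:content" -> "/_jcr_content".
    private static final Pattern NS_IN_PATH = Pattern.compile("/([^:/]+):");

    // Constructed repository (assumption): only these two resources exist.
    private static final Set<String> EXISTING =
            Set.of("/content/home", "/content/home/jcr:content");

    /** Raw resource path plus the selectors/extension/suffix cut off behind it. */
    static final class Resolution {
        final String resourcePath;
        final String pathInfo;

        Resolution(String resourcePath, String pathInfo) {
            this.resourcePath = resourcePath;
            this.pathInfo = pathInfo;
        }
    }

    static String mangleNamespaces(String path) {
        return NS_IN_PATH.matcher(path).replaceAll("/_$1_");
    }

    /**
     * Stand-in for resolveInternal: try the whole path, then cut at the last
     * dot and retry until an existing resource is found; the rest is path info.
     */
    static Resolution resolve(String path, Predicate<String> exists) {
        int lastPos = path.length();
        while (lastPos > 0) {
            String candidate = path.substring(0, lastPos);
            if (exists.test(candidate)) {
                return new Resolution(candidate, path.substring(lastPos));
            }
            lastPos = path.lastIndexOf('.', lastPos - 1);
        }
        return new Resolution(path, "");
    }

    /** Reported behaviour: query and fragment go through resolution and mangling. */
    static String mapBefore(String link) {
        Resolution r = resolve(link, EXISTING::contains);
        // The real resolver maps resourcePath through its map entries; identity here.
        return mangleNamespaces(r.resourcePath + r.pathInfo);
    }

    /** Intended behaviour: cut query and fragment first, map, re-append them unchanged. */
    static String mapAfter(String link) {
        int cut = link.length();
        for (char c : new char[] {'?', '#'}) {
            int pos = link.indexOf(c);
            if (pos >= 0 && pos < cut) {
                cut = pos;                       // earliest of '?' and '#'
            }
        }
        String tail = link.substring(cut);       // e.g. "#sec1?a:b=1", kept verbatim
        Resolution r = resolve(link.substring(0, cut), EXISTING::contains);
        return mangleNamespaces(r.resourcePath + r.pathInfo) + tail;
    }

    public static void main(String[] args) {
        String[] links = {
            "/content/home",
            "/content/home.html",
            "/content/home.sel.html",
            "/content/home.html/some/suffix",
            "/content/home.html#sec1?a:b=1",
            "/content/home/jcr:content.json",
        };
        for (String link : links) {
            System.out.printf("%-34s before: %-36s after: %s%n",
                    link, mapBefore(link), mapAfter(link));
        }
    }
}
```

The last two inputs show the two sides of the issue: the query colon in the fifth link is wrongly mangled in the "before" column, while the legitimate jcr:content segment in the sixth link is mangled in both.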
Re: Clarification for ResourceResolver#map
Hi,

Carsten Ziegeler schrieb:
> Felix Meschberger wrote:
>> Hi Carsten
>>
>> Carsten Ziegeler schrieb:
>>> how is the ResourceResolver#map method supposed to work or more precisely
>>> what input is expected. The javadoc mentions a resource path as input
>>> parameter.
>>> What is supposed to happen if the path contains a query string or an anchor?
>> The query string is cut off IIRC before applying the mapping and
>> appended again at the end.
> Great, I didn't find this in the code. Can you give me a pointer please? :)

It's in the JcrResourceResolver2.map(HttpServletRequest, String) method where the resource is resolved from the resource path calling resolveInternal (line 277). This yields the raw path (the path of the resource) and the part of the path not belonging to the resource. It seems that here, we should cut off the query and/or anchor *before* calling the resolveInternal method.

Regards
Felix

>
> Regards
> Carsten
>
>> The anchor is not currently handled, which
>> might be considered a bug to be fixed.
>>
>> Actually the resource path may also contain appended selectors and
>> extensions, which are also cut off at the beginning and reappended at
>> the end.
>>
>> Regards
>> Felix
>>
>>
>
>
[jira] Commented: (SLING-990) Prototype for a Sling Explorer implementation based on GWT
[ https://issues.apache.org/jira/browse/SLING-990?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12715822#action_12715822 ]

Felix Meschberger commented on SLING-990:
-

I did not run the code, I just looked at the contents of the package. This looks very interesting but misses a few things:

* We need the LICENSE and NOTICE file (and the DISCLAIMER, but this we can add on SVN commit)

* What is the license (and source) of the images and CSS files included ? These might have to be attributed in the NOTICE file and *not* be (L)GPL-ed. Also a LICENSE file would be required for them unless they are ASL licensed.

In tree-node.json.esp you do :

    if (childNode == null) {
        name += child.path;
    } else {
        name += childNode.name;
        //name = child.path;
    }

To get the label of the resource. You might use ResourceUtil.getName(resource) here, which does the same and does not rely on the resource being a node.

children.json.esp seems to be JCR-based: How about using the Sling Resource abstractions here : listing children using ResourceResolver.listChildren and getting the properties with Resource.adaptTo(ValueMap.class) ?

> Prototype for a Sling Explorer implementation based on GWT
> --
>
> Key: SLING-990
> URL: https://issues.apache.org/jira/browse/SLING-990
> Project: Sling
> Issue Type: New Feature
> Components: Extensions
> Reporter: Christophe Lombart
> Attachments: Sling Explorer.zip
>
>
> Following the Sling Explorer proposal [1], I have started an implementation
> with the SwartGwt UI framework [2] (based on GWT and under LGPL licence).
> Not sure but I think that LGPL is compatible with the Apache project.
> Until now, it is just a prototype. Can you review the code and see if this
> Gwt application is well integrated with Sling ?
> [1] http://cwiki.apache.org/SLING/sling-based-jcr-explorer.html
> [2] http://code.google.com/p/smartgwt/

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
Re: Clarification for ResourceResolver#map
Felix Meschberger wrote:
> Hi Carsten
>
> Carsten Ziegeler schrieb:
>> how is the ResourceResolver#map method supposed to work or more precisely
>> what input is expected. The javadoc mentions a resource path as input
>> parameter.
>> What is supposed to happen if the path contains a query string or an anchor?
>
> The query string is cut off IIRC before applying the mapping and
> appended again at the end.

Great, I didn't find this in the code. Can you give me a pointer please? :)

Regards
Carsten

> The anchor is not currently handled, which
> might be considered a bug to be fixed.
>
> Actually the resource path may also contain appended selectors and
> extensions, which are also cut off at the beginning and reappended at
> the end.
>
> Regards
> Felix
>
>

--
Carsten Ziegeler
cziege...@apache.org
Re: [jira] Commented: (SLING-990) Prototype for a Sling Explorer implementation based on GWT
Hi all,

Felix Meschberger (JIRA) schrieb:
>> Not sure but I think that LGPL is compatible with the Apache project.
>
> Unfortunately not. Apache projects are not allowed to distribute artifacts
> including artifacts licensed under any GPL or LGPL license.

I think, this primarily means we are not allowed to distribute the final bundle build as a JAR file containing the (L)GPL licensed stuff. IIRC we are allowed to have the source in the SVN repo provided it only contains properly licensed files and we probably should make sure that anyone using this is aware of using (L)GPL licensed when building and running.

Maybe Jukka may add to this ?

Regards
Felix

>
>> Prototype for a Sling Explorer implementation based on GWT
>> --
>>
>> Key: SLING-990
>> URL: https://issues.apache.org/jira/browse/SLING-990
>> Project: Sling
>> Issue Type: New Feature
>> Components: Extensions
>> Reporter: Christophe Lombart
>> Attachments: Sling Explorer.zip
>>
>>
>> Following the Sling Explorer proposal [1], I have started an implementation
>> with the SwartGwt UI framework [2] (based on GWT and under LGPL licence).
>> Not sure but I think that LGPL is compatible with the Apache project.
>> Until now, it is just a prototype. Can you review the code and see if this
>> Gwt application is well integrated with Sling ?
>> [1] http://cwiki.apache.org/SLING/sling-based-jcr-explorer.html
>> [2] http://code.google.com/p/smartgwt/
>
[jira] Commented: (SLING-990) Prototype for a Sling Explorer implementation based on GWT
[ https://issues.apache.org/jira/browse/SLING-990?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12715811#action_12715811 ]

Felix Meschberger commented on SLING-990:
-

> Not sure but I think that LGPL is compatible with the Apache project.

Unfortunately not. Apache projects are not allowed to distribute artifacts including artifacts licensed under any GPL or LGPL license.

> Prototype for a Sling Explorer implementation based on GWT
> --
>
> Key: SLING-990
> URL: https://issues.apache.org/jira/browse/SLING-990
> Project: Sling
> Issue Type: New Feature
> Components: Extensions
> Reporter: Christophe Lombart
> Attachments: Sling Explorer.zip
>
>
> Following the Sling Explorer proposal [1], I have started an implementation
> with the SwartGwt UI framework [2] (based on GWT and under LGPL licence).
> Not sure but I think that LGPL is compatible with the Apache project.
> Until now, it is just a prototype. Can you review the code and see if this
> Gwt application is well integrated with Sling ?
> [1] http://cwiki.apache.org/SLING/sling-based-jcr-explorer.html
> [2] http://code.google.com/p/smartgwt/

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
Re: Binding to a resource Type
Hi Ian,

Ian Boston schrieb:
> Should a servlet (with sling.servlet.resourceTypes value="x") bind to
> JCR nodes where a parent node has a resourceType of x, or will it only
> bind to JCR nodes where the node itself has the resourceType x ?

I do not exactly understand what you mean by "bind to JCR nodes" ? Registered servlets are not "bound to JCR nodes" but are added to the resource tree at predefined locations. For example a servlet registered with

    sling.servlet.resourceTypes = "x"
    sling.servlet.extensions = "html"

is added to the resource tree (by default) at

    /apps/x/html.servlet

This node (a leaf actually) in the resource tree is not backed by a JCR item and is only accessible through the resource resolver and only exists as long as the Servlet Resolver is active and the servlet is registered.

Hope this helps.

Regards
Felix
Re: Clarification for ResourceResolver#map
Hi Carsten

Carsten Ziegeler schrieb:
> how is the ResourceResolver#map method supposed to work or more precisely
> what input is expected. The javadoc mentions a resource path as input
> parameter.
> What is supposed to happen if the path contains a query string or an anchor?

The query string is cut off IIRC before applying the mapping and appended again at the end. The anchor is not currently handled, which might be considered a bug to be fixed.

Actually the resource path may also contain appended selectors and extensions, which are also cut off at the beginning and reappended at the end.

Regards
Felix
Re: JcrResoruceResolver2, by design ?
Hi Ian,

I could imagine two approaches to your problem:

(1) Register a resource provider for the root node of your "hashed" tree. When asked for a resource, it will apply the mapping function to find the actual resource.

(2) Employ the dynamic URL Rewriting patch you proposed in SLING-986: You attach that rewriter such that it resolves and maps as required.

The advantage of the second approach is, that you have a "free" two-way mapping for resolving URLs (incoming) and mapping resource paths to URLs (outgoing).

The disadvantage of both approaches is, that it is actually configuration and a simple resource creation à-la

    curl -F"sling:resourceType:sakai/store" http://localhost:8080/bigstore

might not be enough and you would have some additional functionality (a listener maybe) to set this up on demand.

Regards
Felix

Ian Boston schrieb:
>
> On 2 Jun 2009, at 16:09, Paul Noden wrote:
>
>> Hi Ian,
>>
>> 2009/6/2 Ian Boston
>>
>>> AFAICT its impossible to virtualize paths (URI wrt JCR path) using this
>>> approach in the JCR.
>>>
>>> Unfortunately for me, its a use case I can't ignore as we have lots of
>>> situations where a non listable could contain millions of items.
>>> Back to square one.
>>>
>>>
> The current design and intention is, that for any one (root) path there
> may only be one resource provider registered. So for example, for a
> (root) path "/some/path", there may only one. Of course there may be
> another one at "/some" or at "/some/path/below".
>
> I want to be able to bind a special Resource to a node with a corresponding
> resourceType (created by the application) anywhere in the content system,
> so that all the standard Sling processing can access that Resource.
>
> For example:
> I want to be able to create a node anywhere in the content system, and
> under that node have a hashed store that is managed as if the entire node
> space was flattened.
>
> eg
> the URL
> /x/y/z/store/12312312/a/b/c
> is mapped to JCR space
> /x/y/z/store/content/aa/bb/cc/dd/12312312/a/b/c
>
> using the ResourceProducer mechanism.
>>>
>> Can you go into some more detail regarding the requirements for this
>> strategy?
>
> Paul,
>
> Sure,
> I need to create stores of potentially a large number of items single
> locations in URL space where the items can be
> accessed by a URL
> reference each other.
> be listed by paged search.
>
> The main requirement is that the collection should be addressable with
> the following form
> /x/y/z/1001
>
> The path might extend further eg
> /x/y/z/1001/d/e/f
>
> the canonical form being
> /x/y/z/n/**
> where n is one of a set of a large number of items (eg 10M)
>
> AFAIK, to make this work JCR n needs to be expanded to a hashed tree eg
> /x/y/z/aa/bb/cc/dd/n/**
>
> Having performed the hashing, I would ideally like to reuse the
> SlingPostServlet and related functionality, so that
>
> curl -F"sling:resourceType:sakai/store" http://localhost:8080/bigstore
>
> creates a store (identified by the sakai/store resourceType)
>
> curl -F"status:stage1" http://localhost:8080/bigstore.create.html
>
> a redirect coming back to (ad23415g4 is an opaque token)
> http://localhost:8080/bigstore/ad23415g4
>
> Which can then be used in further operations on that item.
>
>
>>
>>
>> Could you use node representations in store to placehold/redirect to the
>> nested content at "content/aa/bb/cc/dd/"?
>
> Provided that HTTP would never see content/aa/bb/cc/dd/, but I guess by
> redirect, you mean http redirect, in which case, no since relative URL's
> break at this point.
> eg ../ad23415g4/related_information.html
>
>
>>
>>
>> Regards,
>>
>> Paul Noden
>
>
Re: Google Analytics for the Sling web site
Hi,

Jukka Zitting schrieb:
> Jackrabbit is using Google Analytics to track usage of the
> jackrabbit.apache.org web site, and I was wondering if Sling would be
> interested in similar data. See [1] for an example report.

With my Sling Hat on I could be interested in these figures and favor it.

With my Internet Surfer hat on I am not really sure whether I like the idea of Google gathering this information.

All in all I tend to rather not be in favor of this.

Regards
Felix
[jira] Updated: (SLING-990) Prototype for a Sling Explorer implementation based on GWT
[ https://issues.apache.org/jira/browse/SLING-990?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christophe Lombart updated SLING-990:
-

Attachment: Sling Explorer.zip

Here is the code. The README file contains information on useful maven command & GWT setting.

> Prototype for a Sling Explorer implementation based on GWT
> --
>
> Key: SLING-990
> URL: https://issues.apache.org/jira/browse/SLING-990
> Project: Sling
> Issue Type: New Feature
> Components: Extensions
> Reporter: Christophe Lombart
> Attachments: Sling Explorer.zip
>
>
> Following the Sling Explorer proposal [1], I have started an implementation
> with the SwartGwt UI framework [2] (based on GWT and under LGPL licence).
> Not sure but I think that LGPL is compatible with the Apache project.
> Until now, it is just a prototype. Can you review the code and see if this
> Gwt application is well integrated with Sling ?
> [1] http://cwiki.apache.org/SLING/sling-based-jcr-explorer.html
> [2] http://code.google.com/p/smartgwt/

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
Google Analytics for the Sling web site
Hi,

Jackrabbit is using Google Analytics to track usage of the jackrabbit.apache.org web site, and I was wondering if Sling would be interested in similar data. See [1] for an example report.

[1] http://markmail.org/download.xqy?id=7xwz2anfrp4tfiko&number=1

BR,

Jukka Zitting
[jira] Created: (SLING-990) Prototype for a Sling Explorer implementation based on GWT
Prototype for a Sling Explorer implementation based on GWT
--

Key: SLING-990
URL: https://issues.apache.org/jira/browse/SLING-990
Project: Sling
Issue Type: New Feature
Components: Extensions
Reporter: Christophe Lombart

Following the Sling Explorer proposal [1], I have started an implementation with the SwartGwt UI framework [2] (based on GWT and under LGPL licence). Not sure but I think that LGPL is compatible with the Apache project.

Until now, it is just a prototype. Can you review the code and see if this Gwt application is well integrated with Sling ?

[1] http://cwiki.apache.org/SLING/sling-based-jcr-explorer.html
[2] http://code.google.com/p/smartgwt/

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
RE: Sling Documentation
Hi Stuart

> OK, I'd like to update the "Getting and Building Sling" page.
>
> On Tue, Jun 02, 2009 at 10:22:06PM +0200, Mike Müller wrote:
> > Hi Stuart
> >
> > You just tell me, which page you like to update, and either
> > create this page in the public wiki or I will create you a copy
> > of the original page there. You'll then be able to make your changes.
> > After that I will take them over to the Sling website.
> > So just tell me, which page you like to update or rewrite.
> > As I said, every help is very welcome.
>>> snip snap

Ok, I made you a copy of the original under [1]. Please let me know as soon as you have finished updating.

[1] http://cwiki.apache.org/confluence/display/SLING/Getting+and+Building+Sling

best regards
mike
Re: Sling Documentation
OK, I'd like to update the "Getting and Building Sling" page.

On Tue, Jun 02, 2009 at 10:22:06PM +0200, Mike Müller wrote:
> Hi Stuart
>
> You just tell me, which page you like to update, and either
> create this page in the public wiki or I will create you a copy
> of the original page there. You'll then be able to make your changes.
> After that I will take them over to the Sling website.
> So just tell me, which page you like to update or rewrite.
> As I said, every help is very welcome.
>
> best regards
> mike
>
> > -Original Message-
> > From: D. Stuart Freeman [mailto:stuart.free...@et.gatech.edu]
> > Sent: Tuesday, June 02, 2009 5:58 PM
> > To: sling-dev@incubator.apache.org
> > Subject: Re: Sling Documentation
> >
> >
> > That seems doable. Where should I put the output of this effort? It
> > looks like I can edit the "setting up eclipse..." page, but not the
> > "getting and building sling" page in place on cwiki.
> >
> > On Sat, May 30, 2009 at 09:15:05PM +0200, Mike Müller wrote:
> > > Hi Stuart
> > >
> > > The update process has just started. If you can help you're
> > > very welcome.
> > > On the page you mentioned, you're right, there's not much to update,
> > > but the goal is to merge/combine the content with the wiki content
> > > on [1]
> > >
> > > [1]
> > > http://cwiki.apache.org/confluence/display/SLING/Setting+up+Eclipse+3.4+for+Sling
> > >
> > > best regards
> > > mike
> > >
> > > > -Original Message-
> > > > From: D. Stuart Freeman [mailto:stuart.free...@et.gatech.edu]
> > > > Sent: Friday, May 29, 2009 3:59 PM
> > > > To: sling-dev@incubator.apache.org
> > > > Subject: Sling Documentation
> > > >
> > > >
> > > > I'm here to help. I've looked at
> > > > http://cwiki.apache.org/confluence/display/SLING/Status+of+documentation+progress
> > > > and thought "Getting and building Sling [UPDATE]" would be a
> > > > good place
> > > > to start. The existing page appears to be
> > > > http://incubator.apache.org/sling/site/getting-and-building-sling.html it
> > > > looks to be accurate, so I wonder if there's a specific goal to updating
> > > > this page.
> > > >
> > > > --
> > > > D. Stuart Freeman
> > > > Georgia Institute of Technology
> >
> > --
> > D. Stuart Freeman
> > Georgia Institute of Technology

--
D. Stuart Freeman
Georgia Institute of Technology
RE: Sling Documentation
Hi Stuart

You just tell me, which page you like to update, and either create this page in the public wiki or I will create you a copy of the original page there. You'll then be able to make your changes. After that I will take them over to the Sling website. So just tell me, which page you like to update or rewrite. As I said, every help is very welcome.

best regards
mike

> -Original Message-
> From: D. Stuart Freeman [mailto:stuart.free...@et.gatech.edu]
> Sent: Tuesday, June 02, 2009 5:58 PM
> To: sling-dev@incubator.apache.org
> Subject: Re: Sling Documentation
>
>
> That seems doable. Where should I put the output of this effort? It
> looks like I can edit the "setting up eclipse..." page, but not the
> "getting and building sling" page in place on cwiki.
>
> On Sat, May 30, 2009 at 09:15:05PM +0200, Mike Müller wrote:
> > Hi Stuart
> >
> > The update process has just started. If you can help you're
> > very welcome.
> > On the page you mentioned, you're right, there's not much to update,
> > but the goal is to merge/combine the content with the wiki content
> > on [1]
> >
> > [1]
> > http://cwiki.apache.org/confluence/display/SLING/Setting+up+Eclipse+3.4+for+Sling
> >
> > best regards
> > mike
> >
> > > -Original Message-
> > > From: D. Stuart Freeman [mailto:stuart.free...@et.gatech.edu]
> > > Sent: Friday, May 29, 2009 3:59 PM
> > > To: sling-dev@incubator.apache.org
> > > Subject: Sling Documentation
> > >
> > >
> > > I'm here to help. I've looked at
> > > http://cwiki.apache.org/confluence/display/SLING/Status+of+documentation+progress
> > > and thought "Getting and building Sling [UPDATE]" would be a
> > > good place
> > > to start. The existing page appears to be
> > > http://incubator.apache.org/sling/site/getting-and-building-sling.html it
> > > looks to be accurate, so I wonder if there's a specific goal to updating
> > > this page.
> > >
> > > --
> > > D. Stuart Freeman
> > > Georgia Institute of Technology
>
> --
> D. Stuart Freeman
> Georgia Institute of Technology
Re: (In)Security in Sling
I have been wondering about this as well.

The reverse proxy seems not to be the right place to add the security since once bypassed one would have full access to the site and the code of the site.

A sling based lockdown may be a problem too, since one site may need json (say the content management on top of sling) but another may not (such as a public web site).

The content reported by some formats should also be different based on what server accesses it and be better filtered - so for example there is no need to output some nodes in a .json file when used by the web site but there is for a content management system. Otherwise too many attack vectors are exposed for potential attacks.

Ruben

Christian Sprecher wrote:
> Hi all
>
> This is something that has been nagging me for a while now: imho the whole JSR 283 security stuff looks good from the JCR context, but Sling is a different beast: it is a web framework, and therefore susceptible to the whole web attack vectors, like information disclosure (e.g. unwanted JSON output), injection attacks (unsure about possible attack vectors), malicious file execution and others, see http://www.owasp.org/index.php/Top_10_2007 for some examples.
>
> Therefore relying on JSR 283 is necessary but not sufficient to provide state of the art security for Sling.
>
> There are several possibilities to provide this additional layer of security, one is to provide a secure reverse proxy with filter possibilities, like John mentioned. This is state of the art for enterprises, but not necessarily the best approach for more lightweight environments.
>
> Another approach would be to have a servlet filter handling all web attack mitigation strategies and in the same time being able to communicate with the underlying repository. Perhaps this would also allow to create something like an "execute" privilege, which doesn't make sense in JCR context but does make very much sense for Sling.
>
> The spec doc btw, mentions the possibility to define additional javax.jcr.security.Privilege namespaces, so it looks (without knowing details) to be well prepared for enhancements.
>
> I am unsure if and how OSGI might be another mechanism to implement web security.
>
> wdyt?
>
> Cheers, CSp.
Re: (In)Security in Sling
Hi all

This is something that has been nagging me for a while now: imho the whole JSR 283 security stuff looks good from the JCR context, but Sling is a different beast: it is a web framework, and therefore susceptible to the whole web attack vectors, like information disclosure (e.g. unwanted JSON output), injection attacks (unsure about possible attack vectors), malicious file execution and others, see http://www.owasp.org/index.php/Top_10_2007 for some examples.

Therefore relying on JSR 283 is necessary but not sufficient to provide state of the art security for Sling.

There are several possibilities to provide this additional layer of security, one is to provide a secure reverse proxy with filter possibilities, like John mentioned. This is state of the art for enterprises, but not necessarily the best approach for more lightweight environments.

Another approach would be to have a servlet filter handling all web attack mitigation strategies and in the same time being able to communicate with the underlying repository. Perhaps this would also allow to create something like an "execute" privilege, which doesn't make sense in JCR context but does make very much sense for Sling.

The spec doc btw, mentions the possibility to define additional javax.jcr.security.Privilege namespaces, so it looks (without knowing details) to be well prepared for enhancements.

I am unsure if and how OSGI might be another mechanism to implement web security.

wdyt?

Cheers, CSp.
Clarification for ResourceResolver#map
Hi,

how is the ResourceResolver#map method supposed to work or more precisely what input is expected. The javadoc mentions a resource path as input parameter.
What is supposed to happen if the path contains a query string or an anchor?

Regards
Carsten

--
Carsten Ziegeler
cziege...@apache.org
Re: JcrResoruceResolver2, by design ?
On 2 Jun 2009, at 16:09, Paul Noden wrote:

> Could you use node representations in store to placehold/redirect to the
> nested content at "content/aa/bb/cc/dd/"?

Thank you for your hint, the simple solution appears to be to use a servlet and request dispatch with a modified Resource, wrapping the response, throwing away the output and sending redirect to URL of the created resource ( not the jcr path).

Thanks
Ian
Binding to a resource Type
Hi,

Should a servlet (with sling.servlet.resourceTypes value="x") bind to JCR nodes where a parent node has a resourceType of x, or will it only bind to JCR nodes where the node itself has the resourceType x ?

I have searched, documentation and source code, but I can't find an answer.

Thanks
Ian
Re: Sling Documentation
That seems doable. Where should I put the output of this effort? It looks like I can edit the "setting up eclipse..." page, but not the "getting and building sling" page in place on cwiki.

On Sat, May 30, 2009 at 09:15:05PM +0200, Mike Müller wrote:
> Hi Stuart
>
> The update process has just started. If you can help you're
> very welcome.
> On the page you mentioned, you're right, there's not much to update,
> but the goal is to merge/combine the content with the wiki content
> on [1]
>
> [1]
> http://cwiki.apache.org/confluence/display/SLING/Setting+up+Eclipse+3.4+for+Sling
>
> best regards
> mike
>
> > -Original Message-
> > From: D. Stuart Freeman [mailto:stuart.free...@et.gatech.edu]
> > Sent: Friday, May 29, 2009 3:59 PM
> > To: sling-dev@incubator.apache.org
> > Subject: Sling Documentation
> >
> >
> > I'm here to help. I've looked at
> > http://cwiki.apache.org/confluence/display/SLING/Status+of+documentation+progress
> > and thought "Getting and building Sling [UPDATE]" would be a
> > good place
> > to start. The existing page appears to be
> > http://incubator.apache.org/sling/site/getting-and-building-sling.html it
> > looks to be accurate, so I wonder if there's a specific goal to updating
> > this page.
> >
> > --
> > D. Stuart Freeman
> > Georgia Institute of Technology

--
D. Stuart Freeman
Georgia Institute of Technology
Re: (In)Security in Sling
Michael,

No worries at all. I figured I could resolve most of this through a front end proxy (like Apache2), but wanted to see if there was a better way.

+1 on the json restriction. Would be kind of cool to be able to restrict/grant access based upon a regexp as well.

Thank you for your help.

Respectfully,
John

On Tue, Jun 2, 2009 at 6:03 AM, Michael Marth wrote:

> Hi,
>
> thanks John, for pointing this out.
>
> Part of the problem you describe is misconfigurations on my part (I did not
> realize that the "anonymous" user is not part of the "everyone" group). But
> as Felix has described the problem with the /apps directory cannot be fixed
> by configuration. I just filed bug 989 [1] for this (an in-the-air
> collision with Felix' mail).
>
> As a third aspect: I believe there are parts in most sites where the json
> representation is not desired. What do you think about making the json
> servlet more configurable in terms of black/whitelisting properties it
> renders? That would be on top of all other "proper" security measures, of
> course.
>
> Michael
>
> [1] https://issues.apache.org/jira/browse/SLING-989
>
> On Tue, Jun 2, 2009 at 12:33 PM, Felix Meschberger wrote:
>
> > Hi,
> >
> > John Crawford schrieb:
> > > I have been working with sling for quite some time and, of course, Day
> > > products. One thing that I have been increasingly concerned with is the
> > > end users ability to scrape all of the sites content and code with minimal
> > > effort using the built in functionality of the SlingPostServlet.
> >
> > The Sling Get Servlet to be precise ;-)
> >
> > >
> > > For Example:
> > >
> > > http://dev.day.com/discussion-groups/users.infinity.json
> > > http://dev.day.com/discussion-groups/apps.infinity.json
> >
> > As Jukka said, you may employ access control to prevent this.
> >
> > But there is a glitch for the scripts located in /apps and /libs:
> > Currently scripts are read from the repository using the session of the
> > current user, that is the request user.
> >
> > So preventing access to
> >
> > > http://dev.day.com/discussion-groups/apps/mailingLists/mailingLists.jsp
> >
> > by simply denying read-access for the anonymous user actually prevents
> > using the site at all.
> >
> > One solution to this problem could be to not load the scripts with the
> > session of the current user but to use a special-purpose session (for
> > example an admin session) to do this.
> >
> > This way, you may lock down /apps and /libs for general consumption but
> > may still execute the scripts in there.
> >
> > WDYT ?
> >
> > Regards
> > Felix
> >
> > > (this one really disturbs me)
> > >
> > > So far, my solution has been to provide a proxy (namely Apache2) in front
> > > of sling to filter out any undesired requests. Seems to work. But, by
> > > doing this, it takes away what is so cool about Sling. I have reported to
> > > Day Support numerous times, but they don't seem too concerned about it.
> > > But for sites where the content is critical or where we require users to
> > > pay for our content, it is very important to us.
> > >
> > > Is there a better way to handle this?
> > >
> > > Please let me know your thoughts.
> > >
> > > Respectfully,
> > > John
> >
>
> --
> Michael Marth | http://dev.day.com/
>
Re: JcrResoruceResolver2, by design ?
On 2 Jun 2009, at 16:09, Paul Noden wrote:

> Hi Ian,
>
> 2009/6/2 Ian Boston
>
>> AFAICT its impossible to virtualize paths (URI wrt JCR path) using this
>> approach in the JCR.
>>
>> Unfortunately for me, its a use case I can't ignore as we have lots of
>> situations where a non listable could contain millions of items.
>> Back to square one.
>>
>>>> The current design and intention is, that for any one (root) path there
>>>> may only be one resource provider registered. So for example, for a
>>>> (root) path "/some/path", there may only one. Of course there may be
>>>> another one at "/some" or at "/some/path/below".
>>>>
>>> I want to be able to bind a special Resource to a node with a
>>> corresponding resourceType (created by the application) anywhere in the
>>> content system, so that all the standard Sling processing can access that
>>> Resource.
>>>
>>> For example:
>>> I want to be able to create a node anywhere in the content system, and
>>> under that node have a hashed store that is managed as if the entire node
>>> space was flattened.
>>>
>>> eg
>>> the URL
>>> /x/y/z/store/12312312/a/b/c
>>> is mapped to JCR space
>>> /x/y/z/store/content/aa/bb/cc/dd/12312312/a/b/c
>>>
>>> using the ResourceProducer mechanism.
>>>
> Can you go into some more detail regarding the requirements for this
> strategy?

Paul,

Sure,
I need to create stores of potentially a large number of items single locations in URL space where the items can be
accessed by a URL
reference each other.
be listed by paged search.

The main requirement is that the collection should be addressable with the following form
/x/y/z/1001

The path might extend further eg
/x/y/z/1001/d/e/f

the canonical form being
/x/y/z/n/**
where n is one of a set of a large number of items (eg 10M)

AFAIK, to make this work JCR n needs to be expanded to a hashed tree eg
/x/y/z/aa/bb/cc/dd/n/**

Having performed the hashing, I would ideally like to reuse the SlingPostServlet and related functionality, so that

curl -F"sling:resourceType:sakai/store" http://localhost:8080/bigstore

creates a store (identified by the sakai/store resourceType)

curl -F"status:stage1" http://localhost:8080/bigstore.create.html

a redirect coming back to (ad23415g4 is an opaque token)
http://localhost:8080/bigstore/ad23415g4

Which can then be used in further operations on that item.

> Could you use node representations in store to placehold/redirect to the
> nested content at "content/aa/bb/cc/dd/"?

Provided that HTTP would never see content/aa/bb/cc/dd/, but I guess by redirect, you mean http redirect, in which case, no since relative URL's break at this point.
eg ../ad23415g4/related_information.html

> Regards,
>
> Paul Noden
Re: JcrResourceResolver2, by design ?
Hi Ian, 2009/6/2 Ian Boston > AFAICT its impossible to virtualize paths (URI wrt JCR path) using this > approach in the JCR. > > Unfortunately for me, its a use case I can't ignore as we have lots of > situations where a non listable could contain millions of items. > Back to square one. > > >>> The current design and intention is, that for any one (root) path there >>> may only be one resource provider registered. So for example, for a >>> (root) path "/some/path", there may only one. Of course there may be >>> another one at "/some" or at "/some/path/below". >>> >>> I want to be able to bind a special Resource to a node with a >> corresponding resourceType (created by the application) anywhere in the >> content system, so that all the standard Sling processing can access that >> Resource. >> >> For example: >> I want to be able to create a node anywhere in the content system, and >> under that node have a hashed store that is managed as if the entire node >> space was flattened. >> >> eg >> the URL >> /x/y/z/store/12312312/a/b/c >> is mapped to JCR space >> /x/y/z/store/content/aa/bb/cc/dd/12312312/a/b/c >> >> using the ResourceProducer mechanism. >> > Can you go into some more detail regarding the requirements for this strategy? Could you use node representations in store to placehold/redirect to the nested content at "content/aa/bb/cc/dd/"? Regards, Paul Noden
Re: JcrResourceResolver2, by design ?
Ignore everything I have said :). It doesn't work, there is no way of telling if a non existent resource is virtual or real, and so AFAICT its impossible to virtualize paths (URI wrt JCR path) using this approach in the JCR.

Unfortunately for me, its a use case I can't ignore as we have lots of situations where a non listable could contain millions of items.

Back to square one.
Ian

On 2 Jun 2009, at 09:39, Ian Boston wrote:

On 2 Jun 2009, at 07:02, Felix Meschberger wrote:

Hi Ian,

Ian Boston schrieb:

Hi, I don't know if this is intentional, but it looks like its not possible to register more than one ResourceProvider at /, and so its not possible to bind a ResourceProvider to a node (anywhere in the content system) with a specific resource type. Is this intentional or a mistake ?

The current design and intention is, that for any one (root) path there may only be one resource provider registered. So for example, for a (root) path "/some/path", there may only be one. Of course there may be another one at "/some" or at "/some/path/below".

Felix,
Thank you,

It looks like I am exploiting a loophole in the implementation; before I go further I should ask how I should achieve what I want to.

I want to be able to bind a special Resource to a node with a corresponding resourceType (created by the application) anywhere in the content system, so that all the standard Sling processing can access that Resource.

For example: I want to be able to create a node anywhere in the content system, and under that node have a hashed store that is managed as if the entire node space was flattened.

eg the URL /x/y/z/store/12312312/a/b/c is mapped to JCR space /x/y/z/store/content/aa/bb/cc/dd/12312312/a/b/c using the ResourceProducer mechanism.

At the moment, I have a ResourceProducer registered at / that processes /x/y/z/store/12312312/a/b/c looking for a real parent JCR node with a specific sling:resourceType; if found, a VirtualResource (my own class) is created that has a path of /x/y/z/store/content/aa/bb/cc/dd/12312312/a/b/c

Although this works, from what you are saying its a fluke, and will not extend to more than one of this type of ResourceProducer (only one can be mapped to each prefix).

The other worry I have with this approach is that I have to register the ResourceProducer at / which means every url is resolved in this way.

Is there a better way?
Ian

As a consequence, there may only be one resource provider for "/" and this currently is the JcrResourceProvider, which is hard-coded (currently). There is a concept to change the situation with the hard-coded JcrResourceProvider at "/" [1]. But there is no concrete concept or idea yet to allow more than one resource provider for the exact same (root) path.

Hope this helps.

Regards
Felix

[1] http://cwiki.apache.org/SLING/add-resourceresolverfactory-service-interface.html

The root ResourceProviderEntry accepts a registration of a provider registered with /, however all paths are assumed to be relative and so have the leading / removed, hence the ResourceProvider with a prefix of / will never match anything, as the path will have already had the leading / removed.

eg resolving /home/ieb/messagestore/1231231 results in a test against the default ResourceProviderEntry, the leading / is removed (eg home/ieb/messagestore/1231231) which does not match the contained ResourceEntryProvider with a prefix of /

Checking if the prefix was / before assuming the path is relative would probably fix the problem.

WDYT ?
Ian
Re: (In)Security in Sling
David,

On 2 Jun 2009, at 13:06, David Nuescheler wrote:

hi ian,

sorry for the confusion. there is no privilege to "execute" something in jcr. i am not even sure that they should be part of the repository since the repository is not going to execute things anyway.

agreed.

i think if one has a tight coupling like between the os and the fs this may make sense, but i see the repo/sling coupling much looser so i would probably just go for the read privilege. the read privilege seems to be causing the issue as far as i can tell, not necessarily the execute privilege. right?

If the execute session only ever requires read to the areas of the repository that are executable and no other areas, "read" will work. If that session requires read elsewhere, then there needs to be some other mechanism. (ideally an AccessControlPolicy (named, or list))

Ian

regards,
david
[jira] Commented: (SLING-917) Use repository.apache.org for deployments
[ https://issues.apache.org/jira/browse/SLING-917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12715518#action_12715518 ] Felix Meschberger commented on SLING-917: - Created INFRA-2081 to ask for addition of Sling to the Nexus Repository > Use repository.apache.org for deployments > - > > Key: SLING-917 > URL: https://issues.apache.org/jira/browse/SLING-917 > Project: Sling > Issue Type: Task > Components: General >Affects Versions: Parent 5 >Reporter: Bertrand Delacretaz > Fix For: Parent 6 > > Attachments: SLING-917.patch > > > See INFRA-1896 for getting access to repository.apache.org . > Once that's done, we'll need to configure http://vmbuild.apache.org to push > snapshots there. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[RESULT] [VOTE] Use repository.a.o for deployments
Hi all, Time to close this vote. We have received the following votes (binding votes marked with *) : +1 Felix Meschberger (*) +1 Bertrand Delacretaz (*) +1 Juan Jose Vazquez Delgado (*) +1 Ian Boston +1 Vidar Ramdal (*) This vote passes with 5 votes (4 of which binding). No other votes were cast. Thanks for your votes. I will not proceed with the next steps. Regards Felix Felix Meschberger schrieb: > Hi all > > After the discussion, lets vote on using repository.apache.org for > deployments. As has been said repository.apache.org is run by a Nexus > repository manager which makes it much easier to prepare releases for > inspection and later deploy the releases out to the maven repositories > (Copying to www.a.o/dist is still a manual, though trivial, process). > > So, please cast your votes: > > [ ] +1 use repository.a.o (Nexus repository) for deployment > [ ] 0 don't care > [ ] -1 don't use repository.a.o, because ... > > This is a simple majority vote open for the next 72h. > > Regards > Felix >
Re: Continue Sling request procesing in POST.jsp
Hi,

Daniel, de la Cuesta Navarrete schrieb:
> I have my script POST.jsp. I want to filter requests that contain only one
> property.
>
> The problem is that the POST.jsp stops the usual sling request processing for
> all requests.
>
> Is there any way to continue with the usual Sling request processing from a
> jsp script?
>
> Something like what we do in a filter?
>
> if (request.getParameter(":operation") != null)
>     chain.doFilter(request, response);

Well, you could do a filter ;-)

On the other hand you could just forward to the standard POST processing by using a resource whose resource type is "sling/servlet/default", e.g. by creating a ResourceWrapper on the request's resource and overwriting the getResourceType() method to return "sling/servlet/resource".

Regards
Felix
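The forwarding trick Felix describes, written out as an added example (this is not code from the thread, from Daniel or from Sling itself). It uses the Sling API 2.0 types `SlingAllMethodsServlet`, `ResourceWrapper` and `SlingHttpServletRequest.getRequestDispatcher(Resource)`; the resource type of Sling's default servlet, which owns the standard POST handling, is `sling/servlet/default`. The resource type `example/filtered` that this servlet is bound to, and the reading of "filter requests that contain only one property" as "reject them", are assumptions made for the example.

```java
// Added example, not part of the original thread or of Apache Sling.
// A POST servlet bound to an assumed resource type "example/filtered":
// requests carrying exactly one property are rejected, every other request
// is forwarded to Sling's default POST handling by dispatching to a
// wrapped resource whose resource type is "sling/servlet/default".
package example;

import java.io.IOException;
import java.util.Enumeration;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceWrapper;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;

public class FilteringPostServlet extends SlingAllMethodsServlet {

    /** Resource type of Sling's default servlet (standard POST processing). */
    static final String DEFAULT_TYPE = "sling/servlet/default";

    @Override
    protected void doPost(SlingHttpServletRequest request,
                          SlingHttpServletResponse response)
            throws ServletException, IOException {

        if (!isAllowed(request)) {
            // The filtered case: stop here, nothing is written to the repository.
            response.sendError(SlingHttpServletResponse.SC_FORBIDDEN,
                    "requests with a single property are not accepted");
            return;
        }

        // Wrap the request's resource so that it reports the default
        // servlet's resource type. Forwarding to the wrapper makes Sling
        // resolve the servlet for that type, i.e. the SlingPostServlet,
        // instead of landing in this servlet a second time.
        Resource target = new ResourceWrapper(request.getResource()) {
            @Override
            public String getResourceType() {
                return DEFAULT_TYPE;
            }
        };
        RequestDispatcher dispatcher = request.getRequestDispatcher(target);
        dispatcher.forward(request, response);
    }

    /**
     * Assumed policy: count the submitted properties, ignoring the
     * ":"-prefixed control parameters of the SlingPostServlet such as
     * ":operation" or ":redirect"; exactly one property means "filter".
     */
    static boolean isAllowed(SlingHttpServletRequest request) {
        int properties = 0;
        Enumeration<?> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            if (!name.startsWith(":")) {
                properties++;
            }
        }
        return properties != 1;
    }
}
```

The same wrapper works from a JSP: build the `ResourceWrapper` around `resource`, obtain the dispatcher from `slingRequest`, and `forward` to it. Keep in mind that the forward runs with the request user's session, so repository access control still decides whether the default POST handling may write anything.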
Re: (In)Security in Sling
hi ian, sorry for the confusion. there are is no privilege to "execute" something in jcr. i am not even sure that they should be part of the repository since the repository is not going to execute things anyway. i think if one has a tight coupling like between the os and the fs this may make sense, but i see the repo/sling coupling much looser so i would probably just go for the read privilege. the read privilege seems to be cause issue as far as i can tell not necessarily the execute privilege. right? regards, david On Tue, Jun 2, 2009 at 2:00 PM, Ian Boston wrote: > So that marker should be and ACL containing an ACE with execute privilege > granted to the appropriate session. > I wasn't aware that there was such a privilege in the Jackrabbit > DefaultAccessManager or 283, > but I agree thats were it should be. > > On a practical note, > Unless DefaultAccessManager et al is going to be re-implemented for Sling, > then this should go back to Jackrabbit as DAM is heavily protected for > obvious reasons, and when I looked trying to extend the way in which > principals for a session were resolved, there didn't appear to be many (if > any) extension points available in DAM since registration of bits in the > compiled privileges bitmap > (o.a.j.core.security.authorization.PrivilegeRegistry.registerPrivilege) is > private (very) > > Ian > > On 2 Jun 2009, at 11:59, David Nuescheler wrote: > >> hi guys, >> >> i really think this should be dealt with, using proper repository >> access control. >> as soon as we start to let the application deal with security we need to >> worry about it every specific application, and become prone to >> "xyz-injection" >> similar to the problem that db's have with "sql injection". >> it becomes particularly tricky if you try to filter things out of the >> query results >> and the likes... 
>> >> my personal guidance would be to make the access control "tighter" in the >> sense that one would forbid read privileges to "/apps" and "/homes" for >> the >> anonymous user (in case that is not desired) and have the script execution >> use a session with appropriate privileges to read and execute. >> >> regards, >> david >> >> On Tue, Jun 2, 2009 at 12:50 PM, Ian Boston wrote: >>> >>> Felix, >>> +1 >>> In addition, I would like to see a marker on the parent nodes that >>> designates the subtree as containing executable content. >>> >>> Then the special session can be used to execute the scripts, but only >>> after >>> it had checked to see the script is located in an "executable" subtree. >>> A suitably authorized user could read and write, >>> >>> Perhaps this already exists ? >>> Ian >>> On 2 Jun 2009, at 11:33, Felix Meschberger wrote: >>> Hi, John Crawford schrieb: > > I have been working with sling for quite some time and, of course, Day > products. One thing that I have been increasingly concerned with is > the > end > users ability to scrape all of the sites content and code with minimal > effort using the built in functionality of the SlingPostServlet. The Sling Get Servlet to be precise ;-) > > For Example: > > http://dev.day.com/discussion-groups/users.infinity.json > http://dev.day.com/discussion-groups/apps.infinity.json As Jukka said, you may employ access control to prevent this. But there is a glitch for the scripts located in /apps and /libs: Currently scripts are read from the repository using the session of the current user, that is the request user. So preventing access to > http://dev.day.com/discussion-groups/apps/mailingLists/mailingLists.jsp by simply denying read-access for the anonymous user actually prevents using the site at all. One solution to this problem could be to not load the scripts with the session of the current user but to use a special-purpose session (for example an admin session) to do this. 
This way, you may lock down /apps and /libs for general consumption but may still execute the scripts in there. WDYT ? Regards Felix (this > > one really disturbs me) > > So far, my solution has been to provide a proxy (namely Apache2) in > front > of > sling to filter out any undesired requests. Seems to work. But, by > doing > this, it takes way what is so cool about Sling. I have reported to Day > Support numerous times, but they don't seem too concerned about it. > But > for > sites where the content is critical or where we require users to pay > for > our > content, it is very important to us. > > Is there a better way to handle this? > > Please let me know your thoughts. > > Respectfully, > John > >>> >>> >> >> >> >> -- >> David Nuescheler >> Chief Technology Officer >> mailto: david.nuesche...@day.com >> >> web: http://www.day.com/ htt
Re: (In)Security in Sling
So that marker should be and ACL containing an ACE with execute privilege granted to the appropriate session. I wasn't aware that there was such a privilege in the Jackrabbit DefaultAccessManager or 283, but I agree thats were it should be. On a practical note, Unless DefaultAccessManager et al is going to be re-implemented for Sling, then this should go back to Jackrabbit as DAM is heavily protected for obvious reasons, and when I looked trying to extend the way in which principals for a session were resolved, there didn't appear to be many (if any) extension points available in DAM since registration of bits in the compiled privileges bitmap (o .a.j.core.security.authorization.PrivilegeRegistry.registerPrivilege) is private (very) Ian On 2 Jun 2009, at 11:59, David Nuescheler wrote: hi guys, i really think this should be dealt with, using proper repository access control. as soon as we start to let the application deal with security we need to worry about it every specific application, and become prone to "xyz- injection" similar to the problem that db's have with "sql injection". it becomes particularly tricky if you try to filter things out of the query results and the likes... my personal guidance would be to make the access control "tighter" in the sense that one would forbid read privileges to "/apps" and "/homes" for the anonymous user (in case that is not desired) and have the script execution use a session with appropriate privileges to read and execute. regards, david On Tue, Jun 2, 2009 at 12:50 PM, Ian Boston wrote: Felix, +1 In addition, I would like to see a marker on the parent nodes that designates the subtree as containing executable content. Then the special session can be used to execute the scripts, but only after it had checked to see the script is located in an "executable" subtree. A suitably authorized user could read and write, Perhaps this already exists ? 
Ian On 2 Jun 2009, at 11:33, Felix Meschberger wrote: Hi, John Crawford schrieb: I have been working with sling for quite some time and, of course, Day products. One thing that I have been increasingly concerned with is the end users ability to scrape all of the sites content and code with minimal effort using the built in functionality of the SlingPostServlet. The Sling Get Servlet to be precise ;-) For Example: http://dev.day.com/discussion-groups/users.infinity.json http://dev.day.com/discussion-groups/apps.infinity.json As Jukka said, you may employ access control to prevent this. But there is a glitch for the scripts located in /apps and /libs: Currently scripts are read from the repository using the session of the current user, that is the request user. So preventing access to http://dev.day.com/discussion-groups/apps/mailingLists/mailingLists.jsp by simply denying read-access for the anonymous user actually prevents using the site at all. One solution to this problem could be to not load the scripts with the session of the current user but to use a special-purpose session (for example an admin session) to do this. This way, you may lock down /apps and /libs for general consumption but may still execute the scripts in there. WDYT ? Regards Felix (this one really disturbs me) So far, my solution has been to provide a proxy (namely Apache2) in front of sling to filter out any undesired requests. Seems to work. But, by doing this, it takes way what is so cool about Sling. I have reported to Day Support numerous times, but they don't seem too concerned about it. But for sites where the content is critical or where we require users to pay for our content, it is very important to us. Is there a better way to handle this? Please let me know your thoughts. Respectfully, John -- David Nuescheler Chief Technology Officer mailto: david.nuesche...@day.com web: http://www.day.com/ http://dev.day.com twitter: @daysoftware
Re: (In)Security in Sling
Hi, Michael Marth schrieb: > Hi, > > thanks John, for pointing this out. > > Part of the problem you describe is misconfigurations on my part (I did not > realize that the "anonymous" user is not part of the "everyone" group). But > as Felix has described the problem with the /apps directory cannot be fixed > by configuration. I just filed bug 989 [1] for this (an in-the-air collision > with Felix' mail). > > As a third aspect: I believe there are parts in most sites where the json > representation is not desired. What do you think about making the json > servlet more configurable in terms of black/whitelisting properties it > renders? That would be on top of all other "proper" security measures, of > course. It is difficult to decide, when json access is desired (for example if you have client-side JavaScript which wants to grab content) and when not (attack case) - I am not really sure, whether we can solve this with proper black/whitelisting. Maybe just some ACL should be enough. Regards Felix > > Michael > > [1] https://issues.apache.org/jira/browse/SLING-989 > > On Tue, Jun 2, 2009 at 12:33 PM, Felix Meschberger wrote: > >> Hi, >> >> John Crawford schrieb: >>> I have been working with sling for quite some time and, of course, Day >>> products. One thing that I have been increasingly concerned with is the >> end >>> users ability to scrape all of the sites content and code with minimal >>> effort using the built in functionality of the SlingPostServlet. >> The Sling Get Servlet to be precise ;-) >> >>> For Example: >>> >>> http://dev.day.com/discussion-groups/users.infinity.json >>> http://dev.day.com/discussion-groups/apps.infinity.json >> As Jukka said, you may employ access control to prevent this. >> >> But there is a glitch for the scripts located in /apps and /libs: >> Currently scripts are read from the repository using the session of the >> current user, that is the request user. 
>> >> So preventing access to >> >>> http://dev.day.com/discussion-groups/apps/mailingLists/mailingLists.jsp >> by simply denying read-access for the anonymous user actually prevents >> using the site at all. >> >> One solution to this problem could be to not load the scripts with the >> session of the current user but to use a special-purpose session (for >> example an admin session) to do this. >> >> This way, you may lock down /apps and /libs for general consumption but >> may still execute the scripts in there. >> >> WDYT ? >> >> Regards >> Felix >> >> >> (this >>> one really disturbs me) >>> >>> So far, my solution has been to provide a proxy (namely Apache2) in front >> of >>> sling to filter out any undesired requests. Seems to work. But, by >> doing >>> this, it takes way what is so cool about Sling. I have reported to Day >>> Support numerous times, but they don't seem too concerned about it. But >> for >>> sites where the content is critical or where we require users to pay for >> our >>> content, it is very important to us. >>> >>> Is there a better way to handle this? >>> >>> Please let me know your thoughts. >>> >>> Respectfully, >>> John >>> > > >
Continue Sling request procesing in POST.jsp
Hi,

I have my script POST.jsp. I want to filter requests that contain only one property.

The problem is that the POST.jsp stops the usual sling request processing for all requests.

Is there any way to continue with the usual Sling request processing from a jsp script?

Something like what we do in a filter?

if (request.getParameter(":operation") != null)
    chain.doFilter(request, response);

Thank you!
Re: (In)Security in Sling
Hi, thanks John, for pointing this out. Part of the problem you describe is misconfigurations on my part (I did not realize that the "anonymous" user is not part of the "everyone" group). But as Felix has described the problem with the /apps directory cannot be fixed by configuration. I just filed bug 989 [1] for this (an in-the-air collision with Felix' mail). As a third aspect: I believe there are parts in most sites where the json representation is not desired. What do you think about making the json servlet more configurable in terms of black/whitelisting properties it renders? That would be on top of all other "proper" security measures, of course. Michael [1] https://issues.apache.org/jira/browse/SLING-989 On Tue, Jun 2, 2009 at 12:33 PM, Felix Meschberger wrote: > Hi, > > John Crawford schrieb: > > I have been working with sling for quite some time and, of course, Day > > products. One thing that I have been increasingly concerned with is the > end > > users ability to scrape all of the sites content and code with minimal > > effort using the built in functionality of the SlingPostServlet. > > The Sling Get Servlet to be precise ;-) > > > > > For Example: > > > > http://dev.day.com/discussion-groups/users.infinity.json > > http://dev.day.com/discussion-groups/apps.infinity.json > > As Jukka said, you may employ access control to prevent this. > > But there is a glitch for the scripts located in /apps and /libs: > Currently scripts are read from the repository using the session of the > current user, that is the request user. > > So preventing access to > > > http://dev.day.com/discussion-groups/apps/mailingLists/mailingLists.jsp > > by simply denying read-access for the anonymous user actually prevents > using the site at all. > > One solution to this problem could be to not load the scripts with the > session of the current user but to use a special-purpose session (for > example an admin session) to do this. 
> > This way, you may lock down /apps and /libs for general consumption but > may still execute the scripts in there. > > WDYT ? > > Regards > Felix > > > (this > > one really disturbs me) > > > > So far, my solution has been to provide a proxy (namely Apache2) in front > of > > sling to filter out any undesired requests. Seems to work. But, by > doing > > this, it takes way what is so cool about Sling. I have reported to Day > > Support numerous times, but they don't seem too concerned about it. But > for > > sites where the content is critical or where we require users to pay for > our > > content, it is very important to us. > > > > Is there a better way to handle this? > > > > Please let me know your thoughts. > > > > Respectfully, > > John > > > -- Michael Marth | http://dev.day.com/
Re: (In)Security in Sling
hi guys, i really think this should be dealt with, using proper repository access control. as soon as we start to let the application deal with security we need to worry about it every specific application, and become prone to "xyz-injection" similar to the problem that db's have with "sql injection". it becomes particularly tricky if you try to filter things out of the query results and the likes... my personal guidance would be to make the access control "tighter" in the sense that one would forbid read privileges to "/apps" and "/homes" for the anonymous user (in case that is not desired) and have the script execution use a session with appropriate privileges to read and execute. regards, david On Tue, Jun 2, 2009 at 12:50 PM, Ian Boston wrote: > Felix, > +1 > In addition, I would like to see a marker on the parent nodes that > designates the subtree as containing executable content. > > Then the special session can be used to execute the scripts, but only after > it had checked to see the script is located in an "executable" subtree. > A suitably authorized user could read and write, > > Perhaps this already exists ? > Ian > On 2 Jun 2009, at 11:33, Felix Meschberger wrote: > >> Hi, >> >> John Crawford schrieb: >>> >>> I have been working with sling for quite some time and, of course, Day >>> products. One thing that I have been increasingly concerned with is the >>> end >>> users ability to scrape all of the sites content and code with minimal >>> effort using the built in functionality of the SlingPostServlet. >> >> The Sling Get Servlet to be precise ;-) >> >>> >>> For Example: >>> >>> http://dev.day.com/discussion-groups/users.infinity.json >>> http://dev.day.com/discussion-groups/apps.infinity.json >> >> As Jukka said, you may employ access control to prevent this. >> >> But there is a glitch for the scripts located in /apps and /libs: >> Currently scripts are read from the repository using the session of the >> current user, that is the request user. 
>> >> So preventing access to >> >>> http://dev.day.com/discussion-groups/apps/mailingLists/mailingLists.jsp >> >> by simply denying read-access for the anonymous user actually prevents >> using the site at all. >> >> One solution to this problem could be to not load the scripts with the >> session of the current user but to use a special-purpose session (for >> example an admin session) to do this. >> >> This way, you may lock down /apps and /libs for general consumption but >> may still execute the scripts in there. >> >> WDYT ? >> >> Regards >> Felix >> >> >> (this >>> >>> one really disturbs me) >>> >>> So far, my solution has been to provide a proxy (namely Apache2) in front >>> of >>> sling to filter out any undesired requests. Seems to work. But, by >>> doing >>> this, it takes way what is so cool about Sling. I have reported to Day >>> Support numerous times, but they don't seem too concerned about it. But >>> for >>> sites where the content is critical or where we require users to pay for >>> our >>> content, it is very important to us. >>> >>> Is there a better way to handle this? >>> >>> Please let me know your thoughts. >>> >>> Respectfully, >>> John >>> > > -- David Nuescheler Chief Technology Officer mailto: david.nuesche...@day.com web: http://www.day.com/ http://dev.day.com twitter: @daysoftware
[jira] Created: (SLING-989) scripts in /apps are read by user session, this leads to security problem
scripts in /apps are read by user session, this leads to security problem
Key: SLING-989
URL: https://issues.apache.org/jira/browse/SLING-989
Project: Sling
Issue Type: Bug
Reporter: Michael Marth

At the moment the user session is used to read the scripts stored in /apps. Most web apps have some anonymous users as well, therefore the ACLs of /apps must allow read access to the /apps directory. Hence, all scripts within /apps are readable by anyone.

I suggest allowing the Sling administrator to configure which session to use when the scripts are read. He could choose the admin session or stick with the default (the user's session).

-- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
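The two halves of the proposal in SLING-989 and in Felix's mail, as an added example that is not code from the issue, the thread or Apache Sling: deny `jcr:read` below `/apps` and `/libs` for the anonymous user, and read script sources through a separate administrative session that is only ever allowed to look below those two subtrees (Ian's "executable subtree" check, here hard-coded to the two roots). Assumptions: the JCR 2.0 access control API plus Jackrabbit's `JackrabbitAccessControlList.addEntry(principal, privileges, isAllow)` for deny entries, a repository user named `anonymous`, scripts stored as `nt:file` nodes, and `SlingRepository.loginAdministrative(null)` for the privileged session.

```java
// Added example, not part of the thread, of SLING-989 or of Apache Sling.
package example;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;

import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.sling.jcr.api.SlingRepository;

public class ScriptLockdown {

    /** Subtrees holding scripts: closed to anonymous, readable by the loader below. */
    static final String[] SCRIPT_ROOTS = { "/apps", "/libs" };

    /** Deny jcr:read on each script root for the "anonymous" user (run once with an admin session). */
    public static void denyAnonymousRead(Session admin) throws RepositoryException {
        AccessControlManager acm = admin.getAccessControlManager();
        Authorizable user = ((JackrabbitSession) admin).getUserManager().getAuthorizable("anonymous");
        if (user == null) {
            throw new RepositoryException("no user 'anonymous' in this repository");
        }
        Principal anonymous = user.getPrincipal();
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };

        for (String root : SCRIPT_ROOTS) {
            JackrabbitAccessControlList acl = modifiableAcl(acm, root);
            acl.addEntry(anonymous, read, false);   // false = deny (Jackrabbit extension)
            acm.setPolicy(root, acl);
        }
        admin.save();
    }

    /** Prefer the list already bound to the path; otherwise take the applicable one. */
    private static JackrabbitAccessControlList modifiableAcl(AccessControlManager acm, String path)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) p;
            }
        }
        throw new RepositoryException("no modifiable ACL available at " + path);
    }

    /** Only paths strictly below a script root may be read with the privileged session. */
    static boolean isScriptPath(String path) {
        for (String root : SCRIPT_ROOTS) {
            if (path.startsWith(root + "/")) {
                return true;
            }
        }
        return false;
    }

    /** Read a script's bytes with a dedicated administrative session instead of the request user's. */
    public static byte[] readScript(SlingRepository repository, String path)
            throws RepositoryException, IOException {
        if (!isScriptPath(path)) {
            throw new RepositoryException("refusing to read non-script path " + path);
        }
        Session admin = repository.loginAdministrative(null);
        try {
            Node file = admin.getNode(path);
            // nt:file layout: the content lives in jcr:content/jcr:data
            InputStream in = file.getNode("jcr:content").getProperty("jcr:data").getBinary().getStream();
            try {
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                byte[] buf = new byte[8192];
                int n;
                while ((n = in.read(buf)) != -1) {
                    out.write(buf, 0, n);
                }
                return out.toByteArray();   // copied before the session goes away
            } finally {
                in.close();
            }
        } finally {
            admin.logout();   // never leak the administrative session
        }
    }
}
```

Two caveats a deployer should check: the deny entry covers everything below `/apps` and `/libs`, so any static assets (CSS, JavaScript, images) that anonymous pages load from those trees must either live elsewhere or get their own allow entry; and the privileged session is used only to fetch the script source, while the script itself still runs against the request user's session, so content access control is unaffected.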
Re: (In)Security in Sling
Felix,
+1

In addition, I would like to see a marker on the parent nodes that designates the subtree as containing executable content.

Then the special session can be used to execute the scripts, but only after it had checked to see the script is located in an "executable" subtree. A suitably authorized user could read and write.

Perhaps this already exists ?
Ian

On 2 Jun 2009, at 11:33, Felix Meschberger wrote:

Hi,

John Crawford schrieb:

I have been working with sling for quite some time and, of course, Day products. One thing that I have been increasingly concerned with is the end users ability to scrape all of the sites content and code with minimal effort using the built in functionality of the SlingPostServlet.

The Sling Get Servlet to be precise ;-)

For Example:

http://dev.day.com/discussion-groups/users.infinity.json
http://dev.day.com/discussion-groups/apps.infinity.json

As Jukka said, you may employ access control to prevent this.

But there is a glitch for the scripts located in /apps and /libs: Currently scripts are read from the repository using the session of the current user, that is the request user.

So preventing access to

http://dev.day.com/discussion-groups/apps/mailingLists/mailingLists.jsp

by simply denying read-access for the anonymous user actually prevents using the site at all.

One solution to this problem could be to not load the scripts with the session of the current user but to use a special-purpose session (for example an admin session) to do this.

This way, you may lock down /apps and /libs for general consumption but may still execute the scripts in there.

WDYT ?

Regards
Felix

(this one really disturbs me)

So far, my solution has been to provide a proxy (namely Apache2) in front of sling to filter out any undesired requests. Seems to work. But, by doing this, it takes away what is so cool about Sling. I have reported to Day Support numerous times, but they don't seem too concerned about it. But for sites where the content is critical or where we require users to pay for our content, it is very important to us.

Is there a better way to handle this?

Please let me know your thoughts.

Respectfully,
John
Re: (In)Security in Sling
Hi,

John Crawford schrieb:
> I have been working with sling for quite some time and, of course, Day
> products. One thing that I have been increasingly concerned with is the end
> users ability to scrape all of the sites content and code with minimal
> effort using the built in functionality of the SlingPostServlet.

The Sling Get Servlet to be precise ;-)

> For Example:
>
> http://dev.day.com/discussion-groups/users.infinity.json
> http://dev.day.com/discussion-groups/apps.infinity.json

As Jukka said, you may employ access control to prevent this.

But there is a glitch for the scripts located in /apps and /libs: Currently scripts are read from the repository using the session of the current user, that is the request user.

So preventing access to

> http://dev.day.com/discussion-groups/apps/mailingLists/mailingLists.jsp

by simply denying read-access for the anonymous user actually prevents using the site at all.

One solution to this problem could be to not load the scripts with the session of the current user but to use a special-purpose session (for example an admin session) to do this.

This way, you may lock down /apps and /libs for general consumption but may still execute the scripts in there.

WDYT ?

Regards
Felix

> (this one really disturbs me)
>
> So far, my solution has been to provide a proxy (namely Apache2) in front of
> sling to filter out any undesired requests. Seems to work. But, by doing
> this, it takes away what is so cool about Sling. I have reported to Day
> Support numerous times, but they don't seem too concerned about it. But for
> sites where the content is critical or where we require users to pay for our
> content, it is very important to us.
>
> Is there a better way to handle this?
>
> Please let me know your thoughts.
>
> Respectfully,
> John
Re: JcrResourceResolver2, by design ?
On 2 Jun 2009, at 07:02, Felix Meschberger wrote:

> Hi Ian,
>
> Ian Boston schrieb:
>> Hi,
>> I don't know if this is intentional, but it looks like it's not possible to
>> register more than one ResourceProvider at /, and so it's not possible to
>> bind a ResourceProvider to a node (anywhere in the content system) with a
>> specific resource type.
>>
>> Is this intentional or a mistake ?
>
> The current design and intention is, that for any one (root) path there
> may only be one resource provider registered. So for example, for a
> (root) path "/some/path", there may only be one. Of course there may be
> another one at "/some" or at "/some/path/below".

Felix,
Thank you,

It looks like I am exploiting a loophole in the implementation; before I go further I should ask how I should achieve what I want to.

I want to be able to bind a special Resource to a node with a corresponding resourceType (created by the application) anywhere in the content system, so that all the standard Sling processing can access that Resource.

For example:
I want to be able to create a node anywhere in the content system, and under that node have a hashed store that is managed as if the entire node space was flattened, e.g. the URL /x/y/z/store/12312312/a/b/c is mapped to JCR space /x/y/z/store/content/aa/bb/cc/dd/12312312/a/b/c using the ResourceProducer mechanism.

At the moment, I have a ResourceProducer registered at / that processes /x/y/z/store/12312312/a/b/c looking for a real parent JCR node with a specific sling:resourceType; if found, a VirtualResource (my own class) is created that has a path of /x/y/z/store/content/aa/bb/cc/dd/12312312/a/b/c

Although this works, from what you are saying it's a fluke, and will not extend to more than one of this type of ResourceProducer (only one can be mapped to each prefix). The other worry I have with this approach is that I have to register the ResourceProducer at / which means every url is resolved in this way.

Is there a better way?
Ian

> As a consequence, there may only be one resource provider for "/" and
> this currently is the JcrResourceProvider, which is hard-coded
> (currently). There is a concept to change the situation with the
> hard-coded JcrResourceProvider at "/" [1]. But there is no concrete
> concept or idea yet to allow more than one resource provider for the
> exact same (root) path.
>
> Hope this helps.
>
> Regards
> Felix
>
> [1] http://cwiki.apache.org/SLING/add-resourceresolverfactory-service-interface.html

The root ResourceProviderEntry accepts a registration of a provider registered with /, however all paths are assumed to be relative and so have the leading / removed, hence the ResourceProvider with a prefix of / will never match anything, as the path will have already had the leading / removed.

e.g. resolving /home/ieb/messagestore/1231231 results in a test against the default ResourceProviderEntry; the leading / is removed (e.g. home/ieb/messagestore/1231231) which does not match the contained ResourceEntryProvider with a prefix of /

Checking if the prefix was / before assuming the path is relative would probably fix the problem.

WDYT ?
Ian
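The prefix mismatch Ian describes and the fix he proposes, as an added example that is not Sling's code and not part of the thread. It assumes a simplified matching rule (both path and prefix are made relative, a bare "/" stays "/"), whole-segment matching, and longest-prefix-wins; the "/x/y/z/store" provider and its name are constructed.

```java
import java.util.ArrayList;
import java.util.List;

/** Simplified model of prefix matching in a provider entry (added example, not Sling's code). */
public final class ProviderPrefixDemo {
    /** One resource provider registered for a (root) path prefix. */
    static final class Entry {
        final String prefix, name;
        Entry(String prefix, String name) { this.prefix = prefix; this.name = name; }
    }

    private final List<Entry> entries = new ArrayList<>();

    void register(String prefix, String name) { entries.add(new Entry(prefix, name)); }

    /** Assumed relativising rule: drop the leading "/" of a path or prefix; a bare "/" has
     *  nothing after it and stays "/", which is what leaves the root entry unmatchable. */
    static String relative(String s) {
        return (s.length() > 1 && s.startsWith("/")) ? s.substring(1) : s;
    }

    /** Behaviour described on the list: both sides are made relative before the test, so
     *  "home/ieb/messagestore/1231231" can never start with the root prefix "/". */
    String resolveCurrent(String path) { return longestMatch(path, false); }

    /** Proposed fix: check for the root prefix "/" before assuming the path is relative. */
    String resolveFixed(String path) { return longestMatch(path, true); }

    private String longestMatch(String path, boolean rootAware) {
        String rel = relative(path);
        Entry best = null;
        for (Entry e : entries) {
            String p = relative(e.prefix);
            // Whole segments only, so a provider at "/some/path" does not claim "/some/pathology".
            boolean hit = (rootAware && "/".equals(e.prefix)) || rel.equals(p) || rel.startsWith(p + "/");
            // Assumed: the most specific (longest) prefix wins, so "/some/path" shadows "/".
            if (hit && (best == null || e.prefix.length() > best.prefix.length())) best = e;
        }
        return best == null ? null : best.name;
    }

    public static void main(String[] args) {
        ProviderPrefixDemo r = new ProviderPrefixDemo();
        r.register("/", "jcr");                      // the hard-coded root provider
        r.register("/x/y/z/store", "virtual-store"); // constructed stand-in for Ian's provider
        System.out.println(r.resolveCurrent("/home/ieb/messagestore/1231231"));
        System.out.println(r.resolveFixed("/home/ieb/messagestore/1231231"));
        System.out.println(r.resolveFixed("/x/y/z/store/12312312/a/b/c"));
    }
}
```

With the two entries registered in main, resolveCurrent yields null for the messagestore path, while resolveFixed yields "jcr" for it and "virtual-store" for the store path, since the longer prefix shadows the root.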
