Re: [RT] ResourceProviderDecorator

2013-03-07 Thread Ian Boston
On 8 March 2013 18:27, Mike Müller wrote: >> Sorry for asking a stupid question, but why would a ResourceProvider >> that delivered resources subject to security, not implement that >> security and cover the use cases required as a part of its >> implementation? >> >> 1 Allowing insecure Reso

[jira] [Commented] (SLING-2780) Make ResourceMetadata read-only when delivered to client code

2013-03-07 Thread Felix Meschberger (JIRA)
[ https://issues.apache.org/jira/browse/SLING-2780?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13596925#comment-13596925 ] Felix Meschberger commented on SLING-2780: -- I think we are hit by the fact that w

Re: [RT] ResourceProviderDecorator

2013-03-07 Thread Carsten Ziegeler
2013/3/7 Carsten Ziegeler : > Therefore I propose we add a simple interface: > public interface ResourceProviderDecorator { > > ResourceProvider decorate(final ResourceProvider provider); > > AttributableResourceProvider decorate(final > AttributableResourceProvider provider); > > Modi

Re: [RT] ResourceMetadata

2013-03-07 Thread Carsten Ziegeler
I've created SLING-2780 and made an implementation (well I made three different ones to see how they work). If no one complains, I'll set this to resolved. Thanks Carsten 2013/3/6 Carsten Ziegeler : > I've asked @work, but it seems no one is using ResourceMetadata for writing. > As no one else c

[jira] [Commented] (SLING-2780) Make ResourceMetadata read-only when delivered to client code

2013-03-07 Thread Carsten Ziegeler (JIRA)
[ https://issues.apache.org/jira/browse/SLING-2780?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13596917#comment-13596917 ] Carsten Ziegeler commented on SLING-2780: - Third implementation in revision 145425

RE: [RT] ResourceProviderDecorator

2013-03-07 Thread Mike Müller
> Sorry for asking a stupid question, but why would a ResourceProvider > that delivered resources subject to security, not implement that > security and cover the use cases required as a part of its > implementation? > > 1 Allowing insecure ResourceProviders to exist with the intention of > d

[jira] [Commented] (SLING-2780) Make ResourceMetadata read-only when delivered to client code

2013-03-07 Thread Carsten Ziegeler (JIRA)
[ https://issues.apache.org/jira/browse/SLING-2780?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13596911#comment-13596911 ] Carsten Ziegeler commented on SLING-2780: - New implementation with revision 145425

[jira] [Commented] (SLING-2780) Make ResourceMetadata read-only when delivered to client code

2013-03-07 Thread Carsten Ziegeler (JIRA)
[ https://issues.apache.org/jira/browse/SLING-2780?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13596904#comment-13596904 ] Carsten Ziegeler commented on SLING-2780: - I've committed a first implementation i

[jira] [Created] (SLING-2780) Make ResourceMetadata read-only when delivered to client code

2013-03-07 Thread Carsten Ziegeler (JIRA)
Carsten Ziegeler created SLING-2780: --- Summary: Make ResourceMetadata read-only when delivered to client code Key: SLING-2780 URL: https://issues.apache.org/jira/browse/SLING-2780 Project: Sling

Re: [RT] ResourceProviderDecorator

2013-03-07 Thread Ian Boston
On 7 March 2013 21:40, Carsten Ziegeler wrote: > Hi, > > as recent discussion showed, there might be use cases for a resource > provider decorator. A decorator can be used to add functionality > across several resource providers. E.g. this would simplify securing > resource providers which don't s

Jenkins build became unstable: sling-trunk-1.6 #1590

2013-03-07 Thread Apache Jenkins Server
See

[jira] [Updated] (SLING-2779) Support for default properties values of a resource

2013-03-07 Thread Gilles Knobloch (JIRA)
[ https://issues.apache.org/jira/browse/SLING-2779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Gilles Knobloch updated SLING-2779: --- Attachment: DefaultsValueMap.java Attached file > Support for default proper

[jira] [Created] (SLING-2779) Support for default properties values of a resource

2013-03-07 Thread Gilles Knobloch (JIRA)
Gilles Knobloch created SLING-2779: -- Summary: Support for default properties values of a resource Key: SLING-2779 URL: https://issues.apache.org/jira/browse/SLING-2779 Project: Sling Issue T

Re: Sling and Security

2013-03-07 Thread Bertrand Delacretaz
On Thu, Mar 7, 2013 at 12:09 PM, Angela Schreiber wrote: > ...b) the script execution: that's obviously related to the former with > one additional twist. everyone that can create a script may not only > become admin in sling but also gets file system access That's "anyone who can write a scr

[jira] [Resolved] (SLING-2778) initial Sling/Jolokia integration bundle

2013-03-07 Thread Justin Edelson (JIRA)
[ https://issues.apache.org/jira/browse/SLING-2778?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Justin Edelson resolved SLING-2778. --- Resolution: Fixed committed in r1453896 > initial Sling/Jolokia integration

Re: Monitoring and Statistics

2013-03-07 Thread Justin Edelson
Hi Ian, On Sat, Mar 2, 2013 at 12:12 AM, Ian Boston wrote: > On 2 March 2013 10:42, Ian Boston wrote: > > > 2. > > GETs can only query 1 bean at a time. > > If you need a snapshot of the state of the server and have 50 MBeans, > > you have to make 50 requests. You can make POST requests to perf

[jira] [Created] (SLING-2778) initial Sling/Jolokia integration bundle

2013-03-07 Thread Justin Edelson (JIRA)
Justin Edelson created SLING-2778: - Summary: initial Sling/Jolokia integration bundle Key: SLING-2778 URL: https://issues.apache.org/jira/browse/SLING-2778 Project: Sling Issue Type: New Feat

[jira] [Resolved] (SLING-2777) Expand the Servlets documentation to include examples on how to bind servlets

2013-03-07 Thread Felix Meschberger (JIRA)
[ https://issues.apache.org/jira/browse/SLING-2777?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Felix Meschberger resolved SLING-2777. -- Resolution: Fixed Thank you very much for providing the patch. I have applied it with

[jira] [Assigned] (SLING-2777) Expand the Servlets documentation to include examples on how to bind servlets

2013-03-07 Thread Felix Meschberger (JIRA)
[ https://issues.apache.org/jira/browse/SLING-2777?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Felix Meschberger reassigned SLING-2777: Assignee: Felix Meschberger > Expand the Servlets documentation to include exam

[jira] [Created] (SLING-2777) Expand the Servlets documentation to include examples on how to bind servlets

2013-03-07 Thread Radu Cotescu (JIRA)
Radu Cotescu created SLING-2777: --- Summary: Expand the Servlets documentation to include examples on how to bind servlets Key: SLING-2777 URL: https://issues.apache.org/jira/browse/SLING-2777 Project: Sl

[jira] [Updated] (SLING-2777) Expand the Servlets documentation to include examples on how to bind servlets

2013-03-07 Thread Radu Cotescu (JIRA)
[ https://issues.apache.org/jira/browse/SLING-2777?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Radu Cotescu updated SLING-2777: Attachment: servlets.patch I have attached a patch for updating the corresponding documentation pag

[jira] [Updated] (SLING-2777) Expand the Servlets documentation to include examples on how to bind servlets

2013-03-07 Thread Radu Cotescu (JIRA)
[ https://issues.apache.org/jira/browse/SLING-2777?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Radu Cotescu updated SLING-2777: Description: The Servlets documentation lacks examples on how a developer can bind their servlets u

Re: [RT] ResourceProviderDecorator

2013-03-07 Thread Alexander Klimetschek
On 07.03.2013, at 11:40, Carsten Ziegeler wrote: > Decorating a resource provider is not as trivial as decorating a > resource because a provider might come in different flavours Wait - I misunderstood your proposal in the other thread. I thought this would still decorate Resources, but only for

Re: Sling and Security

2013-03-07 Thread Angela Schreiber
hi carsten and ian thanks for the clarification. feel asserted that we will report any vulnerabilities to the sling-security list as we detect them. what i would love to discuss on the list in general are ways or possibilities on how we could prevent the strength and flexibility of sling to turn

[RT] ResourceProviderDecorator

2013-03-07 Thread Carsten Ziegeler
Hi, as recent discussion showed, there might be use cases for a resource provider decorator. A decorator can be used to add functionality across several resource providers. E.g. this would simplify securing resource providers which don't support access checks ootb, like the file resource provider

[jira] [Created] (SLING-2776) A POST that runs into an AccessDeniedException returns a 500 instead of a 403

2013-03-07 Thread Thorben Heins (JIRA)
Thorben Heins created SLING-2776: Summary: A POST that runs into an AccessDeniedException returns a 500 instead of a 403 Key: SLING-2776 URL: https://issues.apache.org/jira/browse/SLING-2776 Project:

Re: Sling and Security (was: Re: ResourceAccessGate (SLING-2698))

2013-03-07 Thread Bertrand Delacretaz
On Thu, Mar 7, 2013 at 12:55 AM, Ian Boston wrote: > ...If there are other areas where it's possible, with ease to create > critical security issues, then I think we must address those > immediately. > > Please share, ideally on list. > If you think it's not for public list consumption please send a