Hi,

I'm trying to set the security for a public Sling instance. But as I didn't find a guideline I used the CRX page [1] and the CQ page [2] as a starting point. I would appreciate it if somebody could crosscheck my current findings and answer the questions in the other emails.

o Changing the default admin password works like this:
"curl -FoldPwd=admin -FnewPwd=myNewPW -FnewPwdConfirm=myNewPW http://admin:admin@localhost:8080/sling6/system/userManager/user/admin.changePassword.html"
as specified in the Sling documentation [3].

o The security is based on paths. Is there any other security mechanism that is based on the HTTP method, resource types, selector, suffix or extension? I tried to set "+.json" in the authentication requirements of the Apache Sling Authentication Service in the hope that one would need to authenticate in order to be able to execute it. But that didn't work. In this specific case I guess I would need to disable json in the GETServlet completely.

o Changing the default admin password for the repo can be done in:
system/console/configMgr ==>"Apache Sling Embedded JCR Repository"

o I understand the "everyone" group as a built-in group containing all users and groups.

o Do you know of any other security aspect that should be configured for a public Sling instance?

[1] - http://dev.day.com/docs/en/crx/2-2/administering/crx_security_checklist.html
[2] - http://dev.day.com/docs/en/cq/current/deploying/security_checklist.html
[3] - http://sling.apache.org/site/managing-permissions-jackrabbitaccessmanager.html


Best,

Sandro
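The second point above (whether a path that is otherwise readable stays readable anonymously through its ".json" rendering) is something an operator can verify directly rather than guess at. The following audit script is an added example, not code from the original email or from the Sling project: it sends unauthenticated GETs to a list of JSON renderings and reports which ones the instance serves without credentials. The base URL (http://localhost:8080, as in the email) and the path list are assumptions; the path list is constructed for illustration and should be replaced with the paths the instance actually restricts. The `fetch` parameter exists so the check can be exercised offline against canned status codes.

```python
"""Anonymous-JSON exposure audit for a Sling instance (added example).

Assumptions: the instance listens at BASE_URL and the operator expects every
path in SENSITIVE_PATHS to require authentication. Nothing here sends
credentials; a 2xx answer therefore means the rendering is world-readable.
"""
import urllib.error
import urllib.request

# Assumption: local instance, same host/port as in the email.
BASE_URL = "http://localhost:8080"

# Constructed list of JSON renderings that a public instance should not serve
# anonymously. The user node path is taken from the email; the others are
# placeholders to be replaced with real paths from your content tree.
SENSITIVE_PATHS = [
    "/system/userManager/user/admin.json",
    "/system/userManager.tidy.1.json",
    "/content.infinity.json",
]


def http_get_status(url):
    """Return the HTTP status of an unauthenticated GET (no Authorization header)."""
    req = urllib.request.Request(url, headers={"User-Agent": "sling-json-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        # 401/403/404 arrive as exceptions; the status code is what we want.
        return err.code


def classify(status):
    """Map an HTTP status code to an audit verdict."""
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "not-found"
    if 200 <= status < 300:
        return "EXPOSED"
    return "other"


def audit(paths, base_url=BASE_URL, fetch=http_get_status):
    """Probe each path without credentials; return {path: verdict}."""
    return {path: classify(fetch(base_url + path)) for path in paths}


def exposed(results):
    """Paths that were served anonymously with a 2xx status, sorted."""
    return sorted(path for path, verdict in results.items() if verdict == "EXPOSED")


if __name__ == "__main__":
    results = audit(SENSITIVE_PATHS)
    for path, verdict in results.items():
        print(f"{verdict:10s} {path}")
    if exposed(results):
        raise SystemExit("anonymous JSON renderings found; tighten ACLs or disable "
                         "the JSON rendering in the GET servlet")
```

Run it before and after changing the access control or GET-servlet configuration: a path that moves from "EXPOSED" to "denied" confirms the change took effect, while a path that reports "not-found" may simply not exist on this instance and should be checked separately.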
