On Wednesday, March 11, 2020 10:05:20 PM CET Cris Rockwell wrote:
> I think your response helps in a way. I am asking why this default exists.
> Is there is a rationale for the default or no? Based on your response, it
> should be deleted if the application needs to control ACL read permissions,
> and maybe there is no reason for the default other than to ensure everyone
> can read everything under /content.

It is convenient for the Sling Starter and the sample applications.

When you build your own Sling application (incl. starter or features) you 
usually configure it depending on your requirements (Tar vs Mongo, blob store, 
etc.) and do not use the default values.

What is your use case? How would removing the read permission for /content 
help?

O.

> Cris
> 
> > On Mar 11, 2020, at 3:42 PM, Oliver Lietz <apa...@oliverlietz.de> wrote:
> > 
> > On Wednesday, March 11, 2020 8:34:12 PM CET Cris Rockwell wrote:
> >> Hi Oliver
> >> 
> >> Thanks for the fast reply. Can I ask the exact same set of questions
> >> about
> >> default jcr:read access for everyone on /content? Is that required?
> > 
> > It depends on your application. If you do not want to serve content to
> > anonymous users/clients you can remove the read permissions.
> > You can even remove the whole JCR from Sling if you do not want to serve
> > content from it.
> > 
> > Does it help?
> > 
> > Regards,
> > O.
> > 
> >> Cris Rockwell
> >> 
> >>> On Mar 11, 2020, at 3:05 PM, Oliver Lietz <apa...@oliverlietz.de> wrote:
> >>> 
> >>> On Wednesday, March 11, 2020 6:50:51 PM CET Cris Rockwell wrote:
> >>>> Hello Sling Users
> >>> 
> >>> Hi Cris,
> >>> 
> >>>> When I launch Sling, there is an ACL for jcr:read for the everyone
> >>>> 'principal' on jcr:root, as described in the repoinit.txt
> >>>> http://archive.apache.org/dist/sling/org.apache.sling.launchpad-9.jar
> >>>> 
> >>>> I have found these resources:
> >>>> 
> >>>> http://apache-sling.73963.n3.nabble.com/Principal-quot-everyone-quot-is-not-clear-td4078544.html
> >>>> https://jackrabbit.apache.org/oak/docs/security/user/membership.html
> >>>> 
> >>>> But I still have questions:
> >>>> * Why is everyone by default granted jcr:read access to the whole
> >>>>   repository?
> >>>> * If you wanted to control access, isn't it better to whitelist
> >>>>   (i.e. grant) instead of deny?
> >>>> * If the everyone ACL jcr:read rule was deleted from root, what
> >>>>   problems should be expected?
> >>> 
> >>> That was changed several years ago already, see SLING-6130 and current
> >>> setup:
> >>> 
> >>> https://github.com/apache/sling-org-apache-sling-starter/blob/master/src/main/provisioning/repoinit.txt
> >>> 
> >>> Regards,
> >>> O.
> >>> 
> >>>> Many thanks!

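The thread discusses replacing the Starter's blanket `allow jcr:read on /content` for `everyone` with explicit grants. The following repoinit script is an added illustration of that allow-list approach; it is not the Starter's own repoinit.txt and not something either poster wrote. The paths `/content/public` and `/content/internal` and the group `content-readers` are invented for the example.

```repoinit
# Constructed example: deny-by-default read access under /content.
# Nothing under /content is readable unless an ACE below grants it,
# because no "allow jcr:read on /content" for everyone is set.

# Hypothetical content tree for the example
create path (sling:Folder) /content/public
create path (sling:Folder) /content/internal

# Hypothetical group that holds the authenticated readers
create group content-readers

# Anonymous/everyone may read only the public subtree
set ACL for everyone
    allow jcr:read on /content/public
end

# Internal content is readable only by members of content-readers
set ACL for content-readers
    allow jcr:read on /content/internal
end
```

With this in place, an anonymous request for a resource under `/content/internal` resolves to a 404 rather than serving the node, and a request under `/content/public` behaves as it does with the Starter default. Verifying the effect is straightforward: log in to the repository as the anonymous user and check `session.nodeExists("/content/internal")` returns `false` while `session.nodeExists("/content/public")` returns `true`.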