You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@sling.apache.org by "Andreas Schaefer Sr." <sc...@me.com> on 2017/04/10 20:15:56 UTC
Securing a Servlet w/o Resource
Hi
If I have a servlet that is not based on a resource how would
I secure access in Sling?
This is what I came up with on doPost():
userManager = AccessControlUtil.getUserManager(session);
Authorizable authorizable = userManager.getAuthorizable(request.getUserPrincipal());
if(authorizable == null) {
// handle anonymous user
return;
}
boolean ok = false;
if("admin".equals(authorizable.getID())) {
ok = true;
} else {
Iterator<Group> i = authorizable.declaredMemberOf();
while(i.hasNext()) {
Group group = i.next();
if("sling-node".equals(group.getID())) {
ok = true;
break;
}
}
}
if(!ok) {
// Handle wrong permissions
return;
}
Re: Securing a Servlet w/o Resource
Posted by "Andreas Schaefer Sr." <sc...@me.com>.
Yeah, that might be a good idea.
That said I ran into an issue with JCR Package and Groups.
Having a group part of the package will replace the group
node during installation even when filter mode is set to update
or merge.
This is an issue because User Group Membership is stored on
the group and a redeployment will wipe that.
Is that by design?
Thanks - Andy Schaefer
> On Apr 11, 2017, at 12:27 AM, Bertrand Delacretaz <bd...@apache.org> wrote:
>
> Hi,
>
> On Mon, Apr 10, 2017 at 10:15 PM, Andreas Schaefer Sr. <sc...@me.com> wrote:
>> ...If I have a servlet that is not based on a resource how would
>> I secure access in Sling?..
>
> IIUC in your code you check for membership in a specific group - that
> would probably work but it might be more flexible and manageable to
> check that the current user has access to a specific "permissions
> shadow" resource.
>
> You could have a /permissions resource with specific children for
> various operations like /permissions/send-email-to-example_com, and
> have your servlet check read access to those based on operations
> names.
>
> -Bertrand
Re: Securing a Servlet w/o Resource
Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,
On Mon, Apr 10, 2017 at 10:15 PM, Andreas Schaefer Sr. <sc...@me.com> wrote:
> ...If I have a servlet that is not based on a resource how would
> I secure access in Sling?..
IIUC in your code you check for membership in a specific group - that
would probably work but it might be more flexible and manageable to
check that the current user has access to a specific "permissions
shadow" resource.
You could have a /permissions resource with specific children for
various operations like /permissions/send-email-to-example_com, and
have your servlet check read access to those based on operations
names.
-Bertrand