You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@sling.apache.org by "David G." <da...@gmail.com> on 2012/11/16 22:06:12 UTC
Disabled default "Property Printing" behavior in the Sling GET Servlet
Is there a way to prevent making a GET for the full path to a property
to NOT return the property's value:
HTTP GET /content/site/page/jcr:content/page-property ==> "this is
the page property value"
I want it to return nothing -- i would be find being able to control
this on a per-resourcetype basis as well.
I did not see this an a option on the Sling GET Servlet. Is it
configured someplace else perhaps?
Thanks!
Re: Disabled default "Property Printing" behavior in the Sling
GET Servlet
Posted by "David G." <da...@gmail.com>.
wow. just re-read my post. my apologies for the monster type-o's -- was trying to do 2 things at once when i wrote that :)
--
David Gonzalez
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)
On Monday, November 19, 2012 at 8:17 AM, David G. wrote:
> Felix,
>
> 1) The problem is controlling the message. Many folks, very
> reasonably, want to control exactly how they serve their content (from
> their "trusted" domain) so its taken in context. For example, in
> Pharma, if i have a page resource, and the body paragraph and the
> disclaimer content is maintained in separate nodes and/or properties,
> i do not want there to be *ANY WAY* for to serve up the content
> without the disclaimer (if someone links straight to the body
> property, patients could see this content served from
> www.im-a-pharma.com (http://www.im-a-pharma.com) and the Pharma company could have *big* legal
> issues. This is an extreme (legal) example, but its very reasonable
> for folks to control how their messages are made available. Default
> renditions make this di
>
> 2) A number of people have alluded to property level ACLs (lars did as
> well in a thread I started ahwile back), however I have not been able
> to locate the exact mechanism for this. The closest I can find is the
> Jackrabbit ACL GlobPattern which, AFIAT, does node level restrictions,
> not property-level. [1] Have I been misinterpretion the suggestions
> and it Is really to move any "permissioned properties" into a subnode
> (or some other node) and ACE that node?
>
> [1] http://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/core/security/authorization/GlobPattern.html
>
> Thanks!
>
>
> On Mon, Nov 19, 2012 at 3:58 AM, Felix Meschberger <fmeschbe@adobe.com (mailto:fmeschbe@adobe.com)> wrote:
> > Hi,
> >
> > A property also resolves to a Resource when accessed and the default get servlet sends it as a response.
> >
> > What's the problem here ?
> >
> > You might want to use access control to prevent this.
> >
> > Regards
> > Felix
> >
> > Am 16.11.2012 um 22:06 schrieb David G.:
> >
> > > Is there a way to prevent making a GET for the full path to a property
> > > to NOT return the property's value:
> > >
> > > HTTP GET /content/site/page/jcr:content/page-property ==> "this is
> > > the page property value"
> > >
> > > I want it to return nothing -- i would be find being able to control
> > > this on a per-resourcetype basis as well.
> > >
> > > I did not see this an a option on the Sling GET Servlet. Is it
> > > configured someplace else perhaps?
> > >
> > > Thanks!
Re: Disabled default "Property Printing" behavior in the Sling GET Servlet
Posted by "David G." <da...@gmail.com>.
Felix,
1) The problem is controlling the message. Many folks, very
reasonably, want to control exactly how they serve their content (from
their "trusted" domain) so its taken in context. For example, in
Pharma, if i have a page resource, and the body paragraph and the
disclaimer content is maintained in separate nodes and/or properties,
i do not want there to be *ANY WAY* for to serve up the content
without the disclaimer (if someone links straight to the body
property, patients could see this content served from
www.im-a-pharma.com and the Pharma company could have *big* legal
issues. This is an extreme (legal) example, but its very reasonable
for folks to control how their messages are made available. Default
renditions make this di
2) A number of people have alluded to property level ACLs (lars did as
well in a thread I started ahwile back), however I have not been able
to locate the exact mechanism for this. The closest I can find is the
Jackrabbit ACL GlobPattern which, AFIAT, does node level restrictions,
not property-level. [1] Have I been misinterpretion the suggestions
and it Is really to move any "permissioned properties" into a subnode
(or some other node) and ACE that node?
[1] http://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/core/security/authorization/GlobPattern.html
Thanks!
On Mon, Nov 19, 2012 at 3:58 AM, Felix Meschberger <fm...@adobe.com> wrote:
> Hi,
>
> A property also resolves to a Resource when accessed and the default get servlet sends it as a response.
>
> What's the problem here ?
>
> You might want to use access control to prevent this.
>
> Regards
> Felix
>
> Am 16.11.2012 um 22:06 schrieb David G.:
>
>> Is there a way to prevent making a GET for the full path to a property
>> to NOT return the property's value:
>>
>> HTTP GET /content/site/page/jcr:content/page-property ==> "this is
>> the page property value"
>>
>> I want it to return nothing -- i would be find being able to control
>> this on a per-resourcetype basis as well.
>>
>> I did not see this an a option on the Sling GET Servlet. Is it
>> configured someplace else perhaps?
>>
>> Thanks!
>
Re: Disabled default "Property Printing" behavior in the Sling GET
Servlet
Posted by Felix Meschberger <fm...@adobe.com>.
Hi,
A property also resolves to a Resource when accessed and the default get servlet sends it as a response.
What's the problem here ?
You might want to use access control to prevent this.
Regards
Felix
Am 16.11.2012 um 22:06 schrieb David G.:
> Is there a way to prevent making a GET for the full path to a property
> to NOT return the property's value:
>
> HTTP GET /content/site/page/jcr:content/page-property ==> "this is
> the page property value"
>
> I want it to return nothing -- i would be find being able to control
> this on a per-resourcetype basis as well.
>
> I did not see this an a option on the Sling GET Servlet. Is it
> configured someplace else perhaps?
>
> Thanks!
Re: Disabled default "Property Printing" behavior in the Sling GET Servlet
Posted by Carsten Ziegeler <cz...@apache.org>.
We could make this configurable
Carsten
2012/11/26 Felix Meschberger <fm...@adobe.com>:
> Hi
>
> Not that I would know of.
>
> The only practical solution I could think of would be to disable creation of the Property based Resource.
>
> Regards
> Felix
>
> PS: The the JcrPropertyResource was introduced as part of SLING-161
>
> [1] https://issues.apache.org/jira/browse/SLING-161
>
> Am 22.11.2012 um 15:37 schrieb David Gonzalez:
>
>> All/Felix, is there a way to disable this renditioning?
>>
>> Thanks
>>
>> Sent from my iPhone
>>
>> On Nov 21, 2012, at 7:11 AM, Felix Meschberger <fm...@adobe.com> wrote:
>>
>>> Hi,
>>>
>>> I don't know the exact reasoning any more. It was a result of implementing a JcrPropertyResource. IMHO it makes sense to some extent.
>>>
>>> Regards
>>> Felix
>>>
>>> Am 19.11.2012 um 15:24 schrieb Carsten Ziegeler:
>>>
>>>> I'm wondering why we introduced access a property of a resource
>>>> directly via a path in the first place? :)
>>>>
>>>> This is special to the jcr resource provider and is nothing which is
>>>> supported by any other resource provider.
>>>>
>>>> At the moment, I'm just curious
>>>>
>>>> Regards
>>>> Carsten
>>>>
>>>> 2012/11/19 Bertrand Delacretaz <bd...@apache.org>:
>>>>> On Fri, Nov 16, 2012 at 10:06 PM, David G. <da...@gmail.com> wrote:
>>>>>> Is there a way to prevent making a GET for the full path to a property
>>>>>> to NOT return the property's value:
>>>>>>
>>>>>> HTTP GET /content/site/page/jcr:content/page-property ==> "this is
>>>>>> the page property value"...
>>>>>
>>>>> If all such paths contain "jcr:content", a Filter or front-end
>>>>> blocking mechanism might help...but that depends on your overall URL
>>>>> scheme.
>>>>>
>>>>> -Bertrand
>>>>
>>>>
>>>>
>>>> --
>>>> Carsten Ziegeler
>>>> cziegeler@apache.org
>>>
>
--
Carsten Ziegeler
cziegeler@apache.org
Re: Disabled default "Property Printing" behavior in the Sling GET
Servlet
Posted by Felix Meschberger <fm...@adobe.com>.
Hi
Not that I would know of.
The only practical solution I could think of would be to disable creation of the Property based Resource.
Regards
Felix
PS: The the JcrPropertyResource was introduced as part of SLING-161
[1] https://issues.apache.org/jira/browse/SLING-161
Am 22.11.2012 um 15:37 schrieb David Gonzalez:
> All/Felix, is there a way to disable this renditioning?
>
> Thanks
>
> Sent from my iPhone
>
> On Nov 21, 2012, at 7:11 AM, Felix Meschberger <fm...@adobe.com> wrote:
>
>> Hi,
>>
>> I don't know the exact reasoning any more. It was a result of implementing a JcrPropertyResource. IMHO it makes sense to some extent.
>>
>> Regards
>> Felix
>>
>> Am 19.11.2012 um 15:24 schrieb Carsten Ziegeler:
>>
>>> I'm wondering why we introduced access a property of a resource
>>> directly via a path in the first place? :)
>>>
>>> This is special to the jcr resource provider and is nothing which is
>>> supported by any other resource provider.
>>>
>>> At the moment, I'm just curious
>>>
>>> Regards
>>> Carsten
>>>
>>> 2012/11/19 Bertrand Delacretaz <bd...@apache.org>:
>>>> On Fri, Nov 16, 2012 at 10:06 PM, David G. <da...@gmail.com> wrote:
>>>>> Is there a way to prevent making a GET for the full path to a property
>>>>> to NOT return the property's value:
>>>>>
>>>>> HTTP GET /content/site/page/jcr:content/page-property ==> "this is
>>>>> the page property value"...
>>>>
>>>> If all such paths contain "jcr:content", a Filter or front-end
>>>> blocking mechanism might help...but that depends on your overall URL
>>>> scheme.
>>>>
>>>> -Bertrand
>>>
>>>
>>>
>>> --
>>> Carsten Ziegeler
>>> cziegeler@apache.org
>>
Re: Disabled default "Property Printing" behavior in the Sling GET Servlet
Posted by David Gonzalez <da...@gmail.com>.
All/Felix, is there a way to disable this renditioning?
Thanks
Sent from my iPhone
On Nov 21, 2012, at 7:11 AM, Felix Meschberger <fm...@adobe.com> wrote:
> Hi,
>
> I don't know the exact reasoning any more. It was a result of implementing a JcrPropertyResource. IMHO it makes sense to some extent.
>
> Regards
> Felix
>
> Am 19.11.2012 um 15:24 schrieb Carsten Ziegeler:
>
>> I'm wondering why we introduced access a property of a resource
>> directly via a path in the first place? :)
>>
>> This is special to the jcr resource provider and is nothing which is
>> supported by any other resource provider.
>>
>> At the moment, I'm just curious
>>
>> Regards
>> Carsten
>>
>> 2012/11/19 Bertrand Delacretaz <bd...@apache.org>:
>>> On Fri, Nov 16, 2012 at 10:06 PM, David G. <da...@gmail.com> wrote:
>>>> Is there a way to prevent making a GET for the full path to a property
>>>> to NOT return the property's value:
>>>>
>>>> HTTP GET /content/site/page/jcr:content/page-property ==> "this is
>>>> the page property value"...
>>>
>>> If all such paths contain "jcr:content", a Filter or front-end
>>> blocking mechanism might help...but that depends on your overall URL
>>> scheme.
>>>
>>> -Bertrand
>>
>>
>>
>> --
>> Carsten Ziegeler
>> cziegeler@apache.org
>
Re: Disabled default "Property Printing" behavior in the Sling GET
Servlet
Posted by Felix Meschberger <fm...@adobe.com>.
Hi,
I don't know the exact reasoning any more. It was a result of implementing a JcrPropertyResource. IMHO it makes sense to some extent.
Regards
Felix
Am 19.11.2012 um 15:24 schrieb Carsten Ziegeler:
> I'm wondering why we introduced access a property of a resource
> directly via a path in the first place? :)
>
> This is special to the jcr resource provider and is nothing which is
> supported by any other resource provider.
>
> At the moment, I'm just curious
>
> Regards
> Carsten
>
> 2012/11/19 Bertrand Delacretaz <bd...@apache.org>:
>> On Fri, Nov 16, 2012 at 10:06 PM, David G. <da...@gmail.com> wrote:
>>> Is there a way to prevent making a GET for the full path to a property
>>> to NOT return the property's value:
>>>
>>> HTTP GET /content/site/page/jcr:content/page-property ==> "this is
>>> the page property value"...
>>
>> If all such paths contain "jcr:content", a Filter or front-end
>> blocking mechanism might help...but that depends on your overall URL
>> scheme.
>>
>> -Bertrand
>
>
>
> --
> Carsten Ziegeler
> cziegeler@apache.org
Re: Disabled default "Property Printing" behavior in the Sling GET Servlet
Posted by Carsten Ziegeler <cz...@apache.org>.
I'm wondering why we introduced access a property of a resource
directly via a path in the first place? :)
This is special to the jcr resource provider and is nothing which is
supported by any other resource provider.
At the moment, I'm just curious
Regards
Carsten
2012/11/19 Bertrand Delacretaz <bd...@apache.org>:
> On Fri, Nov 16, 2012 at 10:06 PM, David G. <da...@gmail.com> wrote:
>> Is there a way to prevent making a GET for the full path to a property
>> to NOT return the property's value:
>>
>> HTTP GET /content/site/page/jcr:content/page-property ==> "this is
>> the page property value"...
>
> If all such paths contain "jcr:content", a Filter or front-end
> blocking mechanism might help...but that depends on your overall URL
> scheme.
>
> -Bertrand
--
Carsten Ziegeler
cziegeler@apache.org
Re: Disabled default "Property Printing" behavior in the Sling GET Servlet
Posted by Bertrand Delacretaz <bd...@apache.org>.
On Fri, Nov 16, 2012 at 10:06 PM, David G. <da...@gmail.com> wrote:
> Is there a way to prevent making a GET for the full path to a property
> to NOT return the property's value:
>
> HTTP GET /content/site/page/jcr:content/page-property ==> "this is
> the page property value"...
If all such paths contain "jcr:content", a Filter or front-end
blocking mechanism might help...but that depends on your overall URL
scheme.
-Bertrand