You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by Carsten Ziegeler <cz...@apache.org> on 2013/12/16 08:00:56 UTC
[ResourceAccessSecurity] Returns NonExistingResource if acess is denied
Hi,
while looking at the ResourceAccessSecurity implementation I noticed that
it returns a NonExistingResource if read access is denied. I think it
simply should return null.
Thoughts?
Regards
Carsten
--
Carsten Ziegeler
cziegeler@apache.org
Re: [ResourceAccessSecurity] Returns NonExistingResource if acess is denied
Posted by Carsten Ziegeler <cz...@apache.org>.
Yepp, exactly - so a resource provider and that includes the resource
access security implementation should never return a NonExistingResource -
otherwise the getResource() contract of the ResourceResolver will be broken.
So, I'll go ahead and change this
Thanks
Carsten
2013/12/17 Alexander Klimetschek <ak...@adobe.com>
> On 16.12.2013, at 04:38, Dominik Süß <do...@gmail.com> wrote:
>
> > There is currently a gap between the behavior of .resolve() and
> .getResource()
> > where getResource would return null and .resolve() should return a
> > NonExistingResource. I'm pretty sure there is a reason for that, but I
> > couldn't find it.
>
> Oh, yes, there is a good reason for that:
>
> - resolve() is used for request processing, where it is necessary to
> handle the non-existing case with the special sling:nonexisting resource
> type and the original path info
> - getResource() is the more "raw" access, similar to JCR Session.getNode()
> (*)
>
> Applications would always use getResource() and handle the null check.
> resolve() is mostly only for the sling engine, or if you have some more
> complex internal forwarding etc. that requires to replicate Sling's
> resolution behavior.
>
> (*) yes, getNode() throws an exception, but that's similar to returning
> null compared to returning a special NonExistingResource object
>
> Cheers,
> Alex
>
>
--
Carsten Ziegeler
cziegeler@apache.org
Re: [ResourceAccessSecurity] Returns NonExistingResource if acess is denied
Posted by Dominik Süß <do...@gmail.com>.
Ah ok thanks, wasn't really sure about that due to the alternative resolve
signature with request but I should have read the classdescription which is
pretty clear.
So +1 from my side as well.
Best regards
Dominik
Am 16.12.2013 21:38 schrieb "Alexander Klimetschek" <ak...@adobe.com>:
> On 16.12.2013, at 04:38, Dominik Süß <do...@gmail.com> wrote:
>
> > There is currently a gap between the behavior of .resolve() and
> .getResource()
> > where getResource would return null and .resolve() should return a
> > NonExistingResource. I'm pretty sure there is a reason for that, but I
> > couldn't find it.
>
> Oh, yes, there is a good reason for that:
>
> - resolve() is used for request processing, where it is necessary to
> handle the non-existing case with the special sling:nonexisting resource
> type and the original path info
> - getResource() is the more "raw" access, similar to JCR Session.getNode()
> (*)
>
> Applications would always use getResource() and handle the null check.
> resolve() is mostly only for the sling engine, or if you have some more
> complex internal forwarding etc. that requires to replicate Sling's
> resolution behavior.
>
> (*) yes, getNode() throws an exception, but that's similar to returning
> null compared to returning a special NonExistingResource object
>
> Cheers,
> Alex
>
>
Re: [ResourceAccessSecurity] Returns NonExistingResource if acess
is denied
Posted by Alexander Klimetschek <ak...@adobe.com>.
On 16.12.2013, at 04:38, Dominik Süß <do...@gmail.com> wrote:
> There is currently a gap between the behavior of .resolve() and .getResource()
> where getResource would return null and .resolve() should return a
> NonExistingResource. I'm pretty sure there is a reason for that, but I
> couldn't find it.
Oh, yes, there is a good reason for that:
- resolve() is used for request processing, where it is necessary to handle the non-existing case with the special sling:nonexisting resource type and the original path info
- getResource() is the more "raw" access, similar to JCR Session.getNode() (*)
Applications would always use getResource() and handle the null check. resolve() is mostly only for the sling engine, or if you have some more complex internal forwarding etc. that requires to replicate Sling's resolution behavior.
(*) yes, getNode() throws an exception, but that's similar to returning null compared to returning a special NonExistingResource object
Cheers,
Alex
Re: [ResourceAccessSecurity] Returns NonExistingResource if acess is denied
Posted by Dominik Süß <do...@gmail.com>.
+0.5
I'm aware of this contract but just did check when the NonExistingResource
would be valid to be used.
Looking at [0] you could read this to be a correct behavior as well. There
is currently a gap between the behavior of .resolve() and .getResource()
where getResource would return null and .resolve() should return a
NonExistingResource. I'm pretty sure there is a reason for that, but I
couldn't find it. So could anyone enlighten me befor I can give full +1
from my side? :)
Best regards
Dominik
[0]
http://sling.apache.org/apidocs/sling5/org/apache/sling/api/resource/Resource.html#RESOURCE_TYPE_NON_EXISTING
On Mon, Dec 16, 2013 at 11:54 AM, Felix Meschberger <fm...@adobe.com>wrote:
> Hi
>
> Are you talking about "ResourceAccessSecurityImpl.getReadableResource" ?
> Yes, I agree, that returning NonExistingResource is indeed violating the
> API spec which states null is to be returned if the resource is not
> readable.
>
> Regards
> Felix
>
> Am 16.12.2013 um 08:00 schrieb Carsten Ziegeler <cz...@apache.org>:
>
> > Hi,
> >
> > while looking at the ResourceAccessSecurity implementation I noticed that
> > it returns a NonExistingResource if read access is denied. I think it
> > simply should return null.
> >
> > Thoughts?
> >
> > Regards
> > Carsten
> > --
> > Carsten Ziegeler
> > cziegeler@apache.org
>
>
Re: [ResourceAccessSecurity] Returns NonExistingResource if acess
is denied
Posted by Felix Meschberger <fm...@adobe.com>.
Hi
Are you talking about "ResourceAccessSecurityImpl.getReadableResource" ? Yes, I agree, that returning NonExistingResource is indeed violating the API spec which states null is to be returned if the resource is not readable.
Regards
Felix
Am 16.12.2013 um 08:00 schrieb Carsten Ziegeler <cz...@apache.org>:
> Hi,
>
> while looking at the ResourceAccessSecurity implementation I noticed that
> it returns a NonExistingResource if read access is denied. I think it
> simply should return null.
>
> Thoughts?
>
> Regards
> Carsten
> --
> Carsten Ziegeler
> cziegeler@apache.org