Posted to dev@sling.apache.org by "Andrew Khoury (JIRA)" <ji...@apache.org> on 2011/07/11 19:19:00 UTC

[jira] [Created] (SLING-2136) Sling POST Servlet: Configuration of Allowed Paths

Sling POST Servlet: Configuration of Allowed Paths
--------------------------------------------------

                 Key: SLING-2136
                 URL: https://issues.apache.org/jira/browse/SLING-2136
             Project: Sling
          Issue Type: Improvement
          Components: Servlets
    Affects Versions: Servlets Post 2.1.2
            Reporter: Andrew Khoury


It would be nice if you could configure rules or regular expressions for paths the sling post servlet is allowed to work under.  This would be good for both security reasons and for protecting against conflicts with other servlets.

For example:
Let's say you have a servlet ReplicationServlet registered to receive POST requests under path /bin/replicate.
However, during startup, before the ReplicationServlet component has been enabled, a user tries to do a POST to /bin/replicate.  In this case, instead of executing the ReplicationServlet, the POST servlet is executed and it creates a node under /bin/replicate.  Now, as long as the node /bin/replicate exists... the ReplicationServlet will not be executed for requests to /bin/replicate.  This presents a problem and explains the necessity for this feature.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (SLING-2136) Sling POST Servlet: Configuration of Allowed Paths

Posted by "Alexander Klimetschek (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13156808#comment-13156808 ] 

Alexander Klimetschek commented on SLING-2136:
----------------------------------------------

Forcing the :operation parameter is not very elegant IMHO and it is not backwards compatible (all existing forms would have to be changed).

Also, the problem mostly exists for non-existing paths (such as virtual servlet paths), because after they get created accidentally through the post servlet, the virtual resolution is immediately eliminated. For cases where a node is present, but only the actual servlet is currently not available, you usually don't overwrite the resource type. Hence the next call when the servlet is present again will work. Only the properties have been written. And if such a servlet acts as a "filter" for the sling post servlet (and will forward to it afterwards, a quite common case), forcing the :operation parameter won't help, as it will be there anyway.

I think the filtering is a simple solution at least for the virtual paths. One doesn't have to use it.
                

        

[jira] [Commented] (SLING-2136) Sling POST Servlet: Configuration of Allowed Paths

Posted by "Justin Edelson (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13208615#comment-13208615 ] 

Justin Edelson commented on SLING-2136:
---------------------------------------

The servlet at /testing/PathsServletNodeServlet is responsible for creating a node at /testing/PathsServlet/foo. So the paths aren't meant to be the same.

Admittedly, the test could be written in a clearer fashion :)
                

        

[jira] [Commented] (SLING-2136) Sling POST Servlet: Configuration of Allowed Paths

Posted by "Justin Edelson (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159753#comment-13159753 ] 

Justin Edelson commented on SLING-2136:
---------------------------------------

In r1208215, I added an integration test which illustrates that if a servlet is registered for a particular path AND a JCR Node exists at that path, the servlet is still executed. This conflicts with this statement in the original description:

"Now, as long as the node /bin/replicate exists... the ReplicationServlet will not be executed for requests to /bin/replicate. This presents a problem and explains the necessity for this feature."

Andrew (or anyone else having this issue) - can you try running that IT (note that it depends upon a new servlet added in the test-services bundle) and see what happens for you? Perhaps there is something else going on.
                

        

[jira] [Commented] (SLING-2136) Sling POST Servlet: Configuration of Allowed Paths

Posted by "Justin Edelson (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159754#comment-13159754 ] 

Justin Edelson commented on SLING-2136:
---------------------------------------

And I should also say... if anyone can reproduce the scenario where a node prevents a servlet from executing, please open a *separate* JIRA issue with the steps to reproduce.
                

        

[jira] [Commented] (SLING-2136) Sling POST Servlet: Configuration of Allowed Paths

Posted by "Alexander Klimetschek (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13208596#comment-13208596 ] 

Alexander Klimetschek commented on SLING-2136:
----------------------------------------------

@Justin: The paths are different in your integration test, explaining why they don't conflict:

- servlet registered under "/testing/PathsServletNodeServlet"
- content path created at "/testing/PathsServlet/foo"

The content path should be exactly the same ("/testing/PathsServletNodeServlet") to test the original described issue. I am quite sure that this is a problem.
                

        

[jira] [Commented] (SLING-2136) Sling POST Servlet: Configuration of Allowed Paths

Posted by "Alexander Klimetschek (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13209308#comment-13209308 ] 

Alexander Klimetschek commented on SLING-2136:
----------------------------------------------

Ok, I missed the existing http://svn.apache.org/viewvc/sling/trunk/launchpad/test-services/src/main/java/org/apache/sling/launchpad/testservices/servlets/PathsServlet.java?view=markup registered under /testing/PathsServlet/foo. Weird that this does not conflict...
                

        

[jira] [Updated] (SLING-2136) Sling POST Servlet: Configuration of Allowed Paths

Posted by "Tobias Bocanegra (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tobias Bocanegra updated SLING-2136:
------------------------------------

    Attachment: post_servlet_filter-1205238.patch

Patch that introduces a new configuration for a simple
allow/deny path filter list.
                

        
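An added illustration of the "simple allow/deny path filter list" idea discussed in this thread. It is not the contents of post_servlet_filter-1205238.patch and not Sling code: the class name `PostPathFilter`, the `+`/`-` rule syntax, the last-match-wins ordering, the default deny and the sample paths are all assumptions made for this example.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical allow/deny path filter; names and rule syntax are assumptions. */
public class PostPathFilter {

    /** One configured rule: a regular expression plus an allow or deny verdict. */
    private static final class Rule {
        final boolean allow;
        final Pattern pattern;

        Rule(boolean allow, String regex) {
            this.allow = allow;
            this.pattern = Pattern.compile(regex);
        }
    }

    private final List<Rule> rules = new ArrayList<>();

    /** Assumed syntax: "+regex" allows, "-regex" denies; rules are kept in order. */
    public PostPathFilter(String... specs) {
        for (String spec : specs) {
            if (spec.length() < 2 || "+-".indexOf(spec.charAt(0)) < 0) {
                throw new IllegalArgumentException("rule must start with + or -: " + spec);
            }
            rules.add(new Rule(spec.charAt(0) == '+', spec.substring(1)));
        }
    }

    /**
     * Collapses "//", "." and ".." segments so that a rule cannot be
     * sidestepped by spelling the same path differently. Returns null for
     * paths that are not absolute or that climb above the root.
     */
    static String normalize(String path) {
        if (path == null || !path.startsWith("/")) {
            return null;
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                if (segments.isEmpty()) {
                    return null; // climbs above the root
                }
                segments.removeLast();
            } else {
                segments.addLast(segment);
            }
        }
        return "/" + String.join("/", segments);
    }

    /** Last matching rule wins; a path that matches no rule is denied. */
    public boolean isAllowed(String path) {
        String normalized = normalize(path);
        if (normalized == null) {
            return false;
        }
        boolean allowed = false;
        for (Rule rule : rules) {
            if (rule.pattern.matcher(normalized).matches()) {
                allowed = rule.allow;
            }
        }
        return allowed;
    }

    public static void main(String[] args) {
        // Constructed rule list: writes allowed under /content, never under /bin.
        PostPathFilter filter = new PostPathFilter(
                "+/content(/.*)?",
                "-/content/locked(/.*)?",
                "-/bin(/.*)?");

        // Constructed sample request paths, including alternate spellings.
        String[] samples = {
            "/content/site/page",
            "/bin/replicate",
            "/content/../bin/replicate",
            "/content/locked/x",
            "/content//site/./page",
            "/apps/foo",
            "/../etc"
        };
        for (String sample : samples) {
            System.out.println((filter.isAllowed(sample) ? "ALLOW " : "DENY  ") + sample);
        }
    }
}
```

A check like this only decides whether a generic POST handler may act on a request path; the ACL approach raised elsewhere in the thread enforces the restriction in the repository itself, independent of which servlet handles the request.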

[jira] [Commented] (SLING-2136) Sling POST Servlet: Configuration of Allowed Paths

Posted by "Antonio Sanso (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13186853#comment-13186853 ] 

Antonio Sanso commented on SLING-2136:
--------------------------------------

"Now, as long as the node /bin/replicate exists... the ReplicationServlet will not be executed for requests to /bin/replicate. This presents a problem and explains the necessity for this feature." 

Just for reference, I think the new startup filter SLING-2347 might help here
 
                

        

[jira] [Commented] (SLING-2136) Sling POST Servlet: Configuration of Allowed Paths

Posted by "Carsten Ziegeler (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13156593#comment-13156593 ] 

Carsten Ziegeler commented on SLING-2136:
-----------------------------------------

Yes, I agree with Felix - requiring the :operation parameter solves the path problem but also solves the problem if you have a special post servlet for a resource type and for whatever reason this servlet is not available. It's not maintainable nor possible to configure all combinations of paths and resource types (either white or black lists) for the post servlet to get the same result. Having the default post servlet only act when the :operation parameter is submitted is a clean and elegant way to solve all these problems.
                

        

[jira] [Commented] (SLING-2136) Sling POST Servlet: Configuration of Allowed Paths

Posted by "Felix Meschberger (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13156588#comment-13156588 ] 

Felix Meschberger commented on SLING-2136:
------------------------------------------

I don't think this is - conceptually - the correct solution to the problem. As such I am against applying this patch.

We every now and then encounter situations where the Sling POST Servlet too eagerly does the work it was originally developed to do (see also the workaround for SLING-2120 to prevent writing user names and passwords to the repository in case authentication handlers break).

I think the correct and probably ultimately most stable solution would be to have the Sling POST Servlet require the :operation request parameter indicating the request to really be handled by that servlet.

Another workaround in this current situation (preventing writes to /bin/*) is to apply ACLs.
                

        

Re: [jira] [Commented] (SLING-2136) Sling POST Servlet: Configuration of Allowed Paths

Posted by Justin Edelson <ju...@justinedelson.com>.
On Tue, Nov 29, 2011 at 12:25 PM, Justin Edelson
<ju...@justinedelson.com> wrote:
>
> On Nov 29, 2011 11:34 AM, "Felix Meschberger" <fm...@adobe.com> wrote:
>>
>> Hi,
>>
>> On 29.11.2011 at 17:30, Justin Edelson wrote:
>>
>> > Hi,
>> >
>> > On Tue, Nov 29, 2011 at 11:00 AM, Felix Meschberger <fm...@adobe.com>
>> > wrote:
>> >> Hi,
>> >>
>> >> Another option would be to have a special ResourceProvider which
>> >> returns SyntheticResources in case of any access to below /bin which is not
>> >> backed by a registered servlet. Such a SyntheticResource would not allow the
>> >> POST Servlet to write anything back to anywhere !
>> >
>> > Doesn't this suffer from the same problem as described in the original
>> > JIRA description, i.e. if the component/bundle providing this
>> > ResourceProvider isn't started/active, then the POST would go through
>> > to the default POST Servlet.
>>
>> Basically, yes.
>>
>> >
>> > I'm thinking maybe the real problem isn't that the POST goes through
>> > to the default POST servlet but that the presence of a node at
>> > /bin/replicate prevents the servlet registered at that path from being
>> > executed.
>>
>> No, better matching resource providers overwrite more general ones. So if
>> there is a servlet at /bin/replicate, the node should actually be ignored.
>
> That was what I was trying to say :) If the original description is
> accurate, the more specific resource provider isn't getting picked up and
> that would be a bug.
>
> I can create an IT later in the week for this.

IT added in r1208215

Seems to be working.

>
> Justin
>
>
>>
>> Regards
>> Felix
>>
>> >
>> > WDYT?
>> >
>> > Justin
>> >
>> >>
>> >> Regards
>> >> Felix
>> >>
>> >> On 29.11.2011 at 16:55, Carsten Ziegeler (Commented) (JIRA) wrote:
>> >>
>> >>>
>> >>>    [
>> >>> https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159324#comment-13159324
>> >>> ]
>> >>>
>> >>> Carsten Ziegeler commented on SLING-2136:
>> >>> -----------------------------------------
>> >>>
>> >>> I think the right way is to use ACLs. Adding a new configuration
>> >>> option which basically is an ACL in a servlet is not the right approach.
>> >>>
>> >>> Another workaround is to add a servlet filter
>> >>>
>> >>
>>

Re: [jira] [Commented] (SLING-2136) Sling POST Servlet: Configuration of Allowed Paths

Posted by Justin Edelson <ju...@justinedelson.com>.
On Nov 29, 2011 11:34 AM, "Felix Meschberger" <fm...@adobe.com> wrote:
>
> Hi,
>
> On 29.11.2011 at 17:30, Justin Edelson wrote:
>
> > Hi,
> >
> > On Tue, Nov 29, 2011 at 11:00 AM, Felix Meschberger <fm...@adobe.com> wrote:
> >> Hi,
> >>
> >> Another option would be to have a special ResourceProvider which
> >> returns SyntheticResources in case of any access to below /bin which is not
> >> backed by a registered servlet. Such a SyntheticResource would not allow
> >> the POST Servlet to write anything back to anywhere !
> >
> > Doesn't this suffer from the same problem as described in the original
> > JIRA description, i.e. if the component/bundle providing this
> > ResourceProvider isn't started/active, then the POST would go through
> > to the default POST Servlet.
>
> Basically, yes.
>
> >
> > I'm thinking maybe the real problem isn't that the POST goes through
> > to the default POST servlet but that the presence of a node at
> > /bin/replicate prevents the servlet registered at that path from being
> > executed.
>
> No, better matching resource providers overwrite more general ones. So if
> there is a servlet at /bin/replicate, the node should actually be ignored.

That was what I was trying to say :) If the original description is
accurate, the more specific resource provider isn't getting picked up and
that would be a bug.

I can create an IT later in the week for this.

Justin


>
> Regards
> Felix
>
> >
> > WDYT?
> >
> > Justin
> >
> >>
> >> Regards
> >> Felix
> >>
> >> On 29.11.2011 at 16:55, Carsten Ziegeler (Commented) (JIRA) wrote:
> >>
> >>>
> >>>    [ https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159324#comment-13159324 ]
> >>>
> >>> Carsten Ziegeler commented on SLING-2136:
> >>> -----------------------------------------
> >>>
> >>> I think the right way is to use ACLs. Adding a new configuration
> >>> option which basically is an ACL in a servlet is not the right approach.
> >>>
> >>> Another workaround is to add a servlet filter
> >>>
> >>>> Sling POST Servlet: Configuration of Allowed Paths
> >>>> --------------------------------------------------
> >>>>
> >>>>                Key: SLING-2136
> >>>>                URL: https://issues.apache.org/jira/browse/SLING-2136
> >>>>            Project: Sling
> >>>>         Issue Type: Improvement
> >>>>         Components: Servlets
> >>>>   Affects Versions: Servlets Post 2.1.2
> >>>>           Reporter: Andrew Khoury
> >>>>        Attachments: post_servlet_filter-1205238.patch
> >>>>
> >>>>
> >>>> It would be nice if you could configure rules or regular expressions for paths the sling post servlet is allowed to work under.  This would be good for both security reasons and for protecting against conflicts with other servlets.
> >>>> For example:
> >>>> Let's say you have a servlet ReplicationServlet registered to receive POST requests under path /bin/replicate.
> >>>> However, during startup, before the ReplicationServlet component has been enabled, a user tries to do a POST to /bin/replicate.  In this case, instead of executing the ReplicationServlet, the POST servlet is executed and it creates a node under /bin/replicate.  Now, as long as the node /bin/replicate exists... the ReplicationServlet will not be executed for requests to /bin/replicate.  This presents a problem and explains the necessity for this feature.
> >>>
> >>>
> >>>
> >>
>

Re: [jira] [Commented] (SLING-2136) Sling POST Servlet: Configuration of Allowed Paths

Posted by Felix Meschberger <fm...@adobe.com>.
Hi,

On 29.11.2011 at 17:30, Justin Edelson wrote:

> Hi,
> 
> On Tue, Nov 29, 2011 at 11:00 AM, Felix Meschberger <fm...@adobe.com> wrote:
>> Hi,
>> 
>> Another option would be to have a special ResourceProvider which returns SyntheticResources in case of any access to below /bin which is not backed by a registered servlet. Such a SyntheticResource would not allow the POST Servlet to write anything back to anywhere !
> 
> Doesn't this suffer from the same problem as described in the original
> JIRA description, i.e. if the component/bundle providing this
> ResourceProvider isn't started/active, then the POST would go through
> to the default POST Servlet.

Basically, yes.

> 
> I'm thinking maybe the real problem isn't that the POST goes through
> to the default POST servlet but that the presence of a node at
> /bin/replicate prevents the servlet registered at that path from being
> executed.

No, better matching resource providers overwrite more general ones. So if there is a servlet at /bin/replicate, the node should actually be ignored.

Regards
Felix

> 
> WDYT?
> 
> Justin
> 
>> 
>> Regards
>> Felix
>> 
>> On 29.11.2011 at 16:55, Carsten Ziegeler (Commented) (JIRA) wrote:
>> 
>>> 
>>>    [ https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159324#comment-13159324 ]
>>> 
>>> Carsten Ziegeler commented on SLING-2136:
>>> -----------------------------------------
>>> 
>>> I think the right way is to use ACLs. Adding a new configuration option which basically is an ACL in a servlet is not the right approach.
>>> 
>>> Another workaround is to add a servlet filter
>>> 
>>>> Sling POST Servlet: Configuration of Allowed Paths
>>>> --------------------------------------------------
>>>> 
>>>>                Key: SLING-2136
>>>>                URL: https://issues.apache.org/jira/browse/SLING-2136
>>>>            Project: Sling
>>>>         Issue Type: Improvement
>>>>         Components: Servlets
>>>>   Affects Versions: Servlets Post 2.1.2
>>>>           Reporter: Andrew Khoury
>>>>        Attachments: post_servlet_filter-1205238.patch
>>>> 
>>>> 
>>>> It would be nice if you could configure rules or regular expressions for paths the sling post servlet is allowed to work under.  This would be good for both security reasons and for protecting against conflicts with other servlets.
>>>> For example:
>>>> Let's say you have a servlet ReplicationServlet registered to receive POST requests under path /bin/replicate.
>>>> However, during startup, before the ReplicationServlet component has been enabled, a user tries to do a POST to /bin/replicate.  In this case, instead of executing the ReplicationServlet, the POST servlet is executed and it creates a node under /bin/replicate.  Now, as long as the node /bin/replicate exists... the ReplicationServlet will not be executed for requests to /bin/replicate.  This presents a problem and explains the necessity for this feature.
>>> 
>>> 
>>> 
>> 


Re: [jira] [Commented] (SLING-2136) Sling POST Servlet: Configuration of Allowed Paths

Posted by Justin Edelson <ju...@justinedelson.com>.
Hi,

On Tue, Nov 29, 2011 at 11:00 AM, Felix Meschberger <fm...@adobe.com> wrote:
> Hi,
>
> Another option would be to have a special ResourceProvider which returns SyntheticResources in case of any access to below /bin which is not backed by a registered servlet. Such a SyntheticResource would not allow the POST Servlet to write anything back to anywhere !

Doesn't this suffer from the same problem as described in the original
JIRA description, i.e. if the component/bundle providing this
ResourceProvider isn't started/active, then the POST would go through
to the default POST Servlet.

I'm thinking maybe the real problem isn't that the POST goes through
to the default POST servlet but that the presence of a node at
/bin/replicate prevents the servlet registered at that path from being
executed.

WDYT?

Justin

>
> Regards
> Felix
>
> On 29.11.2011 at 16:55, Carsten Ziegeler (Commented) (JIRA) wrote:
>
>>
>>    [ https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159324#comment-13159324 ]
>>
>> Carsten Ziegeler commented on SLING-2136:
>> -----------------------------------------
>>
>> I think the right way is to use ACLs. Adding a new configuration option which basically is an ACL in a servlet is not the right approach.
>>
>> Another workaround is to add a servlet filter
>>
>>> Sling POST Servlet: Configuration of Allowed Paths
>>> --------------------------------------------------
>>>
>>>                Key: SLING-2136
>>>                URL: https://issues.apache.org/jira/browse/SLING-2136
>>>            Project: Sling
>>>         Issue Type: Improvement
>>>         Components: Servlets
>>>   Affects Versions: Servlets Post 2.1.2
>>>           Reporter: Andrew Khoury
>>>        Attachments: post_servlet_filter-1205238.patch
>>>
>>>
>>> It would be nice if you could configure rules or regular expressions for paths the sling post servlet is allowed to work under.  This would be good for both security reasons and for protecting against conflicts with other servlets.
>>> For example:
>>> Let's say you have a servlet ReplicationServlet registered to receive POST requests under path /bin/replicate.
>>> However, during startup, before the ReplicationServlet component has been enabled, a user tries to do a POST to /bin/replicate.  In this case, instead of executing the ReplicationServlet, the POST servlet is executed and it creates a node under /bin/replicate.  Now, as long as the node /bin/replicate exists... the ReplicationServlet will not be executed for requests to /bin/replicate.  This presents a problem and explains the necessity for this feature.
>>
>>
>>
>

Re: [jira] [Commented] (SLING-2136) Sling POST Servlet: Configuration of Allowed Paths

Posted by Felix Meschberger <fm...@adobe.com>.
Hi,

Another option would be to have a special ResourceProvider which returns SyntheticResources in case of any access to below /bin which is not backed by a registered servlet. Such a SyntheticResource would not allow the POST Servlet to write anything back to anywhere !

Regards
Felix

On 29.11.2011 at 16:55, Carsten Ziegeler (Commented) (JIRA) wrote:

> 
>    [ https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159324#comment-13159324 ] 
> 
> Carsten Ziegeler commented on SLING-2136:
> -----------------------------------------
> 
> I think the right way is to use ACLs. Adding a new configuration option which basically is an ACL in a servlet is not the right approach. 
> 
> Another workaround is to add a servlet filter
> 
>> Sling POST Servlet: Configuration of Allowed Paths
>> --------------------------------------------------
>> 
>>                Key: SLING-2136
>>                URL: https://issues.apache.org/jira/browse/SLING-2136
>>            Project: Sling
>>         Issue Type: Improvement
>>         Components: Servlets
>>   Affects Versions: Servlets Post 2.1.2
>>           Reporter: Andrew Khoury
>>        Attachments: post_servlet_filter-1205238.patch
>> 
>> 
>> It would be nice if you could configure rules or regular expressions for paths the sling post servlet is allowed to work under.  This would be good for both security reasons and for protecting against conflicts with other servlets.
>> For example:
>> Let's say you have a servlet ReplicationServlet registered to receive POST requests under path /bin/replicate.
>> However, during startup, before the ReplicationServlet component has been enabled, a user tries to do a POST to /bin/replicate.  In this case, instead of executing the ReplicationServlet, the POST servlet is executed and it creates a node under /bin/replicate.  Now, as long as the node /bin/replicate exists... the ReplicationServlet will not be executed for requests to /bin/replicate.  This presents a problem and explains the necessity for this feature.
> 
> 
> 


[jira] [Commented] (SLING-2136) Sling POST Servlet: Configuration of Allowed Paths

Posted by "Carsten Ziegeler (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SLING-2136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159324#comment-13159324 ] 

Carsten Ziegeler commented on SLING-2136:
-----------------------------------------

I think the right way is to use ACLs. Adding a new configuration option which basically is an ACL in a servlet is not the right approach. 

Another workaround is to add a servlet filter
                
> Sling POST Servlet: Configuration of Allowed Paths
> --------------------------------------------------
>
>                 Key: SLING-2136
>                 URL: https://issues.apache.org/jira/browse/SLING-2136
>             Project: Sling
>          Issue Type: Improvement
>          Components: Servlets
>    Affects Versions: Servlets Post 2.1.2
>            Reporter: Andrew Khoury
>         Attachments: post_servlet_filter-1205238.patch
>
>
> It would be nice if you could configure rules or regular expressions for paths the sling post servlet is allowed to work under.  This would be good for both security reasons and for protecting against conflicts with other servlets.
> For example:
> Let's say you have a servlet ReplicationServlet registered to receive POST requests under path /bin/replicate.
> However, during startup, before the ReplicationServlet component has been enabled, a user tries to do a POST to /bin/replicate.  In this case, instead of executing the ReplicationServlet, the POST servlet is executed and it creates a node under /bin/replicate.  Now, as long as the node /bin/replicate exists... the ReplicationServlet will not be executed for requests to /bin/replicate.  This presents a problem and explains the necessity for this feature.
