Posted to dev@sling.apache.org by Bertrand Delacretaz <bd...@apache.org> on 2016/07/22 13:41:46 UTC
LoginAdministrative whitelisting patch ready for review
Hi,
Feedback on the patch that I just attached to
https://issues.apache.org/jira/browse/SLING-5135 is welcome.
-Bertrand
Re: LoginAdministrative whitelisting patch ready for review
Posted by Carsten Ziegeler <cz...@apache.org>.
> Hi,
>
> On Fri, Jul 22, 2016 at 5:13 PM, Carsten Ziegeler <cz...@apache.org> wrote:
>>> https://issues.apache.org/jira/browse/SLING-5135 ...
>> What about provisioning the whitelist with the usual Sling core bundles
>> that are used in an installation, so you can run a "simple" Sling
>> without any configuration?...
>
> The problem with such a hardcoded default configuration is the need to
> release the bundle if we need to change that config.
Well, sure - but as we don't want to introduce new loginAdministrative
calls, it's unlikely to happen. And it's still an OSGi configuration, so
you can override.
I seriously think Sling should run without any OSGi configuration, at
least the basics. We can discuss what the basics are, but from the list
below jcr.oak.server and jcr.base sound pretty basic to me.
Regards
Carsten
>
> Right now the below whitelist [1] is needed for most of the launchpad
> integration tests to pass.
>
> While some bundles like oak.server are obviously ok, others might need
> deeper investigation which I wasn't planning to do right now, so I'd
> prefer starting with an empty config. Unless someone can look at those
> bundles to reduce the list.
>
> -Bertrand
>
> [1]
> "org.apache.sling.extensions.webconsolesecurityprovider",
> "org.apache.sling.jcr.base",
> "org.apache.sling.jcr.contentloader",
> "org.apache.sling.jcr.davex",
> "org.apache.sling.jcr.jackrabbit.usermanager",
> "org.apache.sling.jcr.webconsole",
> "org.apache.sling.jcr.webdav",
> "org.apache.sling.servlets.post",
> "org.apache.sling.jcr.oak.server",
> "org.apache.sling.installer.provider.jcr",
> "org.apache.sling.jcr.resource"]
>
--
Carsten Ziegeler
Adobe Research Switzerland
cziegeler@apache.org
Re: LoginAdministrative whitelisting patch ready for review
Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,
On Fri, Jul 22, 2016 at 5:13 PM, Carsten Ziegeler <cz...@apache.org> wrote:
>> https://issues.apache.org/jira/browse/SLING-5135 ...
> What about provisioning the whitelist with the usual Sling core bundles
> that are used in an installation, so you can run a "simple" Sling
> without any configuration?...
The problem with such a hardcoded default configuration is the need to
release the bundle if we need to change that config.
Right now the below whitelist [1] is needed for most of the launchpad
integration tests to pass.
While some bundles like oak.server are obviously ok, others might need
deeper investigation which I wasn't planning to do right now, so I'd
prefer starting with an empty config. Unless someone can look at those
bundles to reduce the list.
-Bertrand
[1]
"org.apache.sling.extensions.webconsolesecurityprovider",
"org.apache.sling.jcr.base",
"org.apache.sling.jcr.contentloader",
"org.apache.sling.jcr.davex",
"org.apache.sling.jcr.jackrabbit.usermanager",
"org.apache.sling.jcr.webconsole",
"org.apache.sling.jcr.webdav",
"org.apache.sling.servlets.post",
"org.apache.sling.jcr.oak.server",
"org.apache.sling.installer.provider.jcr",
"org.apache.sling.jcr.resource"]
Re: LoginAdministrative whitelisting patch ready for review
Posted by Carsten Ziegeler <cz...@apache.org>.
> Hi,
>
> Feedback on the patch that I just attached to
> https://issues.apache.org/jira/browse/SLING-5135 is welcome.
>
What about provisioning the whitelist with the usual Sling core bundles
that are used in an installation, so you can run a "simple" Sling
without any configuration?
Carsten
--
Carsten Ziegeler
Adobe Research Switzerland
cziegeler@apache.org