Posted to users@sling.apache.org by sam lee <sk...@gmail.com> on 2010/11/22 15:41:58 UTC

how can I disable sling json servlet for some nodes?

Is there a way to disable json servlet for some nodes?

For example, I can think of DDoS for sling applications:
http://www.example.com/content/dam.tidy.-1.json
http://www.example.com/content/dam.tidy.-2.json
...
http://www.example.com/content/dam.acl.-1.json
http://www.example.com/content/dam.acl.-2.json
...
http://www.example.com/content/dam.eacl.-1.json
http://www.example.com/content/dam.eacl.-2.json
...
in parallel..
where /content/dam is a very deep hierarchy.

I see live sites accepting such GET requests (for example, adobe.com).

How do you partially disable json servlet? (be it only selected nodes accept
json request.. or maybe set a limit on json "level" selector?)

Thanks.
Sam

Re: how can I disable sling json servlet for some nodes?

Posted by Felix Meschberger <fm...@gmail.com>.
Hi,

The maximum depth supported for JSON requests is configurable for the
Default GET Servlet (IIRC the default is 200).

To disable the default JSON rendering for some nodes, you might want to
implement a JSON servlet/script that is assigned to these types of nodes
and which does "nothing" or sends back an error.

For example, to prevent rendering nt:folder nodes for JSON you might
register a Servlet service implementing the OptingServlet interface for
the nt/folder resource type and implement the accepts method to return
true or false in certain situations. In case false would be returned
your servlet is ignored and the default one used. In case true is
returned, your servlet would be called and you may then return whatever
you like incl. an error.

Regards
Felix

On Monday, 22.11.2010, at 09:41 -0500, sam lee wrote:
> Is there a way to disable json servlet for some nodes?
> 
> For example, I can think of DDoS for sling applications:
> http://www.example.com/content/dam.tidy.-1.json
> http://www.example.com/content/dam.tidy.-2.json
> ...
> http://www.example.com/content/dam.acl.-1.json
> http://www.example.com/content/dam.acl.-2.json
> ...
> http://www.example.com/content/dam.eacl.-1.json
> http://www.example.com/content/dam.eacl.-2.json
> ...
> in parallel..
> where /content/dam is a very deep hierarchy.
> 
> I see live sites accepting such GET requests (for example, adobe.com).
> 
> How do you partially disable json servlet? (be it only selected nodes accept
> json request.. or maybe set a limit on json "level" selector?)
> 
> Thanks.
> Sam
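
The OptingServlet approach described in the reply above, as an added example that is not part of the thread or Sling's own code: a servlet bound to nt/folder for the json extension that opts in only when a selector asks for an unbounded or overly deep dump, and answers with an error. It assumes OSGi Declarative Services annotations and the javax.servlet API; the package, class name, MAX_DEPTH value and error message are hypothetical.

```java
package com.example.sling; // hypothetical package

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.OptingServlet;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;

/** Refuses deep or unbounded JSON dumps of nt:folder nodes. */
@Component(service = Servlet.class, property = {
        "sling.servlet.resourceTypes=nt/folder",
        "sling.servlet.extensions=json",
        "sling.servlet.methods=GET"
})
public class FolderJsonDepthGuard extends SlingSafeMethodsServlet implements OptingServlet {

    private static final int MAX_DEPTH = 2; // hypothetical limit, pick what the site needs

    /** true: this servlet handles the request; false: the default GET servlet does. */
    @Override
    public boolean accepts(SlingHttpServletRequest request) {
        for (String selector : request.getRequestPathInfo().getSelectors()) {
            if (isTooDeep(selector)) {
                return true;
            }
        }
        return false;
    }

    /** A level selector is too deep when it is negative (as in dam.tidy.-1.json),
     *  "infinity", or above MAX_DEPTH. */
    static boolean isTooDeep(String selector) {
        if ("infinity".equalsIgnoreCase(selector)) {
            return true;
        }
        try {
            int depth = Integer.parseInt(selector);
            return depth < 0 || depth > MAX_DEPTH;
        } catch (NumberFormatException e) {
            return false; // not a level selector (for example "tidy")
        }
    }

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "JSON depth not allowed");
    }
}
```

Requests such as /content/dam.1.json still fall through to the default rendering, because accepts returns false for them. Only nodes whose resource type resolves to nt/folder are covered; other node types need their own registration.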