Posted to dev@sling.apache.org by Ben Zahler <be...@inside-solutions.ch> on 2013/07/01 08:30:47 UTC

Sling Proposal

Hi all,
I have done some work on selectors and security in CQ lately, and in the process I've had an idea how to handle some of the issues in Sling.
From my point of view, this could well be integrated into Sling, but it can also easily work as an addition, so I'd like to hear some feedback from you.

The basic idea is to have the developer of a component/template define the selectors allowed on the component. I've used a property sling:allowedSelectors to do so.
In a servlet filter, we can then check for all the allowed selectors in the application and verify if the request's selectors are valid.
Of course, there are quite a few open questions/points:

  *   should the allowed selectors be cached?
  *   Servlets with sling.servlet.selectors property need to be included as well
  *   Should the sling:allowedSelectors configuration be component or template based? Component based means the definition is where the selectors are actually implemented, template based provides more accurate means of checking whether request selectors are valid.
  *   How can multisites be configured?

Attached is a very basic implementation of the Servlet Filter. Be aware that installing this into a CQ author instance will break some things as the default CQ selectors are not supported.

So basically, my question to you is if you think this is an interesting feature or if you consider this rather unnecessary. ;-)

Best regards
Ben Zahler

Inside Solutions AG | Felsenstrasse 11 | 4450 Sissach | Switzerland
Phone: +41 61 551 00 40 | Direct: +41 61 551 00 43
http://www.inside-solutions.ch

Re: Sling Proposal

Posted by Felix Meschberger <fm...@adobe.com>.
Hi

It looks like this limiting of selectors has had some discussion recently. So, yes, I would think the Sling community would well be interested in a good solution.

I am not exactly sure what you mean by "template based". Also, there is no such thing as a "component" in Sling. Something becomes a component if it is referred to by a resource type.

Another consideration is resource type inheritance through Resource.getResourceSuperType(). Are selectors inherited? Can they be reduced?

Finally: Sling is open-ended by intent and default. So limiting will always have some side effects we have to carefully consider.

For example: Consider you create a "component" with support for some selectors and extensions and declare it to cope with those. Then you extend it and add support for another selector (or another extension) and forget to update the definition: Now your requests may fail and you have to find out how ...

Alas, your attachment didn't make it to the list (probably due to list filtering). You might want to create an issue and attach your code there.

Regards
Felix

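A sketch of the check discussed in the proposal and in the reply above, as an added example that is neither the attachment from the original post nor Sling's code: plain Java with constructed in-memory maps standing in for repository content. It assumes declarations are inherited along the resource super type chain and that a chain with no declaration stays open; the class, method and resource type names are hypothetical.

```java
import java.util.*;

public class SelectorAllowList {
    // Constructed sample data standing in for repository content.
    // Resource type -> declared sling:allowedSelectors (property name proposed in the thread).
    static final Map<String, Set<String>> DECLARED = Map.of(
        "app/page", Set.of("print"),
        "app/article", Set.of("teaser"));
    // Resource type -> resource super type. app/gallery implements "slideshow" but declares nothing.
    static final Map<String, String> SUPER_TYPE = Map.of(
        "app/article", "app/page",
        "app/gallery", "app/page");

    // Selectors are the dot-separated tokens between the resource name and the extension.
    // Assumption: the resource name contains no dot and the URL carries no suffix.
    static List<String> selectors(String path) {
        String[] parts = path.substring(path.lastIndexOf('/') + 1).split("\\.");
        return parts.length <= 2 ? List.of() : Arrays.asList(parts).subList(1, parts.length - 1);
    }

    // Assumed policy: declarations are inherited (union) along the super type chain.
    // Returns null when no type in the chain declares anything, which keeps Sling's open default.
    static Set<String> effective(String type) {
        Set<String> all = null;
        Set<String> seen = new HashSet<>(); // guards against super type cycles
        for (String t = type; t != null && seen.add(t); t = SUPER_TYPE.get(t)) {
            Set<String> declared = DECLARED.get(t);
            if (declared == null) continue;
            if (all == null) all = new HashSet<>();
            all.addAll(declared);
        }
        return all;
    }

    // Returns the first selector the filter would reject, or empty if the request passes.
    static Optional<String> rejected(String path, String type) {
        Set<String> allowed = effective(type);
        if (allowed == null) return Optional.empty();
        return selectors(path).stream().filter(s -> !allowed.contains(s)).findFirst();
    }

    public static void main(String[] args) {
        // Case 1: the type's own selector plus one inherited from its super type.
        System.out.println(rejected("/content/a.teaser.print.html", "app/article"));
        // Case 2: selectors that no type in the chain declared.
        System.out.println(rejected("/content/a.1.2.3.html", "app/article"));
        // Case 3: a subtype implements a selector but never declared it.
        System.out.println(rejected("/content/g.slideshow.html", "app/gallery"));
    }
}
```

Returning the offending selector rather than a bare boolean lets a filter log which token and resource type caused the rejection, which addresses the "find out how" problem when a declaration is forgotten.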


Re: Sling Proposal

Posted by Justin Edelson <ju...@justinedelson.com>.
Ben-
You also might want to take a look at
https://github.com/justinedelson/cq-urlfilter, which is virtually the same
code, just adapted to work better in a CQ/AEM environment.

Regards,
Justin



Re: Sling Proposal

Posted by Ben Zahler <be...@inside-solutions.ch>.
Justin, Felix,
Thanks for your responses and please excuse that my terminology makes it a
little too clear that I'm coming from CQ ;-).

Justin's solution is actually very close to what I had in mind with the
"template based" solution. I will mull over this and create a ticket also
referencing Justin's solution.
 
Ben






Re: Sling Proposal

Posted by Justin Edelson <ju...@justinedelson.com>.
Ben-
Have you looked at the filter at
http://svn.apache.org/repos/asf/sling/trunk/samples/urlfilter ? It sounds
like your solution is roughly in line with this implementation.

Justin

