sling-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Norman (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (SLING-6767) Jackrabbit Usermanager: Allow to detect whether a POST request was treated by the default POST servlet or the jackrabbit.usermanager
Date Sun, 09 Sep 2018 17:22:00 GMT

    [ https://issues.apache.org/jira/browse/SLING-6767?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16608508#comment-16608508
] 

Eric Norman edited comment on SLING-6767 at 9/9/18 5:21 PM:
------------------------------------------------------------

[~joerghoh] Well, I suppose the ambiguity about whether a specific bundle or component is
active at a given moment is the nature of an extensible modular and dynamic architecture. 
I would personally not like to stuff this kind of use-case specific functionality into
the org.apache.sling.servlets.post bundle just to be guaranteed that it is there. 

In my opinion, at some point you will have to assume that whatever "gatekeeper" component
you chose to utilize has been installed and activated.  And if you want to customize the response for
someone else's operation, then a SlingPostProcessor extension or a custom PostResponseCreator
( as fixed with SLING-7831 ) would be a reasonable solution.

 

I guess the other problem I have is with the "caller can detect the difference" part of your
proposal.  That kind of thinking is dangerously close to an information disclosure security
vulnerability.  If the client can detect server side configuration details then it can assist
in refining an attack into the system.


was (Author: edn):
[~joerghoh] Well, I suppose the ambiguity about whether a specific bundle or component is
active at a given moment is the nature of an extensible modular and dynamic architecture. 
I would personally not like to stuff this kind of use-case specific functionality into
the org.apache.sling.servlets.post bundle just to be guaranteed that it is there. 

In my opinion, at some point you will have to assume that whatever "gatekeeper" component
you chose to utilize has been installed and activated.  And if you want to customize the response for
someone else's operation, then a SlingPostProcessor extension or a custom PostResponseCreator
would be a reasonable solution.

 

I guess the other problem I have is with the "caller can detect the difference" part of your
proposal.  That kind of thinking is dangerously close to an information disclosure security
vulnerability.  If the client can detect server side configuration details then it can assist
in refining an attack into the system.

> Jackrabbit Usermanager: Allow to detect whether a POST request was treated by the default
POST servlet or the jackrabbit.usermanager
> ------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SLING-6767
>                 URL: https://issues.apache.org/jira/browse/SLING-6767
>             Project: Sling
>          Issue Type: Improvement
>          Components: JCR
>            Reporter: Konrad Windszus
>            Priority: Major
>             Fix For: JCR Jackrabbit User Manager 2.2.8
>
>
> Currently it is impossible to tell from the response whether a POST request has been
answered by either the Default Sling POST servlet or the Jackrabbit Usermanager. Both the
JSON and the HTML look exactly the same no matter, who answered. It should be possible to
see from the client-side whether a request has been treated by one or the other.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message