Details
-
New Feature
-
Status: Open
-
Critical
-
Resolution: Unresolved
-
Servlets Resolver 2.4.22
-
None
-
None
Description
Issue
Most of the web servers provide a way to restrict access to urls based on roles/groups of users. Also, since mapping of urls and scripts (servlets/jsp) is internal and end user cannot define this mapping, this method effectively restricts access to scripts (servlets/jsp).
On the other hand, sling restricts access to end point using ACLs setup of content nodes having sling:resourceType property set in the repository. i.e. nodes which have "sling:resourceType" set can be used to invoke script identified by value of "sling:resourceType" property by a user only if she also has read permission on the node
But as we know that mapping of paths and scripts(servlets/jsp) is done via "sling:resourceType" property and since this property can written by end users having write access to the repository using SlingPostServlet or possibly other tools.
Which means that any user having read/write access to any part of repository can invoke, any servlet or script by creating a node with sling:resourceType property with its value set to resourceType of desired script/servlet.
Although, the scripts which make use of current user session are not particularly affected by this since permission checks would be done by repository layer once this scripts access/modify content using this session.
But many scripts which either use service user (thus un-linking repository permission check from current users session) or scripts which may have nothing to do with repository such as contacting an external service, crypto, filesystem access, launching processes etc. have no way to restrict access other than manually checking in code for session permissions etc.)
Expected
A declarative method to restrict access to scripts (servlet/jsp).