
Cannot load/execute scripts on 6.1.2 with dispatcher configured #34

Closed
mchrominski opened this issue Jan 14, 2015 · 2 comments

@mchrominski

When a CQ instance is behind dispatcher, it is quite often configured to restrict some dangerous paths like package manager (/crx), crxde (/crxde), OSGi console (/system/console). This is also encouraged by Adobe (http://docs.adobe.com/docs/en/dispatcher.html, http://docs.adobe.com/content/docs/en/dispatcher/_jcr_content/par/download/file.res/author_dispatcher_new.any).

The Groovy console, in order to load a script stored in the repository, fetches resources through the CRX browser, e.g. http://integration.groovytest.com/crx/server/crx.default/jcr%3aroot/etc/groovyconsole/scripts/samples/CreatePackage.groovy/jcr%3Acontent/jcr:data. As the crx prefix is usually forbidden, it fails to load the data.

Please change the way the scripts are loaded to get the content directly e.g. http://integration.groovytest.com/etc/groovyconsole/scripts/samples/CreatePackage.groovy/jcr%3Acontent/jcr:data

@mszu
Contributor

mszu commented Jan 15, 2015

The reason behind Adobe's recommendation for blocking those paths (and the reason that they're "dangerous") is that they allow low level access to/control over the instance. Via the groovy console, it's possible to do pretty much anything you can do via the UIs exposed by the blocked URLs (e.g. starting or stopping bundles, installing or uninstalling packages, getting an admin session and changing properties, etc).

If you're blocking those paths, you should probably also block access to the groovy console.

That said, I guess it wouldn't hurt anything to make the change you're suggesting, so if you want to open a PR I would not personally have a problem with merging it (as long as the other maintainers are happy with it).
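A dispatcher filter fragment matching the recommendation above, as an added example (not from this issue or the project): it denies the paths the issue names and blocks the Groovy console alongside them. The /etc/groovyconsole path is taken from the script URL in the issue; the /bin/groovyconsole/* servlet path is an assumption and should be checked against the deployed console version.

```text
# Excerpt of a dispatcher.any /filter section (added example, not from the project).
# Rules are evaluated in order; the last matching rule wins.
/filter
  {
  # Default deny, then allow only what the site actually serves.
  /0001 { /type "deny"  /glob "*" }
  /0002 { /type "allow" /glob "* /content/*" }
  /0003 { /type "allow" /glob "* /etc/designs/*" }

  # Adobe-recommended denies for low-level admin entry points.
  /0041 { /type "deny"  /glob "* /crx/*" }          # package manager / CRX browser
  /0042 { /type "deny"  /glob "* /crxde*" }         # CRXDE Lite
  /0043 { /type "deny"  /glob "* /system/console*" }  # OSGi web console

  # Blocking the above without blocking the Groovy console leaves an
  # equivalent level of access open (bundles, packages, admin sessions).
  /0051 { /type "deny"  /glob "* /etc/groovyconsole*" }   # console UI and scripts
  /0052 { /type "deny"  /glob "* /bin/groovyconsole/*" }  # assumed servlet path
  }
```

The /glob patterns match the full request line ("GET /path HTTP/1.1"), which is why each begins with "* ".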

@markdaugherty
Collaborator

Fixed in develop.
