In CQ, suppose we want to expose a REST API for our internal clients, but don't want that API to be accessible to the public. For example, say we'd like a JSP to be available internally (inside the firewall) and to be invoked via the web. The API's responsibility is to clear the Dispatcher cache via a curl command behind the scenes.
Make the service API available on the Author node (not the Publish node). If your Author node resides inside a firewall, then only internal clients have access to it. Instead of coding a SlingServlet (see references) in CQ, we can code a JSP and have it accessed through the standard Sling URL decomposition. Sling looks for a special property on the requested node named "sling:resourceType", then looks under /apps (then /libs) to find a script matching the value of "sling:resourceType".
Without writing a SlingServlet, we can simply code a JSP file using CRXDE Lite and have the Java code on the JSP page invoked. The example is a JSP that is invoked from the web. Its responsibility is to clear the Dispatcher cache via a curl command behind the scenes. To invoke the JSP deployed on the Author node:
However, for accessibility on the Author node, you must remember to poke a hole on the Author node so that accessing the above API (JSP) won't require username and password credentials. Also, for security reasons, remember not to replicate this .jsp node to your Publish node unless it's necessary.
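Because the JSP is reachable without credentials, it should accept only the flush paths it expects and never hand request input to a shell. The following is an added example, not the original post's code: the Dispatcher host, the `path` parameter name and the `/content` allowlist are assumptions, while `/dispatcher/invalidate.cache` and the `CQ-Action` / `CQ-Handle` headers are the Dispatcher's standard invalidation interface.

```jsp
<%@ page session="false" import="java.io.InputStream,java.util.Arrays,java.util.List,java.util.regex.Pattern" %>
<%
    // Assumed values for illustration only; none of them come from the post.
    final String dispatcherUrl = "http://dispatcher.example.internal/dispatcher/invalidate.cache";
    // Allowlist: only paths under /content, built from characters that cannot
    // form "..", whitespace, or a CR/LF that would inject an extra header.
    final Pattern allowedHandle = Pattern.compile("/content(/[A-Za-z0-9_-]{1,64}){1,16}");

    // "path" is a hypothetical request parameter naming the page to flush.
    String handle = request.getParameter("path");
    if (handle == null || !allowedHandle.matcher(handle).matches()) {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "path not allowed");
        return;
    }

    // Each argument is its own list element, so no shell parses the request
    // input and it cannot add options or commands to the curl invocation.
    List<String> cmd = Arrays.asList(
        "curl", "--silent", "--fail", "--max-time", "10",
        "-X", "POST",
        "-H", "CQ-Action: Activate",
        "-H", "CQ-Handle: " + handle,
        "-H", "Content-Length: 0",
        dispatcherUrl);

    Process proc = new ProcessBuilder(cmd).redirectErrorStream(true).start();
    InputStream procOut = proc.getInputStream();
    byte[] buf = new byte[1024];
    while (procOut.read(buf) != -1) {
        // Drain curl's output so the child process cannot block on a full pipe.
    }
    int exitCode = proc.waitFor();

    response.setContentType("text/plain");
    if (exitCode == 0) {
        out.println("flushed " + handle);
    } else {
        // Report failure without echoing curl's output back to the caller.
        response.setStatus(HttpServletResponse.SC_BAD_GATEWAY);
        out.println("dispatcher flush failed");
    }
%>
```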
To poke a hole, you need:
Give read access to the 'everyone' group for the JSP node and other nodes:
Configure 'Apache Sling Authentication Service' so that access to the node won't trigger authentication: