Secure by Default Web Applications With Apache Sling
Robert Munteanu, Adobe Systems
ApacheCon Core 2016
http://robert.muntea.nu @rombert
Who I am
$DAYJOB: Adobe Experience Manager, Apache Sling, Apache Jackrabbit, Apache Felix
Open Source: Apache Sling, MantisBT, Mylyn Connector for MantisBT, Mylyn Connector for Review Board
Agenda
● Apache Sling
● Demo application review
● Threat model
● Security with Apache Sling
● Demo
● Conclusion
● Q&A
Apache Sling – Brief History
200x – Pre-Apache
2007 – Incubation
2009 – TLP
2015 – Version 8
Apache Sling – Value proposition
● Content-oriented
● RESTful
● Lightweight
● Integrated authentication and authorization
● OSGi-powered
● Scripting inside
● Easily deployable
Apache Sling – Content-Oriented
Blog posts
Images
Users and Groups
Apache Sling – Content-Oriented
Server-side templates and scripts
Configurations
Apache Sling – RESTful
$ http localhost:8080/content/blog/posts/hello_world.html
(the same resource rendered with .json, .xml, .txt, .pdf or .php3 in place of .html)
Apache Sling – Topologies
● Standalone
● High Availability
Threat modelling
“Threat modeling is an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application”
Threat Modeling Web Applications on MSDN
Threat Modelling - Assets
● Availability
● Content
● User Credentials
● Ability to execute code on server
● Ability to execute code in the browser context
Threat Modelling - Trust Levels
1. Anonymous
2. Author
3. Administrator
Threat Modelling - Threats
1. Denial of Service
2. Defacement / Deletion
3. Leaking credentials
4. SQL/Shell Injection
5. Stored/Reflected XSS
Apache Sling Security – Natural layering of ACEs
Apache Sling Security – Security applied at the lowest level
$ http --auth bob:bob localhost:8080/content/blog/posts/new_blog_post 'jcr\:title=New post'
Apache Sling Security – Context-aware templating language
<div class="comment clearfix">
  <img class="avatar img-rounded pull-left" src="${resource.valueMap['authorAvatar']}"/>
  <h3>${resource.valueMap['jcr:title']}</h3>
  <p>${resource.valueMap['jcr:description']}</p>
</div>
Apache Sling Security – Injection-safe APIs
Children of /content/blog/posts
Apache Sling Security – Injection-safe APIs
Children of /content/blog/comments/hello_world
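As an added example (not code from the slides or from the Sling project), the two ways of listing the comments stored below /content/blog/comments/<post>: a JCR-SQL2 statement built from the post name in the request, beside the tree traversal through the Sling Resource API that the slide refers to. The class, method and record names are assumptions; only the Resource, ResourceResolver and ValueMap types are Sling's.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;

import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ValueMap;

public class CommentLister {

    /** Constructed value type for the example; in the repository these are node properties. */
    public static final class Comment {
        public final String title;
        public final String body;
        Comment(String title, String body) { this.title = title; this.body = body; }
    }

    /**
     * Injection-prone variant: the post name taken from the request is pasted into a
     * JCR-SQL2 string literal, so the query parser, not the application, decides where
     * the literal ends. Shown only as the contrast for the safe version below.
     */
    public static Iterator<Resource> commentsByQuery(ResourceResolver resolver, String postName) {
        String sql = "SELECT * FROM [nt:unstructured] AS c"
                + " WHERE ISCHILDNODE(c, '/content/blog/comments/" + postName + "')";
        return resolver.findResources(sql, "JCR-SQL2");
    }

    /**
     * Injection-safe variant: walk the content tree with the Resource API. The
     * user-supplied name is only compared with String.equals against the names of
     * existing children, so no query language and no path syntax is ever parsed;
     * a name containing quotes, '/' or '..' simply matches nothing.
     */
    public static List<Comment> commentsByTraversal(Resource commentsRoot, String postName) {
        for (Resource post : commentsRoot.getChildren()) {
            if (!post.getName().equals(postName)) {
                continue;
            }
            List<Comment> comments = new ArrayList<>();
            for (Resource comment : post.getChildren()) {
                ValueMap props = comment.getValueMap();
                comments.add(new Comment(props.get("jcr:title", ""), props.get("jcr:description", "")));
            }
            return comments;
        }
        return Collections.emptyList(); // unknown post: nothing to render, nothing to leak
    }
}
```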
Conclusions – Security
● Aim to be “Secure by Default”
● Build a threat model for your application
● Look for components that eliminate problems altogether
Conclusions – Apache Sling
● Simple to be “Secure by Default”
● Eventing, Thread Pooling, Job Management, Caching
● Scripting: Groovy, Scala, JSP, Sightly, Java, Ruby, Thymeleaf
● Flexible resource rendering with resource types
● Very extensible due to being internally powered by OSGi – most extension points available to clients
Resources
● Apache Sling – https://sling.apache.org
● Apache Jackrabbit – https://jackrabbit.apache.org
● Apache Jackrabbit Oak – http://jackrabbit.apache.org/oak/
● OWASP – https://www.owasp.org
● OWASP Top Ten Cheat Sheet – https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
● OWASP Application Threat Modeling – https://www.owasp.org/index.php/Application_Threat_Modeling