http://robert.muntea.nu @rombert

Secure by Default Web Applications With Apache Sling

Secure by Default Web Applications With Apache Sling

Robert Munteanu, Adobe SystemsApacheCon Core 2016

http://robert.muntea.nu @rombert

Who I am

$DAYJOB Adobe Experience

Manager Apache Sling Apache Jackrabbit Apache Felix

Open Source Apache Sling MantisBT Mylyn Connector for

MantisBT Mylyn Connector for Review

Board

http://robert.muntea.nu @rombert

Purpose of the talk

Scope

Cost Schedule

http://robert.muntea.nu @rombert

Purpose of the talk

Scope

Cost Schedule

http://robert.muntea.nu @rombert

Purpose of the talk

Scope

Cost Schedule

http://robert.muntea.nu @rombert

Agenda

● Apache Sling● Demo application review● Threat model● Security with Apache Sling● Demo● Conclusion● Q&A

http://robert.muntea.nu @rombert

Apache Sling – Brief History

2007Incubation

2009TLP

2015Version 8

200xPre-Apache

http://robert.muntea.nu @rombert

Apache Sling – Code Statistics

http://robert.muntea.nu @rombert

Apache Sling – Contributor activity

http://robert.muntea.nu @rombert

Apache Sling – Value proposition

● Content-oriented ● RESTful● Lightweight● Integrated authentication and authorization● OSGi-powered● Scripting inside● Easily deployable

http://robert.muntea.nu @rombert

Apache Sling – Content-Oriented

Blog posts

Images

Users and Groups

http://robert.muntea.nu @rombert

Apache Sling – Content-Oriented

Server-side templates and scripts

Configurations

http://robert.muntea.nu @rombert

Apache Sling – RESTful

$ http localhost:8080/content/↵ blog/posts/hello_world.html

jsonxmltxtpdfphp3

http://robert.muntea.nu @rombert

Apache Sling – RESTful

http://robert.muntea.nu @rombert

Apache Sling – Persistence via JCR

http://robert.muntea.nu @rombert

Apache Sling – Topologies

Standalone High Availability

http://robert.muntea.nu @rombert

Agenda

● Apache Sling● Demo application review● Threat model● Security with Apache Sling● Demo● Conclusion● Q&A

http://robert.muntea.nu @rombert

Demo App – main page

http://robert.muntea.nu @rombert

Demo App – Article Page

http://robert.muntea.nu @rombert

Demo App – Submitting comments

http://robert.muntea.nu @rombert

Agenda

● Apache Sling● Demo application review● Threat model● Security with Apache Sling● Demo● Conclusion● Q&A

http://robert.muntea.nu @rombert

Threat modelling

“Threat modeling is an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application”

Threat Modeling Web Applications on MSDN

http://robert.muntea.nu @rombert

Threat Modelling - Assets

http://robert.muntea.nu @rombert

Threat Modelling - Assets

● Availability● Content● User Credentials● Ability to execute code on server● Ability to execute code in the browser context

http://robert.muntea.nu @rombert

Threat Modelling - Trust Levels

http://robert.muntea.nu @rombert

Threat Modelling - Trust Levels

1. Anonymous

2. Author

3. Administrator

http://robert.muntea.nu @rombert

Threat Modelling - Threats

OWASP

http://robert.muntea.nu @rombert

Threat Modelling - Threats

1. Denial of Service

2. Defacement / Deletion

3. Leaking credentials

4. SQL/Shell Injection

5. Stored/Reflected XSS

http://robert.muntea.nu @rombert

Threat Modelling - Mitigation

http://robert.muntea.nu @rombert

Agenda

● Apache Sling● Demo application review● Threat model● Security with Apache Sling● Demo● Conclusion● Q&A

http://robert.muntea.nu @rombert

Apache Sling Security – Natural layering of ACEs

http://robert.muntea.nu @rombert

Apache Sling Security – Security applied at the lowest level

$ http --auth bob:bob localhost:8080/content/blog/posts/new_blog_post 'jcr\:title=New post'

http://robert.muntea.nu @rombert

Apache Sling Security – Context-aware templating language

<div class="comment clearfix"> <img class="avatar img-rounded pull-left" src="${resource.valueMap['authorAvatar']}"/> <h3>${resource.valueMap['jcr:title']}</h3> <p>${resource.valueMap['jcr:description']}</p></div>

http://robert.muntea.nu @rombert

Apache Sling Security – Injection-safe APIs

Children of/content/blog/posts

http://robert.muntea.nu @rombert

Apache Sling Security – Injection-safe APIs

Children of/content/blog/comments/hello_world

http://robert.muntea.nu @rombert

Agenda

● Apache Sling● Demo application review● Threat model● Security with Apache Sling● Demo● Conclusion● Q&A

http://robert.muntea.nu @rombert

Demo Application – Actual demo!!!!1oneone

http://robert.muntea.nu @rombert

Conclusions – Security

● Aim to be “Secure by Default”● Build a threat model for your application● Look for components that eliminate problems altogether

http://robert.muntea.nu @rombert

Conclusions – Apache Sling

● Simple to be “Secure by Default”● Eventing, Thread Pooling, Job Management, Caching● Scripting: Groovy, Scala, JSP, Sightly, Java, Ruby, Thymeleaf● Flexible resource rendering with resource types● Very extensible due to being internally powered by OSGi – most extension points available to clients

http://robert.muntea.nu @rombert

Resources

● Apache Sling – https://sling.apache.org ● Apache Jackrabbit

● https://jackrabbit.apache.org● http://jackrabbit.apache.org/oak/

● OWASP - https://www.owasp.org ● https://www.owasp.org/index.php/OWASP_Top_Ten

_Cheat_Sheet● https://www.owasp.org/index.php/Application_Thre

at_Modeling