
dklco pushed a commit to branch master
in repository 
https://gitbox.apache.org/repos/asf/sling-org-apache-sling-app-cms.git


The following commit(s) were added to refs/heads/master by this push:
     new 963bb94  SLING-10588 - Updated to not set localhost by default, check 
that a value is set - not just the array, removed the default configuration and 
updated security documentation
963bb94 is described below

commit 963bb945d10f940aa326ab2015c51df4fc922cd8
Author: Dan Klco <[email protected]>
AuthorDate: Sun Jul 11 23:07:47 2021 -0400

    SLING-10588 - Updated to not set localhost by default, check that a value 
is set - not just the array, removed the default configuration and updated 
security documentation
---
 .../core/internal/filters/CMSSecurityConfigInstance.java | 16 ++++++++++++++--
 .../cms/core/internal/filters/CMSSecurityFilter.java     |  8 ++++----
 .../core/internal/filters/CMSSecurityFilterConfig.java   |  4 ++--
 docs/securing.md                                         |  9 +++++++--
 feature/src/main/features/runmodes/standalone.json       |  8 --------
 5 files changed, 27 insertions(+), 18 deletions(-)

diff --git 
a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityConfigInstance.java
 
b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityConfigInstance.java
index f073ee7..cec6110 100644
--- 
a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityConfigInstance.java
+++ 
b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityConfigInstance.java
@@ -23,6 +23,7 @@ import java.util.regex.Pattern;
 import javax.servlet.http.HttpServletRequest;
 
 import org.apache.commons.lang3.ArrayUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.osgi.service.component.annotations.Activate;
 import org.osgi.service.component.annotations.Component;
 import org.osgi.service.component.annotations.Modified;
@@ -47,9 +48,20 @@ public class CMSSecurityConfigInstance {
 
     }
 
+    private boolean domainsSet() {
+        if (ArrayUtils.isEmpty(config.hostDomains())) {
+            return false;
+        }
+        for (String value : config.hostDomains()) {
+            if (StringUtils.isNotEmpty(value)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
     public boolean applies(HttpServletRequest request) {
-        return ArrayUtils.isEmpty(config.hostDomains())
-                || ArrayUtils.contains(config.hostDomains(), 
request.getServerName());
+        return !domainsSet() || ArrayUtils.contains(config.hostDomains(), 
request.getServerName());
     }
 
     public String getGroupName() {
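Review bot: With a non-empty host list, the new `applies()` lets any request whose `getServerName()` is not in the list skip the filter entirely, and `getServerName()` is derived from the client-supplied Host header unless the reverse proxy rewrites it, so a client that can reach the Sling port directly with an arbitrary `Host:` value presumably sees the CMS unfiltered. That behaviour predates this commit, but since the change is about tightening the default it deserves a comment on `applies()` such as `// Host-based scoping: getServerName() comes from the request's Host header, so unlisted hosts must be rejected or rewritten at the reverse proxy for this check to be a security boundary.` Two smaller points in the same hunk: `ArrayUtils.contains` compares case-sensitively while host names are case-insensitive, so `Localhost` would bypass a `localhost` entry unless the container normalises it, and comparing each entry with `StringUtils.equalsIgnoreCase(domain, request.getServerName())` avoids that; and `domainsSet()` uses `isNotEmpty`, so a whitespace-only entry counts as a configured domain that can never match, where `isNotBlank` matches the intent of "a value is set". `getGroupName()` continues past the end of the hunk.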
diff --git 
a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java
 
b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java
index e1ac4c2..8aab1d0 100644
--- 
a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java
+++ 
b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java
@@ -32,6 +32,7 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang3.StringUtils;
+import org.apache.http.HttpStatus;
 import org.apache.jackrabbit.api.JackrabbitSession;
 import org.apache.jackrabbit.api.security.user.Authorizable;
 import org.apache.jackrabbit.api.security.user.Group;
@@ -42,6 +43,7 @@ import org.apache.sling.cms.CMSUtils;
 import org.apache.sling.cms.PublishableResource;
 import org.apache.sling.cms.publication.PUBLICATION_MODE;
 import org.apache.sling.cms.publication.PublicationManagerFactory;
+import org.osgi.service.component.annotations.Activate;
 import org.osgi.service.component.annotations.Component;
 import org.osgi.service.component.annotations.Reference;
 import org.osgi.service.component.annotations.ReferenceCardinality;
@@ -83,7 +85,7 @@ public class CMSSecurityFilter implements Filter {
                     if (!allowed) {
                         log.trace("Request to {} not allowed for user {}", 
slingRequest.getRequestURI(),
                                 
slingRequest.getResourceResolver().getUserID());
-                        ((HttpServletResponse) response).sendError(401);
+                        ((HttpServletResponse) 
response).sendError(HttpStatus.SC_UNAUTHORIZED);
                         return;
                     }
                 }
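Review bot: `HttpStatus.SC_UNAUTHORIZED` pulls `org.apache.http` into this bundle only to name a constant that the servlet API the class already imports provides as `HttpServletResponse.SC_UNAUTHORIZED`; the one-line change `((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);` keeps the same status without the extra package dependency. The `Activate` import added in the earlier hunk has no matching use among this commit's four additions to the file (diffstat `8 ++++----`), so it appears to be unused. On the status itself, the `allowed` check here appears to gate on group membership (the file imports `Group` and the later hunk resolves the principal through `UserManager`), in which case an authenticated principal that is simply not in the group is a 403 Forbidden case rather than 401; if 401 is deliberate so that Sling's authenticator sends anonymous users to the login form, a comment such as `// 401 (not 403) so the Sling authenticator triggers the login flow for anonymous requests` would stop the next reader from changing it. The enclosing method starts and ends outside this hunk.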
@@ -145,9 +147,7 @@ public class CMSSecurityFilter implements Filter {
                 return false;
             }
             log.trace("Retrieved user manager {} with session {}", 
userManager, session);
-            Authorizable auth;
-
-            auth = 
userManager.getAuthorizable(slingRequest.getUserPrincipal());
+            Authorizable auth = 
userManager.getAuthorizable(slingRequest.getUserPrincipal());
             if (auth == null) {
                 log.warn("Unable to retrieve user from principal {}", 
slingRequest.getUserPrincipal());
                 return false;
diff --git 
a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilterConfig.java
 
b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilterConfig.java
index 5c95f36..bfaf75f 100644
--- 
a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilterConfig.java
+++ 
b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilterConfig.java
@@ -25,8 +25,8 @@ import 
org.osgi.service.metatype.annotations.ObjectClassDefinition;
 @ObjectClassDefinition(name = "%cms.security.filter.name", description = 
"%cms.security.filter.description", localization = "OSGI-INF/l10n/bundle")
 public @interface CMSSecurityFilterConfig {
 
-    @AttributeDefinition(name = "%hostDomains.name", description = 
"%hostDomains.description")
-    String[] hostDomains() default "localhost";
+    @AttributeDefinition(name = "%hostDomains.name", description = 
"%hostDomains.description", defaultValue = "localhost")
+    String[] hostDomains();
 
     @AttributeDefinition(name = "%allowedPatterns.name", description = 
"%allowedPatterns.description")
     String[] allowedPatterns() default { "^\\/content\\/starter/.*$", 
"^\\/static/.*$",
diff --git a/docs/securing.md b/docs/securing.md
index 489e020..a175521 100644
--- a/docs/securing.md
+++ b/docs/securing.md
@@ -15,9 +15,14 @@
 Sling CMS by default is pretty open, so you will want to secure the 
application with the following steps:
 
  1. Configure the Apache Sling CMS Security Filter - The Apache Sling CMS 
Security Filter  allows for limiting access to non-published content and 
content directly through the CMS domain. To configure the Apache Sling CMS 
Security Filter:
-    - Open the OSGi console to 
[http://localhost:8080/system/console/configMgr/org.apache.sling.cms.core.filters.CMSSecurityFilter](http://localhost:8080/system/console/configMgr/org.apache.sling.cms.core.filters.CMSSecurityFilter)
-    - Configure the Host Domain and the Group
+    - Open the OSGi console to 
[http://localhost:8080/system/console/configMgr](http://localhost:8080/system/console/configMgr/)
+    - Select the plus indicator by _Apache Sling CMS Security Filter_
+    - Configure the Host Domain, Allowed Patterns and, optionally, the Group 
required to access the CMS
        ![Configure Security Filter](img/configure-security-filter.png)
+ 2. Configure the Referrer Filter - this filters which referrers are allowed 
send modification requests to the CMS instance. To configure the Referrer 
Filter:
+   - Open the OSGi console at 
[http://localhost:8080/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter](http://localhost:8080/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter)
+   - Configure the _Allow Hosts_ or _Allow Regexp Hosts_ to the host names 
allowed
+       ![Configure Referrer Filter](img/configure-referrer-filter.png)
  2. Configure Apache for Security - Add configurations to make Apache HTTPD 
secure:
     
         # Security Protection
diff --git a/feature/src/main/features/runmodes/standalone.json 
b/feature/src/main/features/runmodes/standalone.json
index 23eba0a..364571b 100644
--- a/feature/src/main/features/runmodes/standalone.json
+++ b/feature/src/main/features/runmodes/standalone.json
@@ -4,14 +4,6 @@
             "instanceType": "STANDALONE",
             "publicationMode": "STANDALONE",
             "agents": []
-        },
-        
"org.apache.sling.cms.core.internal.filters.CMSSecurityConfigInstance": {
-            "hostDomains": [],
-            "allowedPatterns": [
-                "^\/content\/starter/.*$",
-                "^\/static/.*$",
-                "^\/system\/sling\/form\/login$"
-            ]
         }
     }
 }
\ No newline at end of file
