On 7 March 2013 04:31, Angela Schreiber <[email protected]> wrote:
> hi carsten
>
>> Finally, although this feature is optional and has no impact if not
>> used, there are valid concerns that this might be easily abused. But
>> we can't prevent anyone from abusing stuff and we already have various
>> places where people do funny things.
>
>
> just to make it very clear: it's not only that people make funny
> things. it's infinitely easy to create critical security issues
> with sling without noticing and i hope you are aware of this.
>
> i don't want to spread FUD here but IMHO it's time that the sling
> community is taking security concerns seriously and strives for a
> project that is secure by default.
>
> statements like "Features can be abused - no matter what we do"
> will likely create the impression that you don't really care.
>
> kind regards
> angela
Hi,

IMHO: We should not be adding features that make it easy to bypass security, other than the necessary and very well known SlingRepository.loginAdministrative(..) method. I assume that is what Carsten is referencing?

Also IMHO: Once it is easy for a trusted and authorised 3rd party developer to add executable code into a JVM, all bets are off, even in OSGi. Unless the Java security manager is enabled and policies configured, which we all know is fiendishly hard to get right, javax.reflect and net.sf.cglib can be used to drill deep into the internals of the implementation of any bundle.

Having said that: I strongly agree that Sling as a community should not be providing any features (beyond the necessary feature mentioned above) that weaken, breach or bypass the intrinsic security provided by the underlying repository.

As for SlingRepository.loginAdministrative(..), we have to remain vigilant and provide tools to ensure it is only used when absolutely necessary. (There are 15 classes in Sling where this is used in some way, excluding contrib, samples and tests.)

If there are other areas where it's possible, with ease, to create critical security issues, then I think we must address those immediately. Please share, ideally on list. If you think it's not for public list consumption, please send a message to sling-private so the issue can be added to the normal cert procedure.

Best Regards,
Ian
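Ian's message suggests providing tools to keep SlingRepository.loginAdministrative(..) usage to the necessary minimum. The following is an added example, not code from the thread or from the Sling project: a small audit script that walks a Java source tree, flags every call site of loginAdministrative outside the contrib, samples and test trees (the same exclusions Ian applies to his count of 15 classes), and ignores occurrences that only appear in trailing line comments. The directory layout, file names and Java snippets below are constructed for illustration and are not taken from the Sling code base.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample sources, keyed by path relative to the tree root.
# They stand in for a checkout; none of these files exist in Sling.
SAMPLE_SOURCES: Dict[str, str] = {
    "bundles/jcr/resource/src/main/java/JcrResourceProvider.java": (
        "Session s = repository.loginAdministrative(null);\n"
        "try { /* ... */ } finally { s.logout(); }\n"
    ),
    "bundles/extensions/event/src/main/java/JobManager.java": (
        "// repository.loginAdministrative(null) was removed here\n"
        "Session s = repository.login(credentials);\n"
    ),
    "contrib/extensions/foo/src/main/java/Foo.java": (
        "Session s = repository.loginAdministrative(\"ws\");\n"
    ),
    "bundles/jcr/resource/src/test/java/JcrResourceProviderTest.java": (
        "Session s = repository.loginAdministrative(null);\n"
    ),
}

# Matches the method call itself, not a word that merely contains the name.
ADMIN_LOGIN = re.compile(r"\bloginAdministrative\s*\(")
DEFAULT_EXCLUDES = ("contrib/", "samples/")


def is_test_path(path: str) -> bool:
    """Maven test tree or a *Test.java file."""
    return "/src/test/" in path or path.endswith("Test.java")


def find_admin_logins(sources: Dict[str, str],
                      excludes: Tuple[str, ...] = DEFAULT_EXCLUDES,
                      skip_tests: bool = True) -> List[Tuple[str, int, str]]:
    """Return (path, line number, stripped line) for every call site.

    Paths under an excluded prefix, and test sources when skip_tests is set,
    are not reported. Text after a '//' line comment is ignored so that a
    commented-out call does not count as a live one.
    """
    hits: List[Tuple[str, int, str]] = []
    for path, text in sorted(sources.items()):
        if path.startswith(excludes) or (skip_tests and is_test_path(path)):
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            code = line.split("//", 1)[0]
            if ADMIN_LOGIN.search(code):
                hits.append((path, lineno, line.strip()))
    return hits


def load_java_tree(root: str) -> Dict[str, str]:
    """Read every .java file under root into the same mapping shape as SAMPLE_SOURCES."""
    sources: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".java"):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, encoding="utf-8", errors="replace") as fh:
                    sources[rel] = fh.read()
    return sources


def classes_using_admin_login(sources: Dict[str, str]) -> int:
    """Number of distinct source files with at least one live call site."""
    return len({path for path, _line, _text in find_admin_logins(sources)})


if __name__ == "__main__":
    # Audit a real checkout with: python audit_admin_login.py /path/to/sling
    import sys
    sources = load_java_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SOURCES
    for path, lineno, text in find_admin_logins(sources):
        print(f"{path}:{lineno}: {text}")
    print(f"{classes_using_admin_login(sources)} class(es) call loginAdministrative")
```

Run against a checkout, the script produces the list a reviewer can compare between releases; a rising count is the signal Ian asks the community to watch for. The comment stripping handles only `//` line comments, so a call inside a block comment would still be reported, which errs on the side of over-reporting.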
