[ https://issues.apache.org/jira/browse/SLING-3040?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ben Zahler updated SLING-3040:
------------------------------

    Attachment: SlingSelectorFilter.java
                SlingSelectorConfig.java

> Selector Restriction
> --------------------
>
>                 Key: SLING-3040
>                 URL: https://issues.apache.org/jira/browse/SLING-3040
>             Project: Sling
>          Issue Type: Wish
>          Components: Extensions
>            Reporter: Ben Zahler
>            Priority: Minor
>              Labels: security
>         Attachments: SlingSelectorConfig.java, SlingSelectorFilter.java
>
>
> Sling selectors have been identified as a possible means of DoS attacks in CQ5. Therefore, this ticket contains proposals on how selector restrictions can be implemented in Sling.
>
> I propose two mechanisms that can/should be used together:
> - define selectors frequently used in the Sling instance and allow them on any request
> - define selectors per resource/resource type that are only allowed for that resource/resource type (already proposed in [1])
>
> The original requestor is not necessarily aware of the resources that are included internally. Therefore, all checks are performed in request scope filters. Also, this implies that selectors added internally (e.g. through sling:include) are not affected.
>
> The two mechanisms in more detail:
>
> 1. The generally allowed selectors can be configured as a list of entries
>    a. A configuration entry can contain multiple selectors, * allows all selectors
>    b. selectors can be configured only for specific repository trees as follows:
>       repositorypath:selectors
>       i. the repository path is evaluated as a regular expression
>       ii. example: /content/.*:myselector,anotherselector
>    c. If a configuration entry contains multiple selectors, a request containing these selectors must contain them in the same order as in the configuration.
>
> 2. On a resource or on its resource type, the property sling:resourceSelectors can be implemented. On that resource, the specified selectors are allowed in addition to the ones specified in mechanism 1.
>    a. A resource/resource type without the property sling:resourceSelectors does not allow any selectors except the ones defined in mechanism 1.
>    b. Inheritance must be considered: if a resource has a sling:resourceSuperType set, the inherited selectors must be applied and the selectors added to the ones of the current resource. (see examples below)
>       i. If both the current resource and its resource type and/or its resource supertype have the property set, all selectors specified in either node are allowed.
>    c. If multiple selectors are defined on a resource, a request that has multiple selectors must contain them in the same order as defined on the resource.
>       i. Fixed ordering can be switched off configuratively
>    d. Checks are performed only on request scope, therefore the check is only performed on the resource actually requested.
>
> 3. Selectors defined by a Servlet in property sling.servlet.selectors are treated as any other selector: either these selectors must be configured in the generally allowed selectors or the resource requested must specifically allow for them.
>
> Attached is a sample implementation (definitely not production ready!).
>
> [1] http://svn.apache.org/repos/asf/sling/trunk/samples/urlfilter/src/main/java/org/apache/sling/samples/urlfilter/impl/UrlFilter.java

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
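The allow-check the proposal describes (general entries with a path regex and ordered selector lists, plus per-resource sling:resourceSelectors, with the order check switchable), as an added example in plain Java with no Sling dependencies; this is not the attached SlingSelectorFilter/SlingSelectorConfig, and the class, method and parameter names are assumptions. The only Sling name mentioned, RequestPathInfo.getSelectors(), is the API a request-scope filter would read the request's selectors from; resolving sling:resourceSelectors across the resource type / super type chain is left to the caller.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example: the allow-check the ticket describes, as plain Java without Sling APIs. A request-scope
// filter would pass RequestPathInfo.getSelectors() to isAllowed() and reject the request on false.
public class SelectorAllowCheck {
    // One "repositorypath:sel1,sel2" entry (mechanism 1b); "*" as a selector allows everything (1a).
    static final class Entry {
        final Pattern path;
        final List<String> selectors;
        Entry(String raw) {
            int colon = raw.lastIndexOf(':');  // path regex before the last colon, selectors after it
            path = Pattern.compile(colon < 0 ? ".*" : raw.substring(0, colon));
            selectors = Arrays.asList(raw.substring(colon + 1).split(","));
        }
    }
    private final List<Entry> general = new ArrayList<>();
    private final boolean fixedOrder;  // the "fixed ordering can be switched off" option (2c-i)

    SelectorAllowCheck(boolean fixedOrder, String... configEntries) {
        this.fixedOrder = fixedOrder;
        for (String c : configEntries) general.add(new Entry(c));
    }

    // resourceSelectors: sling:resourceSelectors of the requested resource merged with the values inherited
    // via its resource type / super type (mechanism 2b); the caller resolves that chain before calling.
    boolean isAllowed(String resourcePath, List<String> requestSelectors, List<String> resourceSelectors) {
        List<List<String>> sources = new ArrayList<>();
        for (Entry e : general) {
            if (!e.path.matcher(resourcePath).matches()) continue;
            if (e.selectors.contains("*")) return true;
            sources.add(e.selectors);
        }
        sources.add(resourceSelectors);
        for (String s : requestSelectors)  // every request selector must appear in some allowed list
            if (sources.stream().noneMatch(src -> src.contains(s))) return false;
        if (!fixedOrder) return true;
        for (List<String> src : sources) {  // selectors drawn from one list must keep that list's order (1c, 2c)
            int last = -1;
            for (String s : requestSelectors) {
                int idx = src.indexOf(s);
                if (idx >= 0 && idx <= last) return false;  // out of order, or the same selector repeated
                if (idx >= 0) last = idx;
            }
        }
        return true;
    }
}
```

With the ticket's example entry `/content/.*:myselector,anotherselector` and fixedOrder set, `isAllowed("/content/page", List.of("myselector", "anotherselector"), List.of())` passes while the reversed order is rejected, and a selector that appears only in the resource's sling:resourceSelectors list is accepted on that resource alone.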