Hi,

On Fri, Mar 27, 2009 at 4:39 PM, Ruben Reusser <[email protected]> wrote:
> ...I am wondering how to best secure a sling based application so once my app
> is deployed and I allow access from the internet I do not run into security
> issues or unexpected outside exposure. Is there a best practice what one
> should look out for or a set of apache rewrite rules one should use?...

One thing that I would recommend is having all your content under
/content, and configuring a virtual httpd host so that the root of
your public website points to /content, hiding everything else.

This will prevent outside access to things that people shouldn't see,
like /system, /libs, /apps, etc.

Apart from that, the usual rules for securing webapps apply. One
benefit of JCR is that handling security at the repository level makes
sure nothing bad can happen as long as users cannot elevate their
privileges.

-Bertrand
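
The virtual host setup recommended in the message above, sketched as an Apache httpd reverse-proxy configuration. This is an added example, not part of the original message or of Sling's documentation. It assumes mod_proxy and mod_proxy_http are loaded, that Sling listens on 127.0.0.1:8080, and that the public hostname is www.example.com.

```apache
# Constructed example. Assumptions: Sling listens on 127.0.0.1:8080 and the
# public hostname is www.example.com; neither comes from the original message.
<VirtualHost *:80>
    ServerName www.example.com

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # Weak mapping, shown for contrast: it passes every repository path
    # through, so /system, /libs and /apps are reachable from outside.
    # ProxyPass        / http://127.0.0.1:8080/

    # Mapping described in the message: the public root is /content.
    # A request for /system/console reaches Sling as /content/system/console,
    # which resolves only if such a node exists under /content.
    ProxyPass        / http://127.0.0.1:8080/content/

    # Rewrite Location headers in redirects sent by Sling so they do not
    # expose the backend address or the /content prefix.
    ProxyPassReverse / http://127.0.0.1:8080/content/

    # Default setting, stated explicitly: URLs containing an encoded
    # slash (%2F) are refused instead of being forwarded.
    AllowEncodedSlashes Off
</VirtualHost>
```

The mapping hides the other repository paths only if the Sling port itself is unreachable from outside, so bind it to the loopback interface or firewall it.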
