SLIDE 1

Secure by Default Web Applications With Apache Sling

Robert Munteanu, Adobe Systems, ApacheCon Core 2016

http://robert.muntea.nu @rombert

SLIDE 2

Who I am

  • $DAYJOB
    • Adobe Experience Manager
    • Apache Sling, Apache Jackrabbit, Apache Felix
  • Open Source
    • Apache Sling
    • MantisBT
    • Mylyn Connector for MantisBT
    • Mylyn Connector for Review Board

SLIDES 3-5

Purpose of the talk: Scope, Cost, Schedule

SLIDE 6

Agenda

  • Apache Sling
  • Demo application review
  • Threat model
  • Security with Apache Sling
  • Demo
  • Conclusion
  • Q&A

SLIDE 7

Apache Sling – Brief History

  • 200x: Pre-Apache
  • 2007: Incubation
  • 2009: TLP
  • 2015: Version 8

SLIDE 8

Apache Sling – Code Statistics

SLIDE 9

Apache Sling – Contributor activity

SLIDE 10

Apache Sling – Value proposition

  • Content-oriented
  • RESTful
  • Lightweight
  • Integrated authentication and authorization
  • OSGi-powered
  • Scripting inside
  • Easily deployable

SLIDE 11

Apache Sling – Content-Oriented

Blog posts, Images, Users and Groups

SLIDE 12

Apache Sling – Content-Oriented

Server-side templates and scripts

Configurations

SLIDE 13

Apache Sling – RESTful

$ http localhost:8080/content/blog/posts/hello_world.html

Other extensions shown on the slide in place of html: json, xml, txt, pdf, php3

SLIDE 14

Apache Sling – RESTful

SLIDE 15

Apache Sling – Persistence via JCR

SLIDE 16

Apache Sling – Topologies: Standalone, High Availability

SLIDE 17

Agenda

  • Apache Sling
  • Demo application review
  • Threat model
  • Security with Apache Sling
  • Demo
  • Conclusion
  • Q&A

SLIDE 18

Demo App – main page

SLIDE 19

Demo App – Article Page

SLIDE 20

Demo App – Submitting comments

SLIDE 21

Agenda

  • Apache Sling
  • Demo application review
  • Threat model
  • Security with Apache Sling
  • Demo
  • Conclusion
  • Q&A

SLIDE 22

Threat modelling

“Threat modeling is an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application”

Threat Modeling Web Applications on MSDN

SLIDE 23

Threat Modelling - Assets

SLIDE 24

Threat Modelling - Assets

  • Availability
  • Content
  • User Credentials
  • Ability to execute code on server
  • Ability to execute code in the browser context

SLIDE 25

Threat Modelling - Trust Levels

SLIDE 26

Threat Modelling - Trust Levels

  1. Anonymous
  2. Author
  3. Administrator

SLIDE 27

Threat Modelling - Threats

OWASP

SLIDE 28

Threat Modelling - Threats

  1. Denial of Service
  2. Defacement / Deletion
  3. Leaking credentials
  4. SQL/Shell Injection
  5. Stored/Reflected XSS

SLIDE 29

Threat Modelling - Mitigation

SLIDE 30

Agenda

  • Apache Sling
  • Demo application review
  • Threat model
  • Security with Apache Sling
  • Demo
  • Conclusion
  • Q&A

SLIDE 31

Apache Sling Security – Natural layering of ACEs

SLIDE 32

Apache Sling Security – Security applied at the lowest level

$ http --auth bob:bob localhost:8080/content/blog/posts/new_blog_post 'jcr\:title=New post'

SLIDE 33

Apache Sling Security – Context-aware templating language

<div class="comment clearfix">
  <img class="avatar img-rounded pull-left" src="${resource.valueMap['authorAvatar']}"/>
  <h3>${resource.valueMap['jcr:title']}</h3>
  <p>${resource.valueMap['jcr:description']}</p>
</div>
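The template language (Sightly/HTL) escapes each ${...} expression according to the context it lands in: the src attribute is treated as a URI, the h3 and p bodies as HTML text. The following is an added example, not from the slides or the Sling project, showing the same markup produced from a Java servlet, where nothing is escaped automatically and the Sling XSS API has to be called with the encoder matching each output context. The package example.blog and the resource type blog/comment are assumptions; XSSAPI with its getValidHref and encodeForHTML methods, ValueMap and SlingSafeMethodsServlet are existing Sling APIs.

```java
// Added example, not from the slides or the Sling project: rendering one comment from Java,
// with the escaping that HTL would otherwise apply per context done explicitly.
// Assumed (hypothetical): package example.blog and a resource type "blog/comment".
package example.blog;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.Servlet;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.ValueMap;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.xss.XSSAPI;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

@Component(service = Servlet.class, property = {
    "sling.servlet.resourceTypes=blog/comment",   // hypothetical resource type of a comment
    "sling.servlet.methods=GET",
    "sling.servlet.extensions=html"
})
public class CommentHtmlServlet extends SlingSafeMethodsServlet {

    // The Sling XSS API service provides one encoder per output context.
    @Reference
    private XSSAPI xssApi;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        // The stored values are raw user input (the comment form stores them verbatim);
        // escaping happens here, at render time, not when the comment is saved.
        ValueMap props = request.getResource().getValueMap();
        String avatar = props.get("authorAvatar", "");
        String title = props.get("jcr:title", "");
        String body = props.get("jcr:description", "");

        response.setContentType("text/html");
        response.setCharacterEncoding("UTF-8");
        PrintWriter out = response.getWriter();

        out.print("<div class=\"comment clearfix\">");
        // URI context: getValidHref() returns an empty string for anything that is not a
        // well-formed URL with an allowed scheme, so a stored value cannot become a script URL.
        out.print("<img class=\"avatar img-rounded pull-left\" src=\""
                + xssApi.getValidHref(avatar) + "\"/>");
        // HTML text context: encodeForHTML() turns <, >, & and quotes into entities, so markup
        // or script tags inside a comment are displayed as text rather than interpreted.
        out.print("<h3>" + xssApi.encodeForHTML(title) + "</h3>");
        out.print("<p>" + xssApi.encodeForHTML(body) + "</p>");
        out.print("</div>");
    }
}
```

The point of the comparison is the amount of code that must be right by hand: each of the three values needs the encoder for its own context, and forgetting one (or using encodeForHTML inside the src attribute, which does not reject script URLs) reopens the stored XSS threat listed earlier, whereas the HTL version gets the same result from the template engine without any call in the script.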

SLIDE 34

Apache Sling Security – Injection-safe APIs

Children of /content/blog/posts

SLIDE 35

Apache Sling Security – Injection-safe APIs

Children of /content/blog/comments/hello_world
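An added example, not from the slides or the Sling project, that puts the two preceding points (security applied at the lowest level, injection-safe APIs) together in one servlet storing a submitted comment for the demo blog: access control is left to the repository through the request's own ResourceResolver, and the comment bucket is reached with the Resource API rather than with a query string assembled from request input. Assumptions: the package example.blog, a post resource type blog/post, the layout /content/blog/posts/<name> for posts and /content/blog/comments/<name> for their comments as on the slide, and a form field named text. ResourceResolver, Resource, PersistenceException and SlingAllMethodsServlet are existing Sling APIs.

```java
// Added example, not from the slides or the Sling project: a comment-submission servlet.
// Assumed (hypothetical): package example.blog, resource type "blog/post" for posts,
// comments stored as children of /content/blog/comments/<post name>, a form field "text".
package example.blog;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.PersistenceException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;

@Component(service = Servlet.class, property = {
    "sling.servlet.resourceTypes=blog/post",   // hypothetical resource type of a post
    "sling.servlet.selectors=comment",         // POST /content/blog/posts/hello_world.comment.html
    "sling.servlet.methods=POST"
})
public class CommentServlet extends SlingAllMethodsServlet {

    private static final String COMMENTS_ROOT = "/content/blog/comments";

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {

        // Security at the lowest level: this resolver is bound to the user who authenticated
        // the request (or to anonymous). The repository checks every read and write below
        // against the ACEs on the nodes involved, so the servlet has no permission logic.
        ResourceResolver resolver = request.getResourceResolver();

        // The post being commented on is the resource the URL resolved to, not a form field.
        Resource post = request.getResource();

        // Injection-safe API: the bucket is reached by walking the tree. post.getName() is a
        // single JCR name segment, so it cannot contain '/'. Building a JCR-SQL2 string such as
        //   "... WHERE ISCHILDNODE('" + COMMENTS_ROOT + "/" + name + "')"
        // from request input is the query-injection problem the threat list refers to.
        Resource commentsRoot = resolver.getResource(COMMENTS_ROOT);
        Resource bucket = commentsRoot == null ? null : commentsRoot.getChild(post.getName());
        if (bucket == null) {
            // Also the outcome when this user may not read the bucket: the repository
            // simply does not expose nodes it has not granted access to.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        String text = request.getParameter("text");
        if (text == null || text.trim().isEmpty() || text.length() > 4000) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        Map<String, Object> props = new HashMap<>();
        props.put("jcr:primaryType", "nt:unstructured");
        props.put("jcr:description", text);          // stored verbatim; escaped at render time
        props.put("author", resolver.getUserID());   // from the session, never from the form

        try {
            resolver.create(bucket, "comment-" + UUID.randomUUID(), props);
            // The write runs with the requesting user's privileges. If the ACEs on the bucket
            // do not grant this user the right to add nodes, the repository rejects the change
            // (typically at commit()) and the comment is never stored.
            resolver.commit();
            response.setStatus(HttpServletResponse.SC_CREATED);
        } catch (PersistenceException e) {
            resolver.revert();
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

Which trust level from the threat model may comment is then expressed as an ACE on /content/blog/comments (granting, say, authors or anonymous the right to add child nodes there and nothing else) rather than as a check in the servlet; a request that lacks it fails inside commit() with a PersistenceException, the same way an unauthenticated version of the http --auth command on the earlier slide is refused.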

SLIDE 36

Agenda

  • Apache Sling
  • Demo application review
  • Threat model
  • Security with Apache Sling
  • Demo
  • Conclusion
  • Q&A

SLIDE 37

Demo Application – Actual demo!!!!1oneone

SLIDE 38

Conclusions – Security

  • Aim to be “Secure by Default”
  • Build a threat model for your application
  • Look for components that eliminate problems altogether

SLIDE 39

Conclusions – Apache Sling

  • Simple to be “Secure by Default”
  • Eventing, Thread Pooling, Job Management, Caching
  • Scripting: Groovy, Scala, JSP, Sightly, Java, Ruby, Thymeleaf
  • Flexible resource rendering with resource types
  • Very extensible due to being internally powered by OSGi – most extension points available to clients

SLIDE 40

Resources

  • Apache Sling – https://sling.apache.org
  • Apache Jackrabbit
    • https://jackrabbit.apache.org
    • http://jackrabbit.apache.org/oak/
  • OWASP - https://www.owasp.org
    • https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
    • https://www.owasp.org/index.php/Application_Threat_Modeling