Posted to dev@sling.apache.org by Ruben Reusser <rr...@headwire.com> on 2009/03/27 15:39:52 UTC

securing a sling based application

hi there,

I am wondering how to best secure a Sling based application so once my 
app is deployed and I allow access from the internet I do not run into 
security issues or unexpected outside exposure. Is there a best practice 
for what one should look out for or a set of apache rewrite rules one should 
use?

Thanks

Ruben

Re: securing a sling based application

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,

On Fri, Mar 27, 2009 at 4:39 PM, Ruben Reusser <rr...@headwire.com> wrote:
> ...I am wondering how to best secure a Sling based application so once my app
> is deployed and I allow access from the internet I do not run into security
> issues or unexpected outside exposure. Is there a best practice for what one
> should look out for or a set of apache rewrite rules one should use?...

One thing that I would recommend is having all your content under
/content, and configuring a virtual httpd host so that the root of
your public website points to /content, hiding everything else.

This will prevent outside access to things that people shouldn't see,
like /system, /libs, /apps, etc.

Apart from that, the usual rules for securing webapps apply. One
benefit of JCR is that handling security at the repository level makes
sure nothing bad can happen as long as users cannot elevate their
privileges.

-Bertrand
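The virtual host Bertrand describes, as an added example that is not part of the thread or of Sling's own configuration. It assumes Apache httpd 2.4 with mod_proxy and mod_proxy_http loaded, a Sling instance listening only on localhost:8080, and the hostname www.example.com; the explicit deny block for /system, /libs and /apps is an extra safeguard on top of the root mapping, not something the post calls for.

```apache
<VirtualHost *:80>
    ServerName www.example.com

    # Assumed: Sling's HTTP listener is bound to localhost:8080 and is not
    # reachable from the internet directly, so httpd is the only way in.
    ProxyRequests Off
    ProxyPreserveHost On

    # Map the public site root onto the /content subtree only. A request for
    # /news/index.html reaches Sling as /content/news/index.html, so the
    # repository root and its siblings (/system, /libs, /apps, ...) are never
    # addressable from outside: everything not under /content is hidden.
    ProxyPass        /  http://localhost:8080/content/
    ProxyPassReverse /  http://localhost:8080/content/

    # Extra safeguard: even if a later rule or a misconfiguration forwards
    # paths verbatim, refuse the well-known non-content trees outright.
    <LocationMatch "^/(system|libs|apps)(/|$)">
        Require all denied
    </LocationMatch>
</VirtualHost>
```

Verify the mapping after deploying by requesting http://www.example.com/system/console from outside and confirming you get a 403 or 404 rather than the Sling web console.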