Posted to dev@sling.apache.org by "Robert Munteanu (Jira)" <ji...@apache.org> on 2023/03/03 16:33:00 UTC
[jira] [Commented] (SLING-11782) Document Sling threat model and how to properly secure Sling
[ https://issues.apache.org/jira/browse/SLING-11782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17696211#comment-17696211 ]
Robert Munteanu commented on SLING-11782:
-----------------------------------------
This is a very good idea. I've created https://cwiki.apache.org/confluence/display/SLING/Threat+model so we can start collaborating on it. It's been a long time since I looked at threat modelling, so I'd be happy if someone could propose a structure or a methodology we can follow.
> Document Sling threat model and how to properly secure Sling
> ------------------------------------------------------------
>
> Key: SLING-11782
> URL: https://issues.apache.org/jira/browse/SLING-11782
> Project: Sling
> Issue Type: Improvement
> Components: Documentation, Site
> Reporter: Angela Schreiber
> Priority: Major
> Labels: security
>
> The documentation should be more explicit about how to run Sling in a secure way. In particular we should provide some information about the underlying threat model.
> For example, we should be explicit about the fact that whoever has access to the OSGi console has file system access with the privileges of the JRE.
> cc: [~rombert], [~cziegeler]