You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Ben Zahler (JIRA)" <ji...@apache.org> on 2013/09/05 11:10:53 UTC
[jira] [Updated] (SLING-3040) Selector Restriction
[ https://issues.apache.org/jira/browse/SLING-3040?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ben Zahler updated SLING-3040:
------------------------------
Attachment: SlingSelectorFilter.java
SlingSelectorConfig.java
> Selector Restriction
> --------------------
>
> Key: SLING-3040
> URL: https://issues.apache.org/jira/browse/SLING-3040
> Project: Sling
> Issue Type: Wish
> Components: Extensions
> Reporter: Ben Zahler
> Priority: Minor
> Labels: security
> Attachments: SlingSelectorConfig.java, SlingSelectorFilter.java
>
>
> Sling selectors have been identified as a possible means of DoS attacks in CQ5. Therefore, this ticket contains proposals on how selector restrictions can be implemented in Sling.
> I propose two mechanisms that can/should be used together:
> - define selectors frequently used in the Sling instance and allow them on any request
> - define selectors per resource/resource type that are only allowed for that resource/resource type (already proposed in [1])
> The original requestor is not necessarily aware of the resources that are included internally. Therefore, all checks are performed in request scope filters. Also, this implies that selectors added internally (e.g. through sling:include) are not affected.
> The two mechanisms in more detail:
> 1. The generally allowed selectors can be configured as a list of entries
> a. A configuration entry can contain multiple selectors, * allows all selectors
> b. selectors can be configured only for specific repository trees as follows:
> repositorypath:selectors
> i. the repository path is evaluated as a regular expression
> ii. example: /content/.*:myselector,anotherselector
> c. If a configuration entry contains multiple selectors, a request containing these selectors must contain them in the same order as in the configuration.
> 2. On a resource or on its resource type, the property sling:resourceSelectors can be implemented. On that resource, the specified selectors are allowed in addition to the ones specified in mechanism 1.
> a. A resource/resource type without the property sling:resourceSelectors does not allow any selectors except the ones defined in mechanism 1.
> b. Inheritance must be considered: if a resource has a sling:resourceSuperType set, the inherited selectors must be applied and the selectors added to the ones of the current resource. (see examples below)
> i. If both the current resource and its resource type and or its resource supertype have the property set, all selectors specified in either node are allowed.
> c. If multiple selectors are defined on a resource, a request that has multiple selectors must contain them in the same order as defined on the resource.
> i. Fixed ordering can be switched off configuratively
> d. Checks are performed only on request scope, therefore the check is only performed on the resource actually requested.
> 3. Selectors defined by a Servlet in property sling.servlet.selectors are treated as any other selector: either these selectors must be configured in the generally allowed selectors or the resource requested must specifically allow for them.
> Attached is a sample implementation (definitely not production ready!).
> [1] http://svn.apache.org/repos/asf/sling/trunk/samples/urlfilter/src/main/java/org/apache/sling/samples/urlfilter/impl/UrlFilter.java
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira