SLING-10588 - Updated to not set localhost by default, check that a non-empty value is set (not just a non-empty array), removed the default configuration and updated the security documentation
diff --git a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityConfigInstance.java b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityConfigInstance.java
index f073ee7..cec6110 100644
--- a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityConfigInstance.java
+++ b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityConfigInstance.java
@@ -23,6 +23,7 @@
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.ArrayUtils;
+import org.apache.commons.lang3.StringUtils;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Modified;
@@ -47,9 +48,20 @@
}
+ private boolean domainsSet() {
+ if (ArrayUtils.isEmpty(config.hostDomains())) {
+ return false;
+ }
+ for (String value : config.hostDomains()) {
+ if (StringUtils.isNotEmpty(value)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
public boolean applies(HttpServletRequest request) {
- return ArrayUtils.isEmpty(config.hostDomains())
- || ArrayUtils.contains(config.hostDomains(), request.getServerName());
+ return !domainsSet() || ArrayUtils.contains(config.hostDomains(), request.getServerName());
}
public String getGroupName() {
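Review bot: The new `applies` line trusts `request.getServerName()`, which the container derives from the client-supplied Host header (or its default host), so once `hostDomains` is configured a request carrying an unlisted Host value makes `applies` return false and the filter's restrictions are skipped for that request; the check is only as strong as the reverse proxy or vhost in front of Sling, which this code cannot verify. That assumption deserves a comment on the method, e.g. `// getServerName() comes from the Host header: the front-end must reject unlisted hosts or this check is bypassable`. The comparison is also exact-match while hostnames are case-insensitive, so `Host: CMS.Example.com` would not count as a CMS domain; `Arrays.stream(config.hostDomains()).anyMatch(d -> d.equalsIgnoreCase(request.getServerName()))` closes that gap (needs `java.util.Arrays`). `domainsSet` uses `isNotEmpty` rather than `isNotBlank`, so a single whitespace-only entry counts as "set" and the filter then applies to no host at all, which is the opposite of what the empty-array case does.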
diff --git a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java
index e1ac4c2..8aab1d0 100644
--- a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java
+++ b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java
@@ -32,6 +32,7 @@
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
+import org.apache.http.HttpStatus;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
@@ -42,6 +43,7 @@
import org.apache.sling.cms.PublishableResource;
import org.apache.sling.cms.publication.PUBLICATION_MODE;
import org.apache.sling.cms.publication.PublicationManagerFactory;
+import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
@@ -83,7 +85,7 @@
if (!allowed) {
log.trace("Request to {} not allowed for user {}", slingRequest.getRequestURI(),
slingRequest.getResourceResolver().getUserID());
- ((HttpServletResponse) response).sendError(401);
+ ((HttpServletResponse) response).sendError(HttpStatus.SC_UNAUTHORIZED);
return;
}
}
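Review bot: The replacement constant is taken from `org.apache.http.HttpStatus`, which ties this filter bundle to HttpCore purely for a status code, while `javax.servlet.http.HttpServletResponse` (already imported here) defines the same value; `((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);` keeps the intent without the new import. Separately, this branch fires for a resolved user who is simply not in the required group as well as for an anonymous one, and for the former 403 (`SC_FORBIDDEN`) would be the accurate status; whether something downstream relies on 401 to trigger a login redirect is not visible in this hunk, so treat that as a question rather than a fix. The enclosing method starts before this hunk and continues after it.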
@@ -145,9 +147,7 @@
return false;
}
log.trace("Retrieved user manager {} with session {}", userManager, session);
- Authorizable auth;
-
- auth = userManager.getAuthorizable(slingRequest.getUserPrincipal());
+ Authorizable auth = userManager.getAuthorizable(slingRequest.getUserPrincipal());
if (auth == null) {
log.warn("Unable to retrieve user from principal {}", slingRequest.getUserPrincipal());
return false;
diff --git a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilterConfig.java b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilterConfig.java
index 5c95f36..bfaf75f 100644
--- a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilterConfig.java
+++ b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilterConfig.java
@@ -25,8 +25,8 @@
@ObjectClassDefinition(name = "%cms.security.filter.name", description = "%cms.security.filter.description", localization = "OSGI-INF/l10n/bundle")
public @interface CMSSecurityFilterConfig {
- @AttributeDefinition(name = "%hostDomains.name", description = "%hostDomains.description")
- String[] hostDomains() default "localhost";
+ @AttributeDefinition(name = "%hostDomains.name", description = "%hostDomains.description", defaultValue = "localhost")
+ String[] hostDomains();
@AttributeDefinition(name = "%allowedPatterns.name", description = "%allowedPatterns.description")
String[] allowedPatterns() default { "^\\/content\\/starter/.*$", "^\\/static/.*$",
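Review bot: The `defaultValue = "localhost"` added to the `hostDomains` attribute definition works against the stated goal of the commit: the Java `default` is gone, so an unconfigured component sees no domains and `applies` covers every host, but the metatype default is, as far as I can tell, what the web console pre-fills when a configuration is created, so an admin who saves without editing that field (presumably common when following docs/securing.md) persists `hostDomains=[localhost]`, after which the filter only matches requests whose server name is literally `localhost` and no longer protects the instance's real hostname. Dropping the attribute, i.e. `@AttributeDefinition(name = "%hostDomains.name", description = "%hostDomains.description")`, keeps console and runtime behaviour consistent. Since the empty-value semantics are now load-bearing, the `%hostDomains.description` text in the l10n bundle should spell them out, along the lines of "Host names this filter applies to; leave empty to apply to all hosts."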
diff --git a/docs/securing.md b/docs/securing.md
index 489e020..a175521 100644
--- a/docs/securing.md
+++ b/docs/securing.md
@@ -15,9 +15,14 @@
Sling CMS by default is pretty open, so you will want to secure the application with the following steps:
1. Configure the Apache Sling CMS Security Filter - The Apache Sling CMS Security Filter allows for limiting access to non-published content and content directly through the CMS domain. To configure the Apache Sling CMS Security Filter:
- - Open the OSGi console to [http://localhost:8080/system/console/configMgr/org.apache.sling.cms.core.filters.CMSSecurityFilter](http://localhost:8080/system/console/configMgr/org.apache.sling.cms.core.filters.CMSSecurityFilter)
- - Configure the Host Domain and the Group
+ - Open the OSGi console to [http://localhost:8080/system/console/configMgr](http://localhost:8080/system/console/configMgr/)
+ - Select the plus indicator by _Apache Sling CMS Security Filter_
+ - Configure the Host Domain, Allowed Patterns and, optionally, the Group required to access the CMS
![Configure Security Filter](img/configure-security-filter.png)
+ 2. Configure the Referrer Filter - this filters which referrers are allowed send modification requests to the CMS instance. To configure the Referrer Filter:
+ - Open the OSGi console at [http://localhost:8080/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter](http://localhost:8080/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter)
+ - Configure the _Allow Hosts_ or _Allow Regexp Hosts_ to the host names allowed
+ ![Configure Referrer Filter](img/configure-referrer-filter.png)
2. Configure Apache for Security - Add configurations to make Apache HTTPD secure:
# Security Protection
diff --git a/feature/src/main/features/runmodes/standalone.json b/feature/src/main/features/runmodes/standalone.json
index 23eba0a..364571b 100644
--- a/feature/src/main/features/runmodes/standalone.json
+++ b/feature/src/main/features/runmodes/standalone.json
@@ -4,14 +4,6 @@
"instanceType": "STANDALONE",
"publicationMode": "STANDALONE",
"agents": []
- },
- "org.apache.sling.cms.core.internal.filters.CMSSecurityConfigInstance": {
- "hostDomains": [],
- "allowedPatterns": [
- "^\/content\/starter/.*$",
- "^\/static/.*$",
- "^\/system\/sling\/form\/login$"
- ]
}
}
}
\ No newline at end of file