Apache Sling Security

This module is part of the Apache Sling project.

The Apache Sling Security module provides:

  • CSRF protection through the Referrer Filter
  • download hardening through the Content Disposition Filter

This OSGi bundle can be used as a standalone bundle outside of Apache Sling. In that case, only the Referrer Filter functionality is available, as the Content Disposition Filter depends on the Apache Sling API.

Requirements

  • Java 11+
  • Maven

The project inherits build plugins and checks from Sling parent POM 66.

Build and test

  • Build: mvn clean install
  • Build without tests: mvn clean install -DskipTests
  • Run tests: mvn test
  • Run Spotless check: mvn spotless:check
  • Apply Spotless formatting: mvn spotless:apply
  • Run RAT license checks: mvn rat:check
  • Run OSGi baseline checks: mvn baseline:check

Referrer Filter (CSRF protection)

The Referrer Filter is registered as an OSGi HTTP Whiteboard Preprocessor and checks browser-originated modification requests. It validates the Referer header and falls back to the Origin header when no Referer is present.

Configuration PID: org.apache.sling.security.impl.ReferrerFilter

Main configuration options:

  • Allow Empty (allow.empty)
  • Allow Hosts (allow.hosts)
  • Allow Regexp Host (allow.hosts.regexp)
  • Filter Methods (filter.methods)
  • Exclude Regexp User Agent (exclude.agents.regexp)
  • Exclude Paths (exclude.paths)

Sample configuration

{
  "allow.empty": false,
  "allow.hosts": ["mysite.com", "localhost"],
  "allow.hosts.regexp": [],
  "filter.methods": ["POST", "PUT", "DELETE", "COPY", "MOVE"],
  "exclude.agents.regexp": [],
  "exclude.paths": []
}

This configuration can also be amended through factory configurations with the following factory PID:

  • Factory PID: org.apache.sling.security.impl.ReferrerFilterAmendmentImpl

Sample amendment configuration

{
  "allow.hosts": ["mysite.com", "localhost"],
  "allow.hosts.regexp": [],
  "exclude.agents.regexp": [],
  "exclude.paths": []
}

Content Disposition Filter

The Content Disposition Filter is a Sling request/forward filter that adds a Content-Disposition: attachment header for configured resource paths on GET and HEAD requests. It supports explicit path includes, prefix includes (paths ending in *), exclusions, and an optional all-paths mode.

The header is only added for resources that have a jcr:data property either directly or at jcr:content/jcr:data.

Configuration PID: org.apache.sling.security.impl.ContentDispositionFilter

Main configuration options:

  • Included Resource Paths & Content Types (sling.content.disposition.paths)
  • Excluded Resource Paths (sling.content.disposition.excluded.paths)
  • Enable For All Resource Paths (sling.content.disposition.all.paths)

Sample configuration

{
  "sling.content.disposition.paths": [
    "/content/secure/*",
    "/content/files/report.pdf:text/html,text/plain"
  ],
  "sling.content.disposition.excluded.paths": [
    "/content/secure/preview"
  ],
  "sling.content.disposition.all.paths": false
}