docs: add AGENTS.md, CLAUDE.md, and expand README (#12)

Co-authored-by: Maia <maia@noreply>
3 files changed
tree: 9ec31acc533eb42cb51b88e3ab8876d4c09b1baa
  1. .vscode/
  2. src/
  3. .asf.yaml
  4. .gitignore
  5. AGENTS.md
  6. bnd.bnd
  7. CLAUDE.md
  8. CODE_OF_CONDUCT.md
  9. CONTRIBUTING.md
  10. Jenkinsfile
  11. LICENSE
  12. pom.xml
  13. README.md
README.md

Apache Sling

Build Status Test Status Coverage Sonarcloud Status JavaDoc Maven Central Contrib License

Apache Sling Security

This module is part of the Apache Sling project.

The Apache Sling Security module provides:

  • CSRF protection through the Referrer Filter
  • download hardening through the Content Disposition Filter

This OSGi bundle can be used as a standalone bundle outside of Apache Sling. In that case, only the Referrer Filter functionality is available, as the Content Disposition Filter depends on the Apache Sling API.

Requirements

  • Java 11+
  • Maven (the project inherits build plugins and checks from Sling parent POM v66)

Build and test

  • Build: mvn clean install
  • Build without tests: mvn clean install -DskipTests
  • Run tests: mvn test

Referrer Filter (CSRF protection)

The Referrer Filter is registered as an OSGi HTTP Whiteboard Preprocessor and checks modification requests from browsers.

Configuration PID: org.apache.sling.security.impl.ReferrerFilter

Main configuration options:

  • Allow Empty (allow.empty)
  • Allow Hosts (allow.hosts)
  • Allow Regexp Host (allow.hosts.regexp)
  • Filter Methods (filter.methods)
  • Exclude Regexp User Agent (exclude.agents.regexp)
  • Exclude Paths (exclude.paths)

Sample configuration

{
  "allow.empty": false,
  "allow.hosts": ["mysite.com", "localhost"],
  "allow.hosts.regexp": [],
  "filter.methods": ["POST", "PUT", "DELETE", "COPY", "MOVE"],
  "exclude.agents.regexp": [],
  "exclude.paths": []
}

It is also possible to amend this configuration with factory configurations for:

  • Factory PID: org.apache.sling.security.impl.ReferrerFilterAmendmentImpl

Sample amendment configuration

{
  "allow.hosts": ["mysite.com", "localhost"],
  "allow.hosts.regexp": [],
  "exclude.agents.regexp": [],
  "exclude.paths": []
}

Content Disposition Filter

The Content Disposition Filter adds Content-Disposition: attachment for configured Sling resource paths (for GET and HEAD requests), with support for explicit path includes, prefix includes, exclusions, and optional all-path mode.

Configuration PID: org.apache.sling.security.impl.ContentDispositionFilter

Main configuration options:

  • Included Resource Paths & Content Types (sling.content.disposition.paths)
  • Excluded Resource Paths (sling.content.disposition.excluded.paths)
  • Enable For All Resource Paths (sling.content.disposition.all.paths)

Sample configuration

{
  "sling.content.disposition.paths": [
    "/content/secure/*",
    "/content/files/report.pdf:text/html,text/plain"
  ],
  "sling.content.disposition.excluded.paths": [
    "/content/secure/preview"
  ],
  "sling.content.disposition.all.paths": false
}