Configuring CQ Security
About Me
  CQ Architect for Inside Solutions
  http://inside-solutions.ch
  CQ Blog: http://cqblog.inside-solutions.ch
  Customer Projects with Adobe CQ
  Training Material on Adobe CQ
Agenda
  Security Configuration Basics
  Denial-Of-Service-Attacks
  Repository Attacks
  Access Control
  Dispatcher Configuration
CQ and Security
Is CQ secure?
  Yes! ... if done right.
  CQ is very flexible, which means in customer projects a lot of good and bad
things can be done.
  Security out-of-the-box is OK
  Must apply security checklist
  http://dev.day.com/docs/en/cq/current/deploying/security_checklist.html
  Improvements in every release
  Improve it!
  delete geometrixx content and users
  restrict security configuration based on your application's needs
  take care of access control
Configuring For Security
The following basic rules should always be applied to secure a website:
  Make available as little information about your system as required.
  Emphasize access restriction and correct access implementation.
  Filter out invalid requests as early as possible, e.g. on firewall, web
server or dispatcher.
Every Security Issue Matters
Even minor flaws should be fixed because:
  attacking a website often needs more than one loophole.
  even a combination of small loopholes can lead to severe security issues.
Denial-Of-Service attacks
Attack Vectors
  Types of Denial-of-Service attacks
  brute force
  exploit of system weakness that exponentially boosts the attack
General DoS Mitigation
Apply the following basic rules:
  Protect CQ with a Firewall to filter invalid requests
  Network protocol exploits
  Detect a limited number of servers that send vast amounts of similar
requests
  Cache Resources
  Dispatcher cache and/or CDN
  Cache all content from CQ if possible.
  Content that cannot be cached must be explicitly stress-tested.
  Expect more than just regular load
Selectors and DoS
  Selectors are a very helpful utility in Adobe CQ, but they can be used to
flood the dispatcher cache if not implemented correctly.
  For a given page, the dispatcher cache treats each combination of
selectors like a distinct page, therefore caching it separately.
  If the number of selectors is not limited or if arbitrary selectors are
allowed, an attacker is able to quickly fill up the dispatcher cache
resulting in too much load on the CQ instance behind it.
Selector Caching Example
The following requests would all be cached separately by a dispatcher cache:
  Random selectors allowed:
  http://localhost:4502/libs/cq/ui/widgets.cqcon.js
  http://localhost:4502/libs/cq/ui/widgets.whatever.js
  1.3 MB each
  Frequently used ImageServlet with random selectors:
  www.images.com/image1.120x120.jpg
  www.images.com/image1.150x150.jpg
  www.images.com/image1.200x200.jpg
  Multiple Selectors allowed:
  www.images.com/image1.green.red.jpg
  www.images.com/image1.red.green.jpg
  www.images.com/image1.red.green.blue.jpg
Rules for Selectors: Development
The following rules should be applied in the application code:
  Design components so that the allowed selectors are known.
  Do not allow excessive amounts of selectors
  Avoid multiple selectors on a resource except for clearly defined patterns
  Use multiple selectors with a fixed ordering if possible
  Requests with unknown selectors should not be accepted, but should
result in an HTTP response with status other than 200.
  Ideally implemented in Dispatcher filtering
  Also possible to create a Servlet Filter
Rules for Selectors: Configuration
  The following rules should be configured in the dispatcher configuration:
  Only allow selectors that are actually used in the application
  Limit the number of selectors in a URL to the minimum the application needs
  Disable default selectors from CQ.
  .feed.xml
  .infinity.json
Repository Attacks
Attack Vectors
  Place unwanted content on website
  create security holes
  change application to perform further attacks
  Get access to restricted information
  system information such as user information can be used for social engineering
Protect The Content
  In CQ, everything is content
  Content can be manipulated with POST requests, so everything can be
manipulated with POST requests
  This is only prohibited by a correct ACL setup and by a correct dispatcher
configuration.
Repository Attack Details
POST to /content manipulates the CQ instance
  Manipulate the Website
  Create XSS vulnerabilities
  curl --data 'redirectTarget=http://www.cqcon.eu' --user author:author http://localhost:4502/content/geometrixx/en.html/jcr:content
PUT / POST to /apps can install bundles and components
  Takes control of the CQ Instance
  Can be used to attack internal systems in a corporate network
  curl -v -u admin:admin --upload-file malicious-bundle.jar http://localhost/apps/malicious/install/ --header "Content-Type: application/java-archive"
Protect Information
  Only allow outside access to relevant parts of the CRX repository
  Disable default CQ features that expose data
  json extension (also 1..9.json and infinity.json)
  xml extension
  feed.xml
  If you need json or xml for specific URLs, only allow it for specific urls
  JSON data gives information about existing pages and user IDs
  can reveal sensitive information such as pages that have an activatedDate
  if user IDs are known, brute force attacks can be successful
  user ids can contain (or imply) email addresses
  can be used for social engineering
  /home/users.5.json
CQ Out Of the Box Content
  Out-of-the-box, CQ comes with the geometrixx applications
  content
  components
  users
  Before going into production:
  Uninstall package cq-geometrixx-all
  Delete all unused users
  Change the password for ALL out of the box users
  Google for "inurl:/content/geometrixx"
  >17000 hits
  some of them can be accessed with author/author
  author user is part of geometrixx (since CQ 5.5), but still has write access to /content
Access Control
ACL Management in CQ
  Manage ACLs in User Administration
Permissions, Actions and ACLs
  CQ Actions define the rights that can be assigned to a user
  CQ Permissions allow or deny a user to perform an action on a
resource
  For each action and on each resource in the repository, a user can have either
permission state Allow or Deny.
  In Adobe CQ, permissions can be granted through the user
administration UI.
  Under the covers, these permissions are translated into JCR access control
privileges stored in repository nodes.
  This conversion can be quite complex depending on the permissions granted in
the UI.
  For many actions in the UI, specific JCR permissions are set for jcr:content
nodes.
CRX Access Control Properties
  CRXDE displays for a given node the access control entries that are set
specifically for the node in section Access Control List.
  All policies effective on the node (but possibly inherited) are displayed in
section Effective Access Control Policies.
Adobe CQ Actions
Action: Read
  Description: The user is allowed to read the page and any child pages.
  JCR policy properties: allow jcr:read
Action: Modify
  Description: The user can:
  •  modify existing content on the page and on any child pages.
  •  create new paragraphs on the page or on any child page.
  At the JCR level, users can modify a resource by modifying its properties,
  locking, versioning, nt-modifications, and they have complete write permission
  on nodes defining a jcr:content child node, for example cq:Page, nt:file,
  cq:Asset.
  JCR policy properties:
  General: allow jcr:lockManagement, jcr:modifyProperties, jcr:versionManagement
  rep:glob=*/jcr:content*: allow jcr:addChildNodes, jcr:nodeTypeManagement,
  jcr:removeChildNodes, jcr:removeNode
Action: Create
  Description: The user can create a new page or child page.
  If modify is denied, the subtrees below jcr:content are specifically excluded
  because the creation of jcr:content and its child nodes is considered a page
  modification. This only applies to nodes defining a jcr:content child node.
  JCR policy properties:
  General: allow jcr:addChildNodes, jcr:nodeTypeManagement
  rep:glob=*/jcr:content*: deny jcr:addChildNodes, jcr:nodeTypeManagement
Adobe CQ Actions II
Action: Delete
  Description: The user can:
  •  delete existing paragraphs from the page or any child page.
  •  delete a page or child page.
  If modify is denied, any subtrees below jcr:content are specifically excluded,
  as removing jcr:content and its child nodes is considered a page modification.
  This only applies to nodes defining a jcr:content child node.
  JCR policy properties:
  General: allow jcr:removeChildNodes, jcr:removeNode
  rep:glob=*/jcr:content*: deny jcr:removeChildNodes, jcr:removeNode
Action: Read ACL
  Description: The user can read the access control list of the page or child pages.
  JCR policy properties: allow jcr:readAccessControl
Action: Edit ACL
  Description: The user can modify the access control list of the page or any child pages.
  JCR policy properties: allow jcr:modifyAccessControl
Action: Replicate
  Description: The user can replicate content to another environment (for example,
  the Publish environment). The privilege is also applied to any child pages.
  JCR policy properties: allow crx:replicate
ACL Evaluation
  In JCR, access control entries are applied hierarchically: When an entry
is made on a parent resource, it is also valid for all child resources.
  If the same policy property is also set on one of the child nodes, that
entry supersedes the entry on the parent node.
  The policy is then applied for the child node and all of its children (unless they
have in turn superseding entries).
ACL Evaluation II
  Permission properties on user principals always take precedence over
group principals irrespective of their order in the access control list and
their position in the node hierarchy.
  If a user is explicitly denied jcr:read on /content and the user is member of a
group with “allow jcr:read” privilege on /content/foo, the user policy has
precedence and the user is denied jcr:read privilege on /content/foo
  Access rights from multiple group principals are evaluated based on their
order, both within the hierarchy and within a single access control list.
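The precedence rules on this and the previous slide can be checked with a small simulator. The following Python is an added example, not code from the slides and not Jackrabbit's or CQ's implementation: it applies the rules exactly as stated here (entries for the user principal win over group entries wherever they sit; an entry on a child node supersedes an inherited one; nothing applicable means denied) and adds one assumption of its own to break ties between group entries in the same ACL, namely that a later entry overrides an earlier one. The entries, user names, group names and paths are constructed.

```python
"""Simulator of the ACL evaluation rules stated on the slides (added example,
not Jackrabbit's implementation).

Precedence implemented, highest first:
  1. Entries for the user principal itself beat any group entry, wherever they
     sit in the hierarchy or in the access control list.
  2. An entry set on a child node supersedes one inherited from a parent.
  3. Within one node's ACL, a later entry overrides an earlier one (this
     simulator's assumption for breaking ties between groups).
  4. No applicable entry at all: the privilege is denied.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Ace:
    """One access control entry, set on `path` for `principal` (a user or group id)."""
    path: str
    principal: str
    privilege: str
    allow: bool


def covers(ace_path: str, node_path: str) -> bool:
    """True if an entry set on ace_path is inherited by node_path."""
    base = ace_path.rstrip("/")
    return node_path == ace_path or node_path.startswith(base + "/")


def effective_policies(aces: Iterable[Ace], node_path: str) -> List[Ace]:
    """All entries in effect on node_path, set directly or inherited (what CRXDE
    lists under 'Effective Access Control Policies')."""
    return [a for a in aces if covers(a.path, node_path)]


def _depth(path: str) -> int:
    return len(path.rstrip("/").split("/"))


def _resolve(candidates: List[Tuple[int, Ace]]) -> Optional[bool]:
    """Pick the deciding entry: deepest path first, later list position on ties."""
    if not candidates:
        return None
    _, ace = max(candidates, key=lambda c: (_depth(c[1].path), c[0]))
    return ace.allow


def is_permitted(aces: List[Ace], node_path: str, user: str,
                 groups: Set[str], privilege: str) -> bool:
    """Decide whether `user` (member of `groups`) holds `privilege` on node_path."""
    applicable = [(i, a) for i, a in enumerate(aces)
                  if a.privilege == privilege and covers(a.path, node_path)]
    user_decision = _resolve([(i, a) for i, a in applicable if a.principal == user])
    if user_decision is not None:       # rule 1: user entries take precedence
        return user_decision
    group_decision = _resolve([(i, a) for i, a in applicable if a.principal in groups])
    return bool(group_decision)         # rule 4: nothing applicable means denied


# Constructed entries; "alice" and "editors" mirror the slide's /content vs /content/foo case.
ACES = [
    Ace("/content", "everyone", "jcr:read", allow=True),           # everybody reads the site
    Ace("/content/private", "everyone", "jcr:read", allow=False),  # except this subtree
    Ace("/content/private", "editors", "jcr:read", allow=True),    # which editors may read
    Ace("/content", "alice", "jcr:read", allow=False),             # user-level deny
    Ace("/content/foo", "editors", "jcr:read", allow=True),        # group allow on a child
]

if __name__ == "__main__":
    for node, user, groups in [("/content/foo", "alice", {"editors"}),
                               ("/content/foo", "bob", {"editors"}),
                               ("/content/private/page", "bob", {"everyone"})]:
        print(node, user, is_permitted(ACES, node, user, groups, "jcr:read"))
```

The first call reproduces the slide's example: alice is denied jcr:read on /content/foo although her group is allowed there, because the user-level deny on /content outranks the group entry. The third call shows a child entry superseding the inherited allow.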
Impersonate Functionality
  Allows one user to impersonate another user
  Right to impersonate can be configured in user administration
  When impersonating another user, all actions in Adobe CQ are effectively
executed with that user.
  An entry is made in the audit log when the impersonation starts and ends
  Other log files (such as the access log) hold no information that the
logged events occurred under impersonation.
  Repository attributes such as jcr:createdBy will contain the name of the
impersonated user.
Programmatic Access Control
  Adobe CQ provides services and interfaces to manage users and
permissions programmatically.
  Key classes:
  UserManager (org.apache.jackrabbit.api.security.user)
  AccessControlManager (javax.jcr.security)
  Session (javax.jcr)
  UserProperties (com.adobe.granite.security.user)
  Replaces deprecated Profile API
ACL Best Practices
  Use groups to assign permissions rather than users
  You have many more users than groups, so groups simplify the structure.
  Groups help provide an overview of all accounts.
  Inheritance is simpler with groups.
  Users come and go. Groups are long-term.
  Always use Allow statements to specify the access rights of the group
principal (wherever possible). Avoid using a Deny statement.
  Keep it simple
ACL Best Practices II
  We have seen that ACLs are based on content hierarchy and child nodes
inherit permissions.
  As a consequence, security and access requirements should be a main
driver when designing the content structure:
  Managing access should be easy
  Enforcing access control should come for free
  Avoid copying content to containers such as /var/* for temporary
operations or backup purposes.
  Verify a proper permission setup.
Dispatcher Configuration
Dispatcher Filtering Rules
The /filter directive in file dispatcher.any allows specifying the resources that
are served by the dispatcher module. For a given resource, the directives in
section /filter are evaluated from bottom up and the first matching rule is
applied.
Filter directives have the following format:
/0001 { /type "deny" /glob "*" }

  0001 is the unique id of the filter directive.
  The type of an entry can be either allow or deny.
  The glob property specifies a pattern to which the directive applies.
  The glob expression is evaluated against the request line of the HTTP request,
such as:
GET /content/geometrixx-outdoors/en.html HTTP/1.1
Dispatcher Whitelist Approach
To implement the recommended whitelist approach, the first directive
denies all resources:
/filter {
  # Deny everything first and then allow specific entries
  /0001 { /type "deny" /glob "*" }
Based on that first directive, selected resources are allowed in more fine-
grained directives. The following example allows all requests to /content
and all GET requests to css files:
/0023 { /type "allow" /glob "* /content*" }

  # Enable specific mime types in non-public content directories
/0041 { /type "allow" /glob "GET *.css *" }   # enable css
Dispatcher Configuration
  Exact configuration is driven by your application's needs
  Adapt the dispatcher.any to allow as little as required by your application.
Recommended Dispatcher Filtering Rules
  Adobe CQ provides dispatcher.any files for publish and author instances as
part of the dispatcher module
  The following rules are recommended for all CQ publish instances unless
there are substantial requirements from your application to omit them:
/1001 { /type "deny" /glob "* *.xml*" }
/1002 { /type "deny" /glob "GET *.*[0-9].json*" }
/1003 { /type "deny" /glob "GET *.infinity*.json *" }
/1004 { /type "deny" /glob "GET *.feed.*" }
/1005 { /type "deny" /glob "GET *.query.*" }
/1006 { /type "deny" /glob "*.*?*" }

  Particularly ensure:
  Deny ALL access to /libs, /apps, /var and /home
  Allow only GET requests to /etc
Selectors in Dispatcher Configuration
To prevent DoS attacks that fill the dispatcher cache using excessive
selectors, selectors can be generally disallowed. The selectors used in the
application can then be explicitly allowed.
  The following example shows how only selector cqcon.html is enabled:
/0101 { /type "deny" /glob "* /*.*.* *" }
/0102 { /type "allow" /glob "* /content*.cqcon.html*" }

Selectors in Dispatcher Configuration II
The following configuration is slightly less restrictive:
/0101 { /type "deny" /glob "* /*.*.*.* *" }

Here, one (arbitrary) selector is allowed. Still, if the application does not
validate the selectors sent and sends responses with HTTP status 200,
unlimited cache entries can be created.
CQ environments without End User Login
  If a website does not have functionality that is based on the login of an
end user, it is recommended to disable all means of getting an authenticated
session on the CQ dispatcher. For this, the following two rules can be
implemented:
/1010 { /type "deny" /glob "* *sling:authRequestLogin*" }
/1011 { /type "deny" /glob "* *j_security_check*" }

  In addition, HTTP headers authorization and proxy-authorization
should not be included in the /clientheaders section of file
dispatcher.any.
Dispatcher Filter Rules Ordering
1.  Deny all
2.  Allow repository sections you need.
3.  Deny selectors / GET parameters.
4.  Allow special selectors /GET parameters for specific paths as used in
your application.
5.  In the end, ensure that the things that must be closed are closed.
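An ordering like the one above can be checked before it is deployed. The following Python simulator is an added example, not part of the dispatcher module and not from the slides: it evaluates HTTP request lines against the rules quoted on the preceding dispatcher slides, placed in the recommended order (deny all; allow /content and css; deny xml, numbered json, infinity json, feed, query, query strings, login handlers and arbitrary selectors; allow the single cqcon selector). It assumes a glob dialect in which `*` matches any run of characters, `[...]` is a character set and every other character, `?` included, is literal, and it treats "no rule matched" as deny. The request lines are constructed. The last function shows that the slide's `* /content*` rule also admits POST requests to /content, which is why the slides insist on a correct ACL setup and on allowing only the request methods the application needs; the GET-only variant stops such a request at the dispatcher.

```python
"""Simulator for Adobe CQ dispatcher /filter rules (added example, not Adobe's code).

A rule is an (id, type, glob) triple mirroring a dispatcher.any directive such as
  /0001 { /type "deny" /glob "*" }
The glob is matched against the whole HTTP request line, for example
  "GET /content/geometrixx/en.html HTTP/1.1".
"""
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str, str]  # (id, "allow" | "deny", glob)


def glob_to_regex(glob: str) -> str:
    """Translate a dispatcher-style glob into an anchored regular expression.

    Glob dialect assumed by this simulator: '*' matches any run of characters
    (spaces and slashes included), '[...]' is a character set such as [0-9],
    and every other character, '?' included, matches itself literally.
    """
    parts = []
    i = 0
    while i < len(glob):
        ch = glob[i]
        if ch == "*":
            parts.append(".*")
        elif ch == "[" and "]" in glob[i + 1:]:
            end = glob.index("]", i + 1)
            parts.append("[" + glob[i + 1:end] + "]")
            i = end
        else:
            parts.append(re.escape(ch))
        i += 1
    return "^" + "".join(parts) + "$"


def evaluate(rules: List[Rule], request_line: str) -> Tuple[str, Optional[str]]:
    """Return (decision, id of the deciding rule).

    Rules are listed top-down and the last matching one wins, which gives the
    same outcome as the slides' "bottom-up, first match" description. With no
    matching rule at all the request is denied (this simulator's assumption).
    """
    decision, winner = "deny", None
    for rule_id, rule_type, glob in rules:
        if re.match(glob_to_regex(glob), request_line):
            decision, winner = rule_type, rule_id
    return decision, winner


# Rule set assembled from the slides in the recommended ordering.
PUBLISH_RULES: List[Rule] = [
    ("0001", "deny",  "*"),                          # 1. deny everything first
    ("0023", "allow", "* /content*"),                # 2. any method to /content
    ("0041", "allow", "GET *.css *"),                #    css from non-public dirs
    ("1001", "deny",  "* *.xml*"),                   # 3. deny data-exposing extensions,
    ("1002", "deny",  "GET *.*[0-9].json*"),         #    query strings and selectors
    ("1003", "deny",  "GET *.infinity*.json *"),
    ("1004", "deny",  "GET *.feed.*"),
    ("1005", "deny",  "GET *.query.*"),
    ("1006", "deny",  "*.*?*"),                      #    query strings
    ("1010", "deny",  "* *sling:authRequestLogin*"), #    no login on this site
    ("1011", "deny",  "* *j_security_check*"),
    ("0101", "deny",  "* /*.*.* *"),                 #    any selector
    ("0102", "allow", "* /content*.cqcon.html*"),    # 4. the one selector in use
]


def with_get_only_content(rules: List[Rule]) -> List[Rule]:
    """Variant in which /0023 admits GET requests to /content only, so a POST
    that would modify a page is stopped at the dispatcher rather than relying
    on the repository ACLs alone."""
    return [(i, t, "GET /content*" if i == "0023" else g) for i, t, g in rules]


# Constructed request lines used to exercise the rule set.
SAMPLE_REQUESTS = [
    "GET /content/geometrixx/en.html HTTP/1.1",
    "GET /content/geometrixx/en.cqcon.html HTTP/1.1",
    "GET /content/geometrixx/en.whatever.html HTTP/1.1",
    "GET /content/geometrixx/en.infinity.json HTTP/1.1",
    "GET /content/geometrixx/en.html?debug=layout HTTP/1.1",
    "GET /home/users.5.json HTTP/1.1",
    "GET /etc/designs/geometrixx/static.css HTTP/1.1",
    "POST /content/geometrixx/en.html/jcr:content HTTP/1.1",
]


def report(rules: List[Rule], requests=SAMPLE_REQUESTS) -> dict:
    """Map each request line to the decision the rule set reaches for it."""
    return {line: evaluate(rules, line)[0] for line in requests}


if __name__ == "__main__":
    for line, decision in report(PUBLISH_RULES).items():
        print(f"{decision:5s}  {line}")
    print("-- with /0023 restricted to GET --")
    for line, decision in report(with_get_only_content(PUBLISH_RULES)).items():
        print(f"{decision:5s}  {line}")
```

Running it shows the two selector outcomes side by side: en.cqcon.html passes because rule /0102 is the last match, while en.whatever.html is stopped by /0101, exactly the behaviour the selector slides ask for. Swapping the order of /0101 and /0102 in the list would silently disable the selector whitelist, which is the point of the ordering on this slide.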
Summary
Key Points for every CQ installation:
  Uninstall Geometrixx content and users
  Change the passwords of all default users
  Emphasize correct Access Control
  Tighten dispatcher configuration
Questions
What are your questions?
Thank You
CQ Blog: http://cqblog.inside-solutions.ch
AEM 6 DAM - Integrations, Integrations, Integrations
 
JCR, Sling or AEM? Which API should I use and when?
JCR, Sling or AEM? Which API should I use and when?JCR, Sling or AEM? Which API should I use and when?
JCR, Sling or AEM? Which API should I use and when?
 
Build single page applications using AngularJS on AEM
Build single page applications using AngularJS on AEMBuild single page applications using AngularJS on AEM
Build single page applications using AngularJS on AEM
 
SonarQube for AEM
SonarQube for AEMSonarQube for AEM
SonarQube for AEM
 
Presentation daniel takai
Presentation daniel takaiPresentation daniel takai
Presentation daniel takai
 
Presentation thomas simlinger
Presentation thomas simlingerPresentation thomas simlinger
Presentation thomas simlinger
 
five Sling features you should know
five Sling features you should knowfive Sling features you should know
five Sling features you should know
 
Efficient content structures and queries in CRX/CQ
Efficient content structures and queries in CRX/CQEfficient content structures and queries in CRX/CQ
Efficient content structures and queries in CRX/CQ
 
Web, Mobile, App and Back!
Web, Mobile, App and Back!Web, Mobile, App and Back!
Web, Mobile, App and Back!
 
Tighten your Security and Privacy
Tighten your Security and PrivacyTighten your Security and Privacy
Tighten your Security and Privacy
 
THE BREAK-UP - A user interface love story
THE BREAK-UP - A user interface love storyTHE BREAK-UP - A user interface love story
THE BREAK-UP - A user interface love story
 
Integration Testing in AEM
Integration Testing in AEMIntegration Testing in AEM
Integration Testing in AEM
 
Sling Component Filters in CQ5
Sling Component Filters in CQ5 Sling Component Filters in CQ5
Sling Component Filters in CQ5
 
Integrating Backend Systems
Integrating Backend SystemsIntegrating Backend Systems
Integrating Backend Systems
 
Scaling CQ5
Scaling CQ5Scaling CQ5
Scaling CQ5
 
Auto-testing production CQ instances with Muppet
Auto-testing production CQ instances with MuppetAuto-testing production CQ instances with Muppet
Auto-testing production CQ instances with Muppet
 
CQ Maven Methods
CQ Maven MethodsCQ Maven Methods
CQ Maven Methods
 

Recently uploaded

Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxWorkforce Group
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMANIlamathiKannappan
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityEric T. Tung
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLSeo
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayNZSG
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Neil Kimberley
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...rajveerescorts2022
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxAndy Lambert
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...lizamodels9
 
Business Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)-  A new venture conceptBusiness Model Canvas (BMC)-  A new venture concept
Business Model Canvas (BMC)- A new venture conceptP&CO
 
Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Roland Driesen
 
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1kcpayne
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangaloreamitlee9823
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...allensay1
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...daisycvs
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...amitlee9823
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876dlhescort
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756dollysharma2066
 

Recently uploaded (20)

Cracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptxCracking the Cultural Competence Code.pptx
Cracking the Cultural Competence Code.pptx
 
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A  SALESMAN / WOMANA DAY IN THE LIFE OF A  SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRLMONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
 
It will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 MayIt will be International Nurses' Day on 12 May
It will be International Nurses' Day on 12 May
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
👉Chandigarh Call Girls 👉9878799926👉Just Call👉Chandigarh Call Girl In Chandiga...
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptx
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
 
Business Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)-  A new venture conceptBusiness Model Canvas (BMC)-  A new venture concept
Business Model Canvas (BMC)- A new venture concept
 
Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...
 
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
 
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
 
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
 

Configuring CQ Security

• 10. Selectors and DoS
  Selectors are a very helpful utility in Adobe CQ, but they can be used to flood the dispatcher cache if not implemented correctly.
  For a given page, the dispatcher cache treats each combination of selectors as a distinct page and caches it separately.
  If the number of selectors is not limited, or if arbitrary selectors are allowed, an attacker can quickly fill up the dispatcher cache; every uncached request is served by the CQ instance behind it, which then carries the load.
• 11. Selector Caching Example
  The following requests would all be cached separately by a dispatcher cache:
  Random selectors allowed:
    http://localhost:4502/libs/cq/ui/widgets.cqcon.js
    http://localhost:4502/libs/cq/ui/widgets.whatever.js
    (1.3 MB each)
  Frequently used ImageServlet with random selectors:
    www.images.com/image1.120x120.jpg
    www.images.com/image1.150x150.jpg
    www.images.com/image1.200x200.jpg
  Multiple selectors allowed:
    www.images.com/image1.green.red.jpg
    www.images.com/image1.red.green.jpg
    www.images.com/image1.red.green.blue.jpg
• 12. Rules for Selectors: Development
  The following rules should be applied in the application code:
    Design components so that the allowed selectors are known.
    Do not allow excessive numbers of selectors.
    Avoid multiple selectors on a resource except for clearly defined patterns.
    Use multiple selectors with a fixed ordering if possible.
    Requests with unknown selectors should not be accepted; they should result in an HTTP response with a status other than 200.
      Ideally implemented in dispatcher filtering.
      Also possible to create a servlet filter.
• 13. Rules for Selectors: Configuration
  The following rules should be configured in the dispatcher configuration:
    Only allow selectors that are actually used in the application.
    Limit the number of selectors in a URL to the minimum the application accepts.
    Disable the default selectors of CQ, e.g. .feed.xml and .infinity.json.
• 15. Attack Vectors
  Place unwanted content on the website:
    create security holes
    change the application to perform further attacks
  Get access to restricted information:
    system information such as user information can be used for social engineering
• 16. Protect The Content
  In CQ, everything is content.
  Content can be manipulated with POST requests, so everything can be manipulated with POST requests.
  This is only prevented by a correct ACL setup and a correct dispatcher configuration.
• 17. Repository Attack Details
  A POST to /content manipulates the CQ instance:
    manipulate the website
    create XSS vulnerabilities
    curl --data 'redirectTarget=http://www.cqcon.eu' --user author:author http://localhost:4502/content/geometrixx/en.html/jcr:content
  A PUT or POST to /apps can install bundles and components:
    takes control of the CQ instance
    can be used to attack internal systems in a corporate network
    curl -v -u admin:admin --upload-file malicious-bundle.jar http://localhost/apps/malicious/install/ --header "Content-Type: application/java-archive"
• 18. Protect Information
  Only allow outside access to the relevant parts of the CRX repository.
  Disable default CQ features that expose data:
    json extension (also .1.json to .9.json and .infinity.json)
    xml extension
    .feed.xml
  If you need json or xml for specific URLs, allow it only for those URLs.
  Json data gives information about existing pages and user ids:
    it can reveal sensitive information, such as pages that have an activatedDate
    if user ids are known, brute-force attacks can succeed
    user ids can contain (or imply) email addresses, which can be used for social engineering
    example: /home/users.5.json
• 19. CQ Out Of the Box Content
  Out of the box, CQ ships with the Geometrixx sample applications: content, components and users.
  Before going into production:
    uninstall the package cq-geometrixx-all
    delete all unused users
    change the password of ALL out-of-the-box users
  Google for "inurl:/content/geometrixx": more than 17,000 hits, some of which can be accessed with author/author.
  The author user is part of Geometrixx (since CQ 5.5), but still has write access to /content.
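The natural follow-up to the last two slides is to verify from the outside that none of the named exposures is reachable through the dispatcher. The script below is an added example, not code from the slides or from Adobe: it requests the paths the deck names (the /home/users.5.json user listing, the json, feed and xml selectors, /libs, /apps and /var, the Geometrixx sample site, and the sling:authRequestLogin login trigger from the dispatcher section later in the deck) and reports every request that got past the filter. http://publish.example is a placeholder host, and the assumption that a filtered request comes back as 403 or 404 is the script's, not the slides'.

```python
"""Outside-in check of a CQ publish host behind the dispatcher.

Added example for this page, not part of the original slides.  It requests
the paths the slides say must not be reachable from the internet and reports
every one that gets past the dispatcher.  http://publish.example is a
placeholder host; the probe list is assembled from the deck.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Statuses the dispatcher itself returns for a filtered request (assumption:
# 404 by default, 403 in some setups).  Anything else means the request reached
# CQ.  A 404 produced by CQ looks the same, so the audit only reports positive
# evidence of exposure and never proves a path is closed.
BLOCKED = {403, 404}

# (path, what the slides say about it); all paths are constructed for the probe.
PROBES: List[Tuple[str, str]] = [
    ("/home/users.5.json", "user ids readable (slide 18)"),
    ("/content.infinity.json", "infinity.json dump of /content (slides 13, 18)"),
    ("/content.feed.xml", "feed.xml selector reaches CQ (slides 13, 18)"),
    ("/libs/cq/ui/widgets.js", "/libs reachable (slide 36)"),
    ("/apps.1.json", "/apps reachable (slide 36)"),
    ("/var.1.json", "/var reachable (slide 36)"),
    ("/content/geometrixx/en.html", "Geometrixx sample content still installed (slide 19)"),
    ("/content.html?sling:authRequestLogin=1", "login request reaches CQ (slide 39)"),
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a redirect to a login page is itself a finding."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx code


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_status(url: str, timeout: float = 10.0) -> int:
    """GET the URL and return its HTTP status code (3xx and 4xx included)."""
    req = urllib.request.Request(url, headers={"User-Agent": "cq-dispatcher-audit"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(base_url: str, fetch: Callable[[str], int] = http_status) -> List[Dict[str, object]]:
    """Probe every path; return the ones the dispatcher let through, in probe order."""
    findings: List[Dict[str, object]] = []
    for path, note in PROBES:
        status = fetch(base_url.rstrip("/") + path)
        if status not in BLOCKED:
            findings.append({"path": path, "status": status, "note": note})
    return findings


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "http://publish.example"
    for finding in audit(host):
        print(f"{finding['status']}  {finding['path']}  <- {finding['note']}")
```

Run it as `python audit.py https://www.example.com` against the public hostname, not against the CQ port: the point is to exercise the dispatcher rules, and a 200 on /home/users.5.json or on the Geometrixx page means the slides' checklist has not been completed. The `fetch` parameter exists so the decision logic can be exercised offline with a table of canned statuses.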
• 21. ACL Management in CQ
  Manage ACLs in User Administration.
• 22. Permissions, Actions and ACLs
  CQ Actions define the rights that can be assigned to a user.
  CQ Permissions allow or deny a user to perform an action on a resource.
  For each action and each resource in the repository, a user has either the permission state Allow or Deny.
  In Adobe CQ, permissions are granted through the user administration UI.
  Under the covers, these permissions are translated into JCR access control privileges stored in repository nodes.
  This conversion can be quite complex, depending on the permissions granted in the UI.
  For many actions in the UI, specific JCR privileges are set on jcr:content nodes.
• 23. CRX Access Control Properties
  For a given node, CRXDE displays the access control entries that are set specifically on that node in the section Access Control List.
  All policies effective on the node (including inherited ones) are displayed in the section Effective Access Control Policies.
• 24. Adobe CQ Actions
  Each CQ action maps to a set of JCR privileges. Entries marked rep:glob=*/jcr:content* apply only to the jcr:content subtree of the node.

  Action: Read
    Description: The user is allowed to read the page and any child pages.
    JCR policy: allow jcr:read

  Action: Modify
    Description: The user can modify existing content on the page and on any child pages, and create new paragraphs on the page or on any child page. At the JCR level, users can modify a resource by modifying its properties, locking, versioning and node type modifications, and they have complete write permission on nodes defining a jcr:content child node, for example cq:Page, nt:file, cq:Asset.
    JCR policy (general): allow jcr:lockManagement, jcr:modifyProperties, jcr:versionManagement
    JCR policy (rep:glob=*/jcr:content*): allow jcr:addChildNodes, jcr:nodeTypeManagement, jcr:removeChildNodes, jcr:removeNode

  Action: Create
    Description: The user can create a new page or child page. If Modify is denied, the subtrees below jcr:content are specifically excluded, because creating jcr:content and its child nodes is considered a page modification. This only applies to nodes defining a jcr:content child node.
    JCR policy (general): allow jcr:addChildNodes, jcr:nodeTypeManagement
    JCR policy (rep:glob=*/jcr:content*): deny jcr:addChildNodes, jcr:nodeTypeManagement

• 25. Adobe CQ Actions II
  Action: Delete
    Description: The user can delete existing paragraphs from the page or any child page, and delete a page or child page. If Modify is denied, any subtrees below jcr:content are specifically excluded, because removing jcr:content and its child nodes is considered a page modification. This only applies to nodes defining a jcr:content child node.
    JCR policy (general): allow jcr:removeChildNodes, jcr:removeNode
    JCR policy (rep:glob=*/jcr:content*): deny jcr:removeChildNodes, jcr:removeNode

  Action: Read ACL
    Description: The user can read the access control list of the page or child pages.
    JCR policy: allow jcr:readAccessControl

  Action: Edit ACL
    Description: The user can modify the access control list of the page or any child pages.
    JCR policy: allow jcr:modifyAccessControl

  Action: Replicate
    Description: The user can replicate content to another environment (for example, the Publish environment). The privilege is also applied to any child pages.
    JCR policy: allow crx:replicate
• 26. ACL Evaluation
  In JCR, access control entries apply hierarchically: an entry made on a parent resource is also valid for all of its child resources.
  If the same privilege is also set on one of the child nodes, that entry supersedes the entry on the parent node.
  The child's policy then applies to the child node and all of its children (unless they in turn have superseding entries).
• 27. ACL Evaluation II
  Entries for user principals always take precedence over entries for group principals, irrespective of their order in the access control list and their position in the node hierarchy.
  Example: if a user is explicitly denied jcr:read on /content and is a member of a group that is allowed jcr:read on /content/foo, the user entry takes precedence and the user is denied jcr:read on /content/foo.
  Access rights from multiple group principals are evaluated based on their order, both within the hierarchy and within a single access control list.
• 28. Impersonate Functionality
  Allows one user to impersonate another user.
  The right to impersonate can be configured in the user administration.
  When impersonating another user, all actions in Adobe CQ are effectively executed as that user.
  An entry is written to the audit log when the impersonation starts and ends.
  Other log files (such as the access log) hold no information about the fact that impersonation was in effect for the events they record.
  Repository attributes such as jcr:createdBy will contain the name of the impersonated user, not of the person who actually acted.
• 29. Programmatic Access Control
  Adobe CQ provides services and interfaces to manage users and permissions programmatically.
  Key classes:
    UserManager (org.apache.jackrabbit.api.security.user)
    AccessControlManager (javax.jcr.security)
    Session (javax.jcr)
    UserProperties (com.adobe.granite.security.user), which replaces the deprecated Profile API
• 30. ACL Best Practices
  Assign permissions to groups rather than to users:
    You have many more users than groups, so groups simplify the structure.
    Groups provide an overview over all accounts.
    Inheritance is simpler with groups.
    Users come and go; groups are long-term.
  Wherever possible, use Allow statements to specify the access rights of a group principal, and avoid Deny statements.
  Keep it simple.
• 31. ACL Best Practices II
  ACLs are based on the content hierarchy, and child nodes inherit permissions.
  As a consequence, security and access requirements should be a main driver when designing the content structure:
    Managing access should be easy.
    Enforcing access control should come for free.
  Avoid copying content to containers such as /var/* for temporary operations or backup purposes; the copy does not carry the original's ACLs.
  Verify that the permission setup is correct.
• 33. Dispatcher Filtering Rules
  The /filter directive in dispatcher.any specifies which resources the dispatcher module serves.
  For a given request, the directives in the /filter section are evaluated in order and the last matching rule wins; equivalently, reading the section from the bottom up, the first matching rule is applied.
  Filter directives have the following format:
    /0001 { /type "deny" /glob "*" }
  0001 is the unique id of the filter directive.
  The type of an entry is either allow or deny.
  The glob property specifies the pattern the directive applies to.
  The glob expression is evaluated against the request line of the HTTP request, such as:
    GET /content/geometrixx-outdoors/en.html HTTP/1.1
• 34. Dispatcher Whitelist Approach
  To implement the recommended whitelist approach, the first directive denies all resources:
    /filter {
      # Deny everything first and then allow specific entries
      /0001 { /type "deny" /glob "*" }
  Based on that first directive, selected resources are allowed in more fine-grained directives. The following example allows all requests to /content and all GET requests to css files:
      /0023 { /type "allow" /glob "* /content*" }
      # Enable specific mime types in non-public content directories
      /0041 { /type "allow" /glob "GET *.css *" }   # enable css
      ...
    }
• 35. Dispatcher Configuration
  The exact configuration is driven by your application's needs.
  Adapt dispatcher.any to allow as little as your application requires.
• 36. Recommended Dispatcher Filtering Rules
  Adobe CQ provides dispatcher.any files for publish and author instances as part of the dispatcher module.
  The following rules are recommended for all CQ publish instances unless your application has substantial requirements to omit them:
    /1001 { /type "deny" /glob "* *.xml*" }
    /1002 { /type "deny" /glob "GET *.*[0-9].json*" }
    /1003 { /type "deny" /glob "GET *.infinity*.json *" }
    /1004 { /type "deny" /glob "GET *.feed.*" }
    /1005 { /type "deny" /glob "GET *.query.*" }
    /1006 { /type "deny" /glob "*.*?*" }
  In particular, ensure that:
    ALL access to /libs, /apps, /var and /home is denied
    only GET requests to /etc are allowed
• 37. Selectors in Dispatcher Configuration
  To prevent DoS attacks that fill the dispatcher cache with excessive selectors, selectors can be disallowed in general; the selectors the application actually uses are then explicitly allowed.
  The following example enables only the cqcon selector on .html requests below /content:
    /0101 { /type "deny" /glob "* /*.*.* *" }
    /0102 { /type "allow" /glob "* /content*.cqcon.html*" }
• 38. Selectors in Dispatcher Configuration II
  The following configuration is slightly less restrictive:
    /0101 { /type "deny" /glob "* /*.*.*.* *" }
  Here, one arbitrary selector is allowed. Still, if the application does not validate the selectors it receives and answers with HTTP status 200, unlimited cache entries can be created.
• 39. CQ environments without End User Login
  If a website has no functionality based on the login of an end user, it is recommended to disable all means of obtaining an authenticated session through the dispatcher. The following two rules implement this:
    /1010 { /type "deny" /glob "* *sling:authRequestLogin*" }
    /1011 { /type "deny" /glob "* *j_security_check*" }
  In addition, the HTTP headers Authorization and Proxy-Authorization should not be listed in the /clientheaders section of dispatcher.any, so that they are never forwarded to CQ.
• 40. Dispatcher Filter Rules Ordering
  1. Deny all.
  2. Allow the repository sections you need.
  3. Deny selectors and GET parameters.
  4. Allow the special selectors and GET parameters your application uses, for specific paths.
  5. Finally, ensure that everything that must be closed is closed.
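Because the last matching rule wins, the order of slide 40 is what makes the rules of slides 34, 36, 37 and 39 work together, and a mistake in it is invisible until a request is traced through. The model below is an added example, not Adobe's dispatcher code: it loads those rules in the slide 40 order and evaluates constructed request lines the way the slides describe (top to bottom, last match wins). The glob matching is Python's fnmatch, where `*` matches any run of characters and `[0-9]` one digit, which is all these rules rely on; the slide 36 query-string rule /1006 is left out of the model, and the default of "deny when nothing matches" is the model's assumption (the slides' rule sets always begin with a catch-all deny, so it is never reached).

```python
"""Model of how the dispatcher's /filter section decides a request.

Added example for this page, not Adobe's dispatcher implementation.  It
reproduces the evaluation the slides describe (rules checked top to bottom,
the last match wins) with Python's fnmatch as the glob matcher.
"""
import fnmatch
from typing import Iterable, List, Optional, Tuple

Rule = Tuple[str, str, str]  # (id, "allow" | "deny", glob)

# Rules from slides 34, 36, 37 and 39, in the order slide 40 prescribes:
# deny all, allow the needed section, deny selectors, allow the one selector
# the application uses, then the hardening rules that must win over the rest.
# Slide 36's /1006 query-string rule is not modelled here (assumption).
DISPATCHER_RULES: List[Rule] = [
    ("0001", "deny",  "*"),
    ("0023", "allow", "* /content*"),
    ("0101", "deny",  "* /*.*.* *"),               # any selector at all
    ("0102", "allow", "* /content*.cqcon.html*"),  # the one selector the app uses
    ("1001", "deny",  "* *.xml*"),
    ("1002", "deny",  "GET *.*[0-9].json*"),
    ("1003", "deny",  "GET *.infinity*.json *"),
    ("1004", "deny",  "GET *.feed.*"),
    ("1005", "deny",  "GET *.query.*"),
    ("1010", "deny",  "* *sling:authRequestLogin*"),
    ("1011", "deny",  "* *j_security_check*"),
]


def evaluate(request_line: str,
             rules: Iterable[Rule] = DISPATCHER_RULES) -> Tuple[str, Optional[str]]:
    """Return (decision, id of the rule that decided it) for one request line.

    Every rule is tested against the whole request line; a later match
    overrides an earlier one, which is the same as reading the section
    bottom-up and stopping at the first match.  With no match at all the
    request is treated as denied (assumption; never reached with rule 0001).
    """
    decision: str = "deny"
    winner: Optional[str] = None
    for rule_id, rule_type, glob in rules:
        if fnmatch.fnmatchcase(request_line, glob):
            decision, winner = rule_type, rule_id
    return decision, winner


# Constructed request lines covering the cases discussed on the slides.
SAMPLE_REQUESTS: List[str] = [
    "GET /content/geometrixx/en.html HTTP/1.1",                      # plain page
    "GET /content/geometrixx/en.cqcon.html HTTP/1.1",                # whitelisted selector
    "GET /content/geometrixx/en.whatever.html HTTP/1.1",             # unknown selector (slide 11)
    "GET /content/geometrixx/en.cqcon.html.infinity.json HTTP/1.1",  # /0102's trailing * lets this in
    "GET /home/users.5.json HTTP/1.1",                               # user ids (slide 18)
    "GET /libs/cq/ui/widgets.cqcon.js HTTP/1.1",                     # /libs (slides 11, 36)
    "POST /content/geometrixx/en/jcr:content HTTP/1.1",              # slide 17's POST
    "GET /content/geometrixx/en.html?sling:authRequestLogin=1 HTTP/1.1",
]


def decide_all(request_lines: Iterable[str] = SAMPLE_REQUESTS
               ) -> List[Tuple[str, str, Optional[str]]]:
    """Evaluate several request lines; returns (request line, decision, rule id)."""
    return [(line,) + evaluate(line) for line in request_lines]


if __name__ == "__main__":
    for line, decision, rule_id in decide_all():
        print(f"{decision:5s} by /{rule_id}  {line}")
```

Two of the sample results are the ones worth reading off. The `.cqcon.html.infinity.json` request is allowed by /0102, whose trailing `*` matches anything after `.cqcon.html`, and is only stopped because /1003 comes later: that is step 5 of slide 40 in action, and moving /1003 above /0102 would silently reopen the hole. The POST to /content/geometrixx/en/jcr:content passes the filter on /0023, so with this rule set the slide 17 manipulation is stopped only by the repository ACLs, exactly the dependency slide 16 states.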
• 41. Summary
  Key points for every CQ installation:
    Uninstall Geometrixx content and users.
    Change the default users' passwords.
    Emphasize correct access control.
    Tighten the dispatcher configuration.
• 43. Thank You
  CQ Blog: http://cqblog.inside-solutions.ch