GitHub - apache/sling-org-apache-sling-security: Apache Sling Security


Apache Sling Security

This module is part of the Apache Sling project.

The Apache Sling Security module provides CSRF protection through a filter that checks the referrer, and a content disposition filter. The OSGi bundle can also be used standalone outside of Apache Sling; in that case only the referrer check is available, because the content disposition filter depends on the Apache Sling framework.

Referrer Filter (CSRF Protection)

Configuring the Apache Sling Referrer Filter means providing an OSGi configuration that controls which referrers may send state-changing requests to your application. The main options are shown below.

Sample Configuration

The filter can be configured through an OSGi configuration for the PID org.apache.sling.security.impl.ReferrerFilter. This is a sample configuration in JSON format:

{
    "allow.empty": false,
    "allow.hosts": ["mysite.com", "localhost"],
    "allow.hosts.regexp": [],
    "filter.methods": ["POST", "PUT", "DELETE", "COPY", "MOVE"],
    "exclude.agents.regexp": [],
    "exclude.paths": []
}

In addition, the configuration can be amended by further OSGi factory configurations for the factory PID org.apache.sling.security.impl.ReferrerFilterAmendmentImpl; each amendment contributes extra entries to the allow and exclude lists. This is a sample amendment configuration in JSON format:

{
    "allow.hosts": ["mysite.com", "localhost"],
    "allow.hosts.regexp": [],
    "exclude.agents.regexp": [],
    "exclude.paths": []
}
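To make the effect of these keys concrete, here is an added Python model of the decision the referrer filter makes for one request, covering both the base configuration and an amendment merged into it. This is illustrative code written for this page, not the bundle's own implementation; the regexp, excluded path and excluded agent values are constructed, and treating the Origin header as preferred over Referer and exclude.paths as exact paths are assumptions of the model.

```python
import re
from urllib.parse import urlsplit

# Constructed configuration: the README's sample ReferrerFilter values with one
# amendment (ReferrerFilterAmendmentImpl) merged in. The regexp, excluded path
# and excluded agent entries are made up for this example.
CONFIG = {
    "allow.empty": False,
    "allow.hosts": ["mysite.com", "localhost"],
    "allow.hosts.regexp": [r".*\.mysite\.com"],     # constructed amendment entry
    "filter.methods": ["POST", "PUT", "DELETE", "COPY", "MOVE"],
    "exclude.agents.regexp": [r"^curl/"],           # constructed amendment entry
    "exclude.paths": ["/system/health"],            # constructed amendment entry
}


def referrer_host(referrer):
    """Return the host part of a Referer/Origin value, or None if unparsable."""
    try:
        return urlsplit(referrer).hostname
    except ValueError:
        return None


def is_request_allowed(method, path, headers, config=CONFIG):
    """Model of the referrer check: True if the request may proceed."""
    # Only the configured (state-changing) methods are filtered at all.
    if method.upper() not in config["filter.methods"]:
        return True
    # Excluded paths (assumed exact) and excluded user agents bypass the check.
    if path in config["exclude.paths"]:
        return True
    agent = headers.get("User-Agent", "")
    if any(re.search(p, agent) for p in config["exclude.agents.regexp"]):
        return True
    # Assumption of this model: Origin is consulted before Referer.
    referrer = headers.get("Origin") or headers.get("Referer") or ""
    if not referrer:
        return config["allow.empty"]   # missing referrer is rejected unless allowed
    host = referrer_host(referrer)
    if host is None:
        return False
    if host in config["allow.hosts"]:
        return True
    return any(re.fullmatch(p, host) for p in config["allow.hosts.regexp"])
```

A GET passes untouched, a POST without any referrer is rejected because allow.empty is false, and a POST from a host outside the allow lists is rejected regardless of the path it targets (unless that path or the agent is excluded).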