Category Archives: CMS

AEM Security: How to secure the AEM application?

Overview

Every development team working with Adobe Experience Manager (AEM) follows a set of security practices. Most of them are straightforward and are recommended by Adobe as best practices; however, there are many other security issues of equal importance.

So, let's begin with how to secure your application by putting the right rules in place in your AEM environment.

All other recommendations from the Open Web Application Security Project (OWASP) should be applied as well. The recommendations below are specific to the AEM technology and AEM infrastructure.

There are many problems that are unknown to the AEM solution provider and that put the whole thing at risk. I would like to state one example here to showcase the security problems in AEM.

Use the Google query below to find out whether your author instance is indexed by Google. I have used a very basic query. Try it; you would be surprised to see how many author instances are open to exploits. You might be wondering how to log in to those authors. That is fairly easy once you know who has authored the pages.

Google Query: inurl:aemauthor

AEM Author Security:

First and foremost, make sure your AEM author instance isn't searchable by search engines and is not accessible from outside the intranet without a VPN. Follow the author security guidelines below:

  • Keep a robots.txt for all your domains, including the authoring environment, and make sure Google does not index the author domain.
  • Enable HTTPS on AEM Author.
  • Change the admin password on every AEM instance (i.e. server).
  • Create groups for assigning access and follow the least-privilege principle: instead of denying on many hierarchies, just allow what each group needs.
  • Create a separate replication user for the replication agent configuration. Admin should never be used for replication anywhere.
  • Limit the number of users in admin groups.
  • WebDAV, CRX Explorer and CRXDE on the production author should be disabled or limited to certain users.

AEM Publish Security

As with AEM author, publish instances should not be directly accessible from outside the intranet, and connections to web servers, author etc. should be internal connections. The most important thing in publish security is handling request inputs and using proper request sessions. Serving requests with an admin session or another privileged user is a big problem.

If you have to read some data that the anonymous user does not have permission to, avoid using an admin session. Have a dedicated user that reads/writes the content for those requests. Follow the other guidelines below for AEM Publish security:

  • Anonymous permissions should be checked; make sure not every directory is accessible to the anonymous user. Even under /etc/designs and the cloud services configurations, there should be a proper permission setup.
  • The Apache Sling Referrer Filter must be configured to reject unwanted publish requests.
  • The cross-site request forgery (CSRF) protection framework should be enabled to filter requests.
  • All default tools (CRX Explorer, CRXDE, WebDAV etc.) should be disabled.
  • No one should be able to access the publish server directly, nor install packages on it directly.
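The admin-session point above in working code, as an added example that is not from the original post: a publish-side component that reads content the anonymous user cannot see through a dedicated read-only service user instead of an admin resolver. The class, the subservice name "readProtectedContent" and the use of OSGi DS annotations are assumptions; the subservice must be mapped to a system user in the Apache Sling Service User Mapper configuration.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

// Reads content the anonymous user may not see, using a dedicated read-only
// service user instead of an admin session. "readProtectedContent" is an assumed
// subservice name; it must be mapped to a system user in the "Apache Sling
// Service User Mapper Service" OSGi configuration (bundle:subservice=systemUser).
@Component(service = ProtectedContentReader.class)
public class ProtectedContentReader {

    private static final String SUBSERVICE = "readProtectedContent"; // assumed name

    @Reference
    private ResourceResolverFactory resolverFactory;

    // Returns jcr:title of the node at path, or null when the node is absent or
    // the service user has no read permission on it (both look the same to Sling).
    public String readTitle(String path) {
        Map<String, Object> auth = new HashMap<>();
        auth.put(ResourceResolverFactory.SUBSERVICE, SUBSERVICE);

        // try-with-resources closes the resolver; a leaked resolver keeps the
        // underlying JCR session open and eventually exhausts the repository.
        try (ResourceResolver resolver = resolverFactory.getServiceResourceResolver(auth)) {
            Resource res = resolver.getResource(path);
            if (res == null) {
                return null;
            }
            return res.getValueMap().get("jcr:title", String.class);
        } catch (LoginException e) {
            // No mapping or a disabled system user: fail closed rather than falling
            // back to getAdministrativeResourceResolver(), which is what this replaces.
            throw new IllegalStateException("No service user mapped for " + SUBSERVICE, e);
        }
    }
}
```

Grant the mapped system user read access only on the paths it needs; if readTitle() returns null for a path that exists, the permission setup, not the code, is what to check.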

Dispatcher security

When anyone thinks of AEM security, most of us think only of the rules and filters in the dispatcher.any configuration file. But there are many more cases where things get ugly if you have not taken care of security:

  • Do not configure a dispatcher flush agent on the AEM author. If it is enabled anyway, flush the cache over HTTPS; otherwise the author flush agent exposes your web server IP and credentials.
  • Limit the request header information. Request headers are passed in every request to AEM publish based on the dispatcher configuration.
  • Do not allow cross-origin requests. Set the same-origin header at the web server level.
  • Proper input validation should be done on POST requests, and the dispatcher filter should allow only certain POST requests.
  • Caching of selectors and URL extensions should be defined explicitly. Not every selector or extension should be cacheable; otherwise DoS or DDoS attacks are very easy to carry out against an AEM application.
  • Website URLs should not expose internal directories.

Final thought

We have to secure the infrastructure as well as the important environments. Once you have a secured author, a secured publish and a proper dispatcher configuration, you stand a better chance of protecting your application. Application security is another aspect; follow the links below for Adobe's recommendations.

CyberSecurity: Hackers complaint about other hackers sites

There is a competition going on between hackers over how one beats another. Google has noticed that many requests are coming in to block a site and remove it from search results.

The cyber-gangs are claiming that pirate game sites use digital rights management (DRM) breaking tools, which allow them to circumvent technologies designed to restrict the use of proprietary hardware and copyrighted works.

Digital rights management (DRM) is a systematic approach to copyright protection for digital media. The purpose of DRM is to prevent unauthorized redistribution of digital media and restrict the ways consumers can copy content they’ve purchased.

Normally, when Google gets a copyright complaint it delists the site but still allows the site's owner to contest the removal through the process defined in Section 512 of the DMCA; but when Google receives complaints about DRM-breaking tools, it removes the accused site and offers no appeal process.

What Is a DMCA Notice? And Can it Help Me?

Since the internet began, people have uploaded over a billion gigabytes of digital content. That includes music, movies, games, and much more. What protects content creators when someone violates copyright laws and posts their work online without their consent? In the United States, it is the DMCA. Provisions of the DMCA protect content creators and owners from copyright violators by providing a process anyone can use to have legally protected work removed from a website.

Android Security: Google fixes RCE vulnerabilities in Dec release

Abstract

The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

The full details and the fixed vulnerabilities are in the bulletin:

https://source.android.com/security/bulletin/2018-12-01

AEM Solution: How to create an AEM Custom global object?

Overview

As an AEM developer, you know that there is a set of global objects available in AEM at the view layer, whether you use JSP or the newer template framework (HTL). The most common global objects are currentPage, the current resource, the current design object etc.

This set of objects is initialized by the AEM application by default and is available for use in every component.

Do you really need custom object?

Given the architecture of AEM and the Sling framework's resource resolution, there are situations where you need your own custom object to be available across the application's components, just like the global objects.

Consider a multi-brand site where some brand-specific information (objects, JSON etc.) should be available at each brand's application level. That means the object must be available in every component.

General Solution

The general practice is to have a common bean/Use class that gets initialized at each component level. Performance-wise, initializing a bean in every component isn't that bad, because most of the content gets cached. However, it is an issue when you obtain that information/object through a service: you can't make a web service call from every component. You could still do that, but as an architect or developer you have an alternative. So let's see the alternative solution.

Alternative Solution

The alternative solution is pretty simple: just like any other AEM global object, make your custom object available in every component by default, with no per-component initialization. Makes sense? Let's see the steps to create a global custom object.

  • Create a new class with an appropriate name (hard to find an appropriate name, but try).
  • Make sure the new class is registered as a component in the OSGi console.
  • The Sling framework provides the interface BindingsValuesProvider. Implement this interface; it provides the addBindings(Bindings bindings) method.
  • The Bindings parameter works like a map: put a key and value in it, for instance bindings.put("myObject", "valueOfCustomObject");
  • Now "myObject" can be used as a global variable anywhere in the components.

Sample src Code

# CustomGlobalObject
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.scripting.api.BindingsValuesProvider;
import javax.script.Bindings;

// Registered as an OSGi service of type BindingsValuesProvider, so Sling calls
// addBindings() before every script is evaluated and "mylist" becomes a global.
@Component
@Service(BindingsValuesProvider.class)
public class CustomGlobalObject implements BindingsValuesProvider {
    @Reference
    private IMyService iMyService;

    @Override
    public void addBindings(Bindings bindings) {
        // The key is the variable name used in the HTL/JSP script.
        bindings.put("mylist", iMyService.getGlobalObject());
    }
}
# Service Interface
import java.util.List;

public interface IMyService {
    List<String> getGlobalObject();
}
# Service Interface implementation
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Service;
import java.util.ArrayList;
import java.util.List;

@Component
@Service(IMyService.class)
public class MyService implements IMyService {
    @Override
    public List<String> getGlobalObject() {
        // In practice this would come from a backend call; static values for the example.
        List<String> list = new ArrayList<>();
        list.add("a"); list.add("b"); list.add("c");
        return list;
    }
}
# Entry in Sightly HTML component
Custom object: ${mylist}
#Output
Custom object: a,b,c

Final Thought: 

There could be other good solutions to the problem I described in this post. I would love to hear other ideas, so don't hesitate to share your thoughts in the comment section. For any doubt or question, leave a comment; we will do our best to answer. Thanks in advance.


AEM Solution: How to get OSGI Service object in POJO?

Overview

In AEM, the OSGi container supports dependency injection, which means one OSGi service can be injected into another service using the @Reference annotation. Dependency injection is a well-known design pattern. In this post I would like to explain the ways to get a reference to an OSGi service.

Problems/Scenarios

As you know, in some cases you are not able to get the object using the @Reference annotation. Basically, the OSGi container does not perform injection into classes that are not OSGi components (plain POJOs).

This happens when you have a class that is not registered as an OSGi component and service. In such cases you are left with the following options: get the service object through a parameter to your class, or get the service object through the Sling request object. In a Sightly (HTL) Use class, referencing services is possible directly.

Solutions

Here is an example of how to get a service object through the Sling request object.

// Fetching the service reference from the request object.
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.scripting.SlingBindings;
import org.apache.sling.api.scripting.SlingScriptHelper;

public class Example {
    // YouServiceReference stands for whatever OSGi service interface you need.
    public YouServiceReference getYouServiceReference(SlingHttpServletRequest request) {
        // The script bindings are stored as a request attribute by the Sling scripting engine.
        final SlingBindings bindings = (SlingBindings) request.getAttribute(SlingBindings.class.getName());
        SlingScriptHelper slingScriptHelper = bindings.getSling();
        return slingScriptHelper.getService(YouServiceReference.class);
    }
}
# With Sightly POJO
import com.adobe.cq.sightly.WCMUsePojo;

public class Example extends WCMUsePojo {
    private YouServiceReference service;
    @Override
    public void activate() throws Exception {
        // The Use class already carries the script bindings, so no request parameter is needed.
        service = getSlingScriptHelper().getService(YouServiceReference.class);
    }
    public YouServiceReference getYouServiceReference() {
        return service;
    }
}