Secure by Default Web Applications with Apache Sling

•

0 likes•801 views

The document summarizes a presentation about securing web applications using Apache Sling. The presentation covers an introduction to Apache Sling, a demo of an application, threat modeling of the application's assets and risks, how Apache Sling addresses security through natural access controls and injection-safe APIs, a demo of the secure application, and conclusions about building securely by default and Apache Sling's extensibility.

Technology

http://robert.muntea.nu @rombert
Secure by Default Web Applications With Apache Sling
Secure by Default Web Applications With Apache Sling
Robert Munteanu, Adobe Systems
Bucharest Technology Week 2016

http://robert.muntea.nu @rombert
Who I am

$DAYJOB

Adobe Experience
Manager
 Apache Sling
 Apache Jackrabbit
 Apache Felix

Open Source

Apache Sling

MantisBT

Mylyn Connector for
MantisBT

Mylyn Connector for Review
Board

http://robert.muntea.nu @rombert
Purpose of the talk
Scope
Cost Schedule

http://robert.muntea.nu @rombert
Agenda
●
Apache Sling
●
Demo application review
●
Threat model
●
Security with Apache Sling
●
Demo
●
Conclusion
●
Q&A

http://robert.muntea.nu @rombert
Apache Sling – Brief History
2007
Incubation
2009
TLP
2015
Version 8
200x
Pre-Apache

http://robert.muntea.nu @rombert
Apache Sling – Code Statistics

http://robert.muntea.nu @rombert
Apache Sling – Contributor activity

http://robert.muntea.nu @rombert
Apache Sling – Value proposition
●
Content-oriented
●
RESTful
●
Lightweight
●
Integrated authentication and authorization
●
OSGi-powered
●
Scripting inside
●
Easily deployable

http://robert.muntea.nu @rombert
Apache Sling – Content-Oriented
Blog posts
Images
Users and Groups

http://robert.muntea.nu @rombert
Apache Sling – Content-Oriented
Server-side templates and
scripts
Configurations

http://robert.muntea.nu @rombert
Apache Sling – RESTful
$ http localhost:8080/content/↵
blog/posts/hello_world.html
json
xml
txt
pdf
php3

http://robert.muntea.nu @rombert
Apache Sling – RESTful

http://robert.muntea.nu @rombert
Apache Sling – Persistence via JCR

http://robert.muntea.nu @rombert
Apache Sling – Topologies
Standalone High Availability

http://robert.muntea.nu @rombert
Demo App – main page

http://robert.muntea.nu @rombert
Demo App – Article Page

http://robert.muntea.nu @rombert
Demo App – Submitting comments

http://robert.muntea.nu @rombert
Threat modelling
“Threat modeling is an engineering technique you
can use to help you identify threats, attacks,
vulnerabilities, and countermeasures that could
affect your application”
Threat Modeling Web Applications on MSDN

http://robert.muntea.nu @rombert
Threat Modelling - Assets

http://robert.muntea.nu @rombert
Threat Modelling - Assets
●
Availability
●
Content
●
User Credentials
●
Ability to execute code on server
●
Ability to execute code in the browser context

http://robert.muntea.nu @rombert
Threat Modelling - Trust Levels

http://robert.muntea.nu @rombert
Threat Modelling - Trust Levels
1. Anonymous
2. Author
3. Administrator

http://robert.muntea.nu @rombert
Threat Modelling - Threats
OWASP

http://robert.muntea.nu @rombert
Threat Modelling - Threats
1. Denial of Service
2. Defacement / Deletion
3. Leaking credentials
4. SQL/Shell Injection
5. Stored/Reflected XSS

http://robert.muntea.nu @rombert
Threat Modelling - Mitigation

http://robert.muntea.nu @rombert
Apache Sling Security – Natural layering of ACEs

http://robert.muntea.nu @rombert
Apache Sling Security – Security applied at the lowest level
$ http --auth bob:bob
localhost:8080/content/blog/posts/n
ew_blog_post 'jcr:title=New post'

http://robert.muntea.nu @rombert
Apache Sling Security – Injection-safe APIs
Children of
/content/blog/posts

http://robert.muntea.nu @rombert
Apache Sling Security – Injection-safe APIs
Children of
/content/blog/comments/
hello_world

http://robert.muntea.nu @rombert
Demo Application – Actual demo!!!!1oneone

http://robert.muntea.nu @rombert
Conclusions – Security
●
Aim to be “Secure by Default”
●
Build a threat model for your application
●
Look for components that eliminate problems
altogether

http://robert.muntea.nu @rombert
Conclusions – Apache Sling
●
Simple to be “Secure by Default”
●
Eventing, Thread Pooling, Job Management,
Caching
●
Scripting: Groovy, Scala, JSP, Sightly, Java, Ruby,
Thymeleaf
●
Flexible resource rendering with resource types
●
Very extensible due to being internally powered by
OSGi – most extension points available to clients

http://robert.muntea.nu @rombert
Resources
●
Apache Sling – https://sling.apache.org
●
Apache Jackrabbit
●
https://jackrabbit.apache.org
●
http://jackrabbit.apache.org/oak/
●
OWASP - https://www.owasp.org
●
https://www.owasp.org/index.php/OWASP_Top_Ten
_Cheat_Sheet
●
https://www.owasp.org/index.php/Application_Thre
at_Modeling

What's hot

Introduction To ICT Security Audit OWASP Day Malaysia 2011

Linuxmalaysia Malaysia

All Aboard The Stateful Train

SmartLogic

Beat the Tsunami with a WAVE

Patrick Dunphy

In the ”Internet of Things” (IoT) vision the physical world blends with virtual one, while machine-to-machine interaction improve our daily life. Clearly, how these virtual objects are exposed to us is critical, so that their user interface must be designed to support the easiness of usage that is driven by the users’ needs, which is different from what machines requires. These two requirements must be solved, and an integrated solution should emerge, if we want to bring the IoT to the 50 billions network that is predicted to became in the next years.

Exposing M2M to the REST of us

Matteo Collina

Collaborative communication

Icinga

Android component programming

Nhan Cao

Riak at Posterous

capotej

The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...

DroidConTLV

Building Web APIs with Elixir

Tom Davies

Live Coverage at The New York Times

Scott Taylor

Varying vagrant vagrants

Duong Ngo Thai

Man in the Binder - Michael Shalyt & Idan Revivo, CheckPoint

DroidConTLV

Flutter For Web: An Intro

Fahad Murtaza

The year is 2019 and New York City has a very large public wifi and cellular network on the subway platforms and stations, however, it's all manually configured and maintained. This means we have carte blanche control over what and how we automate it. This talks aims to describe what it takes to bring automation to a network with over 15,000 devices and millions of daily users, including all of the pitfalls that came with it.

AnsibleFest 2019 - Greenfielding Network and Systems Automation in a Large an...

Logan Best

Building Web Apps in Ratpack

Daniel Woods

BarCamp CR 2014 - Python para web

barcampcr

Ratpack Web Framework

Daniel Woods

Laravel PHP, the PHP Framework For Web Artisans is one of the most popular PHP frameworks out there and used by millions of PHP programmers. This presentation was done during the Bahrain Web Tech Laravel workshop the 2nd of May 2017. It was intended as a general introduction and demo. But also for fellow developers to get together and exchange ideas on Laravel, strut their stuff, find partnerships. Link to the demo details in a blogpost was added and here once more: https://goo.gl/UnsVuH

Laravel workshop

Jasper Frumau

Realtime MVC with Sails.js

Serdar Dogruyol

What's hot (19)

Introduction To ICT Security Audit OWASP Day Malaysia 2011

All Aboard The Stateful Train

Beat the Tsunami with a WAVE

Exposing M2M to the REST of us

Collaborative communication

Android component programming

Riak at Posterous

The Rounds Project: Growing from thousands to millions - Berry Ventura & Yoah...

Building Web APIs with Elixir

Live Coverage at The New York Times

Varying vagrant vagrants

Man in the Binder - Michael Shalyt & Idan Revivo, CheckPoint

Flutter For Web: An Intro

AnsibleFest 2019 - Greenfielding Network and Systems Automation in a Large an...

Building Web Apps in Ratpack

BarCamp CR 2014 - Python para web

Ratpack Web Framework

Laravel workshop

Realtime MVC with Sails.js

Similar to Secure by Default Web Applications with Apache Sling

Tdd Primer

Robert Munteanu

Technology First 16th Annual Ohio Information Security Conference OISC 2019 #OISC19 The OWASP Top 10 & AppSec Primer By Matt Scheurer (@c3rkah) Dayton, Ohio Date: 03/13/2019 Abstract: Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP). Bio: Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).

OISC 2019 - The OWASP Top 10 & AppSec Primer

ThreatReel Podcast

AppSec & OWASP Top 10 Primer By Matt Scheurer (@c3rkah) Cincinnati, Ohio Date: 03/21/2019 Momentum Developer Conference Sharonville Convention Center #momentumdevcon Abstract: Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP). Bio: Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).

AppSec & OWASP Top 10 Primer

ThreatReel Podcast

Demystify Information Security & Threats for Data-Driven Platforms With Cheta...

Chetan Khatri

With exponential growth of internet usage and impact it has for our lives nowadays the importance of security becomes extremely more and more valuable, especially if we take into account number of users with closed to zero experience in IT and with limited knowledge in security. That means we’re as engineers who create modern applications should take responsibility to make them more robust and secure. In this talk I’m going to explore security topic for broader developers audience and share simple but yet useful strategies, tactics and techniques to help to make applications we create more secure.

Web Security... Level Up

Izzet Mustafaiev

By now you’ve bought into the idea of using APIs to integrate cloud, mobile devices and the enterprise. But are building safe APIs? One insecure API can increase your organization’s risk profile exponentially. Securing APIs is not like securing the web—a point lost on many developers coming from a web-centric background. Learn what good practices to put in place and the common security anti-patterns you must avoid to ensure your company’s APIs are reliable, safe and secure. You will learn: • The top ways hackers exploit APIs in the wild • Common identity pitfalls and how to avoid them • Why OAuth scopes are essential to master • How to keep web developers from bringing bad habits with them

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...

CA API Management

sts-scanner_tutorial

tutorialsruby

sts-scanner_tutorial

tutorialsruby

When performing security assessments or participating in bug bounties, there is generally a methodology you follow when assessing source-code or performing dynamic analysis. This involves using tools, reviewing results and understanding what you should be testing for. Reviewing modern web applications can be quite challenging, and this talk will go into details on how we can automate the boring (but necessary parts) and how to set a roadmap of what should be focused on when dealing with modern JavaScript applications.

Manual JavaScript Analysis Is A Bug

Lewis Ardern

TriplePlay-WebAppPenTestingTools

Yury Chemerkin

Ruby on Rails Penetration Testing

3S Labs

The 3 Top Techniques for Web Security Testing Using a Proxy

TEST Huddle

OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem

OWASP

Don't screw it up! How to build durable API

Alessandro Cinelli (cirpo)

AppSec & OWASP Primer By Matt Scheurer (@c3rkah) Cincinnati, Ohio Date: 09/17/2019 Cincinnati Tri-State (ISC)2 Chapter September Meeting Abstract: Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP). Bio: Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG), an Ambassador for Bugcrowd, and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.

ISC2: AppSec & OWASP Primer

ThreatReel Podcast

DMA - Stupid Cyber Criminal Tricks

ThreatReel Podcast

Web security

kareem zock

Frontend Monoliths: Run if you can!

Jonas Bandi

Computer security

Mohamed Abdo

These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the Ohio Information Security Forum (OISF) Anniversary Conference on 07/14/2018 in Dayton, Ohio. Title: Active Defense - Helping threat actors hack themselves! Abstract: Have you ever received one of those data breach notification letters in the mail? The short-term amends provided for having your personal data compromised is typically in the form of free short-term credit monitoring services. An entire Information Security industry segment has sprung up around Data Loss Prevention (DLP) aimed at stopping confidential data from being "leaked" out of an organization's boundaries for unauthorized use. What if the data breach perpetrators got a healthy dose of their own medicine instead of your private data? We cannot "hack back" legally today, but perhaps we can lure these malicious threat actors into actually hacking themselves... This presentation covers "Active Defense" techniques designed to frustrate data bandits attempting to steal and ex-filtrate our data. The focus of this presentation is on actively defending a live public facing website. We begin by covering methods to shield innocent users by protecting them from our active defenses. We take advantage of malicious visitor’s impulse to evade all the rules by setting traps designed to ensnare those attempting to steal our data. The techniques covered involve faking accidental exposure and baiting traps using fictitious files and data too irresistible for cyber thieves to ignore. I then demonstrate deployable techniques used to fight back without launching a single attack.

OISF Aniversary: Active Defense - Helping threat actors hack themselves!

ThreatReel Podcast

Similar to Secure by Default Web Applications with Apache Sling (20)

Tdd Primer

OISC 2019 - The OWASP Top 10 & AppSec Primer

AppSec & OWASP Top 10 Primer

Demystify Information Security & Threats for Data-Driven Platforms With Cheta...

Web Security... Level Up

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...

sts-scanner_tutorial

Manual JavaScript Analysis Is A Bug

TriplePlay-WebAppPenTestingTools

Ruby on Rails Penetration Testing

The 3 Top Techniques for Web Security Testing Using a Proxy

OWASP Poland Day 2018 - Andrzej Dyjak - Zero Trust Theorem

Don't screw it up! How to build durable API

ISC2: AppSec & OWASP Primer

DMA - Stupid Cyber Criminal Tricks

Web security

Frontend Monoliths: Run if you can!

Computer security

OISF Aniversary: Active Defense - Helping threat actors hack themselves!

More from Robert Munteanu

A product that works is not done, as there are many facets to consider - availability, scalability, security. Of those, security is probably the most costly to get wrong. This talk will build a threat model for a sample web application, showcasing a structured approach to securing your web application. Various vulnerabilities are shown and mitigated, based on current best practices. We take special care to show to eliminate entire classes of vulnerabilities, rather than tackling problems one by one. The code samples will be built on top of Apache Sling, but previous knowledge of Sling is not required. Talk delivered at BaselOne 2023

Secure by Default Web Applications

Robert Munteanu

Sling is an established web application framework, with a multitude of core features and extensions. It has a very productive inner loop, with OSGi bundle deployment, JCR content editing and live configuration updates. The less-told story is how an application should be assembled, configured, deployed, and monitored. In this talk we will present the main approaches for bootstrapping, deploying, updating, and monitoring Sling-based applications, based on Open Source tools and libraries. The participants will gain a better understanding of the options available for managing their own Sling-based application and will be able to minimise the effort needed to manage such an application.

Sling Applications - A DevOps perspective

Robert Munteanu

Java agents are a little-known but extremely powerful part of the Java ecosystem. Agents are able to transform existing classes at runtime, allowing scenarios such as logging and monitoring, hot reload or gathering code coverage. However, their usage presents a number of pitfalls as well. In this talk we will present the steps of writing a java agent from scratch, indicate various common mistakes and pain points and draw conclusions on best practices. Special care will be taken to discuss how running in an OSGi environment affects Java agents and how we can best approach integration testing in a modular environment. After this talk participants will have a better understanding of the Java instrumentation API, how it fits in with OSGi runtimes and about should / should not be done with it.

Will it blend? Java agents and OSGi

Robert Munteanu

AEM as a Cloud Service is using the same battle-tested core of Sling, Felix and Jackrabbit Oak that you are used to. Many of the large-scale architectural changes, such as container-based deployments, separation of code and content, horizontal and vertical scaling, etc, are made possible by a host of reimplementations of APIs exposed by the open-source projects that serve as the foundation of AEM. In this talk we will explore a number of such extensions and their implications, such as Oak's principal-based authorization, getting up and running with the composite node store, or indexing in a separation of content and apps scenario. After this talk participants will have a better understanding of various under-the-hood changes present in AEM as a Cloud Service and their practical implications for AEM development. They will also be able to set up their own tweaked Sling instance so they can experiment with such a setup.

Escape the defaults - Configure Sling like AEM as a Cloud Service

Robert Munteanu

Microservices were born out of a need to enable modularity at a technical and business level. With their mass adoption tehnical patterns and solution have started to emerge, and management using Kubernetes is one of the most encountered. Monitoring application state becomes tedious when using approaches designed for individual servers and deployments. Prometheus and Grafana are cloud-native solutions that make monitoring of Kubernetes deployments a simple and very fruitful task. After this talk participants will understand how to instrument their applications, gather metrics and act on high-level aggregate information.

Crash course in Kubernetes monitoring

Robert Munteanu

Java agents are a little-known but extremely powerful part of the Java ecosystem. Agents are able to transform existing classes at runtime, allowing scenarios such as logging and monitoring, hot reload or gathering code coverage. However, their usage presents a number of pitfalls as well. In this talk we will present the steps of writing a java agent from scratch, indicate various common mistakes and pain points and draw conclusions on best practices. After this talk participants will have a better understanding of the Java instrumentation API and about should / should not be done with it.

Java agents for fun and (not so much) profit

Robert Munteanu

Will it blend? Java agents and OSGi

Robert Munteanu

Kubernetes is quickly becoming the de facto deployment platform for container runtimes. New applications can be written with containers in mind, but existing applications are not always aligned to the new best practices. In this talk we will present how an existing application can be deployed on a Kubernetes platform, exploring various patterns such as scaling out, centralised logging and monitoring, content distribution and persistence. After this talk participants will gain a better understanding about how existing applications can be molded into a cloud-native ones with reasonable effort.

Cloud-native legacy applications

Robert Munteanu

Kubernetes is quickly becoming the de facto deployment platform for container runtimes. Sling provides a quick out-of-the box experience using the Starter jar, but this kind of setup is not always easy to deploy in containers. In this talk we will present how a Sling application can be deployed on a Kubernetes platform, exploring various patterns such as scaling out, centralised logging and monitoring, content distribution and persistence. After this talk participants will gain a better understanding about how Sling can be molded into a cloud-native applications without sacrificing the features that make Sling a strong development platform.

Cloud-Native Sling

Robert Munteanu

Adobe Experience Manager as the biggest enterprise application built on the Apache Sling stack over the years was built with a monolithic product perspective. Taming the growth over time and tackling upcoming challenges led to a situation were a transition towards a modular product, where large features can be gracefully removed at runtime, becomes unavoidable. With this talk we want to provide insights on how Adobe uses the available technologies in the stack, extends the stack and transforms the own practices to cut the product in loosely coupled modules with minimal impact on existing consumers. We will be identifying patterns on OSGi, content and scripting side to eliminate and prevent hard wiring and highlight pending challenges and our thoughts on how to resolve that. Last but not least we will share our experience on how such a transition impacts our engineering flow and quality assurance practices.

From Monolith to Modules - breaking apart a one size fits all product into mo...

Robert Munteanu

The Sling developer tooling consists of many projects: Eclipse plug-ins, Maven archetypes and Maven plug-ins are the most widely known. This talk will showcase the results of an initiative to make the Sling IDE tooling less reliant on Eclipse and more usable in other environments. After this talk participants will have a better overview of the various developer tools available for Apache Sling and will be able to choose the tools that make them more productive, irrespective of the IDE they use.

What's new in the Sling developer tooling?

Robert Munteanu

Microservices are quickly becoming one of the preferred deployment models in the software industry. Much has been said about the runtime impact of microservices, but less about how they impact the development process. This talk will discuss the details of moving from a single monolithic codebase to multiple repositories in terms of the development process. We will present the impact of modularisation on source control, continuous integration, code reviews, IDEs and public discussion on chat/email. After this talk attendees will have a better understanding on the impact of the development process of modular development.

Scaling up development of a modular code base

Robert Munteanu

OSGi offers developers excellent tools for creating modular applications. We have come to have a good understanding of the runtime impact of modularity, but less has been spoken of the impact of modularity on the development process. This talk will discuss the details of moving a large OSGi project from a single monolithic codebase to multiple repositories in terms of the development process. We will present the impact of modularisation on source control, continuous integration, code reviews, IDEs and public discussion on chat/email. After this talk attendees will have a better understanding of the way they can improve their development process when dealing with OSGi or other kinds of modular applications.

Scaling up development of a modular code base

Robert Munteanu

Microservices are quickly becoming one of the preferred deployment models in the software industry. Much has been said about the runtime impact of microservices, but less about how they impact the development process. This talk will discuss the details of moving from a single monolithic codebase to multiple repositories in terms of the development process. We will present the impact of modularisation on source control, continous integration, code reviews, IDEs and public discussion on chat/email. After this talk attendees will have a better understanding on the impact of the development process of modular development.

Scaling up development of a modular code base

Robert Munteanu

In this session we'll show how the Composite Node Store, a new Oak feature, can be used together with Docker to perform blue-green deployments. This kind of setup allows to dynamically change a part of the repository (containing the application code), while leaving the content part untouched. The presentation and the demo will be based on the AEM, but the concepts and tools are generally applicable to all Sling-based applications. The building blocks we'll present can be used to develop other mechanisms for zero-downtime deployments.

Zero downtime deployments for Sling application using Docker

Robert Munteanu

Microservices are quickly becoming one of the preferred deployment models in the software industry. Much has been said about the runtime impact of microservices, but less about how they impact the development process. This talk will discuss the details of moving from a single monolithic codebase to multiple repositories in terms of the development process. We will present the impact of modularisation on source control, continous integration, code reviews, IDEs and public discussion on chat/email. After this talk attendees will have a better understanding on the impact of the development process of modular development.

Scaling up development of a modular code base

Robert Munteanu

Slide IDE Tooling (adaptTo 2016)

Robert Munteanu

Apache Sling is an innovative web framework built on top of the Java Content Repository (JCR), that uses OSGi for its component model and fosters RESTful application design. This presentation will showcase how the Apache Sling framework can be used to build a unified REST-based middleware for multiple data sources, such as MongoDB, Apache Cassandra, Apache Jackrabbit Oak or classical relational databases. In doing so it will present the benefits that come from a single Resource API over multiple data stores, both at the library level and at the HTTP boundary.

Apache Sling as an OSGi-powered REST middleware

Robert Munteanu

The Apache Sling project has built a number of testing tools which aid in testing applications that are built on top of this framework - REST-based, assembled using OSGi and backed by JCR. We will review how those testing tools fit in with domain-agnostic testing tools such as JUnit and Mockito and what the benefits and pitfalls are when building your own domain-specific tools. Similar techniques apply to projects not using the same technology stack, so the discussion will bring value to all projects which can benefit from domain-specific testing tools.

Building domain-specific testing tools : lessons learned from the Apache Slin...

Robert Munteanu

Developing a Sling application is only half the story - or perhaps even less. Automated testing is of great importance for insuring code quality and reducing regression risk. Sling presents an interesting challenge, as its technology stack does not get as much attention as more mainstream ones. As such, we had the pleasure of developing our own patterns and testing tools, while integrating the foundations that already existed. This presentation will walk through the various available tools and show how they can be used to cover a Sling-based application.

So how do I test my Sling application?

Robert Munteanu

More from Robert Munteanu (20)

Secure by Default Web Applications

Sling Applications - A DevOps perspective

Will it blend? Java agents and OSGi

Escape the defaults - Configure Sling like AEM as a Cloud Service

Crash course in Kubernetes monitoring

Java agents for fun and (not so much) profit

Will it blend? Java agents and OSGi

Cloud-native legacy applications

Cloud-Native Sling

From Monolith to Modules - breaking apart a one size fits all product into mo...

What's new in the Sling developer tooling?

Scaling up development of a modular code base

Zero downtime deployments for Sling application using Docker

Scaling up development of a modular code base

Slide IDE Tooling (adaptTo 2016)

Apache Sling as an OSGi-powered REST middleware

Building domain-specific testing tools : lessons learned from the Apache Slin...

So how do I test my Sling application?

Recently uploaded

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Exploring Multimodal Embeddings with Milvus

Zilliz

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Six Myths about Ontologies: The Basics of Formal Ontology

johnbeverley2021

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

In this keynote, Asanka Abeysinghe, CTO,WSO2 will explore the shift towards platformless technology ecosystems and their importance in driving digital adaptability and innovation. We will discuss strategies for leveraging decentralized architectures and integrating diverse technologies, with a focus on building resilient, flexible, and future-ready IT infrastructures. We will also highlight WSO2's roadmap, emphasizing our commitment to supporting this transformative journey with our evolving product suite.

Platformless Horizons for Digital Adaptability

WSO2

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Recently uploaded (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

[BuildWithAI] Introduction to Gemini.pdf

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Exploring Multimodal Embeddings with Milvus

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

presentation ICT roal in 21st century education

FWD Group - Insurer Innovation Award 2024

Vector Search -An Introduction in Oracle Database 23ai.pptx

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

AWS Community Day CPH - Three problems of Terraform

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Six Myths about Ontologies: The Basics of Formal Ontology

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Platformless Horizons for Digital Adaptability

Boost Fertility New Invention Ups Success Rates.pdf

Secure by Default Web Applications with Apache Sling

1. http://robert.muntea.nu @rombert Secure by Default Web Applications With Apache Sling Secure by Default Web Applications With Apache Sling Robert Munteanu, Adobe Systems Bucharest Technology Week 2016

2. http://robert.muntea.nu @rombert Who I am  $DAYJOB  Adobe Experience Manager  Apache Sling  Apache Jackrabbit  Apache Felix  Open Source  Apache Sling  MantisBT  Mylyn Connector for MantisBT  Mylyn Connector for Review Board

3. http://robert.muntea.nu @rombert Purpose of the talk Scope Cost Schedule

4. http://robert.muntea.nu @rombert Purpose of the talk Scope Cost Schedule

5. http://robert.muntea.nu @rombert Purpose of the talk Scope Cost Schedule

6. http://robert.muntea.nu @rombert Agenda ● Apache Sling ● Demo application review ● Threat model ● Security with Apache Sling ● Demo ● Conclusion ● Q&A

7. http://robert.muntea.nu @rombert Apache Sling – Brief History 2007 Incubation 2009 TLP 2015 Version 8 200x Pre-Apache

8. http://robert.muntea.nu @rombert Apache Sling – Code Statistics

9. http://robert.muntea.nu @rombert Apache Sling – Contributor activity

10. http://robert.muntea.nu @rombert Apache Sling – Value proposition ● Content-oriented ● RESTful ● Lightweight ● Integrated authentication and authorization ● OSGi-powered ● Scripting inside ● Easily deployable

11. http://robert.muntea.nu @rombert Apache Sling – Content-Oriented Blog posts Images Users and Groups

12. http://robert.muntea.nu @rombert Apache Sling – Content-Oriented Server-side templates and scripts Configurations

13. http://robert.muntea.nu @rombert Apache Sling – RESTful $ http localhost:8080/content/↵ blog/posts/hello_world.html json xml txt pdf php3

14. http://robert.muntea.nu @rombert Apache Sling – RESTful

15. http://robert.muntea.nu @rombert Apache Sling – Persistence via JCR

16. http://robert.muntea.nu @rombert Apache Sling – Topologies Standalone High Availability

17. http://robert.muntea.nu @rombert Agenda ● Apache Sling ● Demo application review ● Threat model ● Security with Apache Sling ● Demo ● Conclusion ● Q&A

18. http://robert.muntea.nu @rombert Demo App – main page

19. http://robert.muntea.nu @rombert Demo App – Article Page

20. http://robert.muntea.nu @rombert Demo App – Submitting comments

21. http://robert.muntea.nu @rombert Agenda ● Apache Sling ● Demo application review ● Threat model ● Security with Apache Sling ● Demo ● Conclusion ● Q&A

22. http://robert.muntea.nu @rombert Threat modelling “Threat modeling is an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application” Threat Modeling Web Applications on MSDN

23. http://robert.muntea.nu @rombert Threat Modelling - Assets

24. http://robert.muntea.nu @rombert Threat Modelling - Assets ● Availability ● Content ● User Credentials ● Ability to execute code on server ● Ability to execute code in the browser context

25. http://robert.muntea.nu @rombert Threat Modelling - Trust Levels

26. http://robert.muntea.nu @rombert Threat Modelling - Trust Levels 1. Anonymous 2. Author 3. Administrator

27. http://robert.muntea.nu @rombert Threat Modelling - Threats OWASP

28. http://robert.muntea.nu @rombert Threat Modelling - Threats 1. Denial of Service 2. Defacement / Deletion 3. Leaking credentials 4. SQL/Shell Injection 5. Stored/Reflected XSS

29. http://robert.muntea.nu @rombert Threat Modelling - Mitigation

30. http://robert.muntea.nu @rombert Agenda ● Apache Sling ● Demo application review ● Threat model ● Security with Apache Sling ● Demo ● Conclusion ● Q&A

31. http://robert.muntea.nu @rombert Apache Sling Security – Natural layering of ACEs

32. http://robert.muntea.nu @rombert Apache Sling Security – Security applied at the lowest level $ http --auth bob:bob localhost:8080/content/blog/posts/n ew_blog_post 'jcr:title=New post'

33. http://robert.muntea.nu @rombert Apache Sling Security – Context-aware templating language <div class="comment clearfix"> <img class="avatar img-rounded pull-left" src="${resource.valueMap['authorAvatar']}"/> <h3>${resource.valueMap['jcr:title']}</h3> <p>$ {resource.valueMap['jcr:description']}</p> </div>

34. http://robert.muntea.nu @rombert Apache Sling Security – Injection-safe APIs Children of /content/blog/posts

35. http://robert.muntea.nu @rombert Apache Sling Security – Injection-safe APIs Children of /content/blog/comments/ hello_world

36. http://robert.muntea.nu @rombert Agenda ● Apache Sling ● Demo application review ● Threat model ● Security with Apache Sling ● Demo ● Conclusion ● Q&A

37. http://robert.muntea.nu @rombert Demo Application – Actual demo!!!!1oneone

38. http://robert.muntea.nu @rombert Conclusions – Security ● Aim to be “Secure by Default” ● Build a threat model for your application ● Look for components that eliminate problems altogether

39. http://robert.muntea.nu @rombert Conclusions – Apache Sling ● Simple to be “Secure by Default” ● Eventing, Thread Pooling, Job Management, Caching ● Scripting: Groovy, Scala, JSP, Sightly, Java, Ruby, Thymeleaf ● Flexible resource rendering with resource types ● Very extensible due to being internally powered by OSGi – most extension points available to clients

40. http://robert.muntea.nu @rombert Resources ● Apache Sling – https://sling.apache.org ● Apache Jackrabbit ● https://jackrabbit.apache.org ● http://jackrabbit.apache.org/oak/ ● OWASP - https://www.owasp.org ● https://www.owasp.org/index.php/OWASP_Top_Ten _Cheat_Sheet ● https://www.owasp.org/index.php/Application_Thre at_Modeling

Secure by Default Web Applications with Apache Sling

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to Secure by Default Web Applications with Apache Sling

Similar to Secure by Default Web Applications with Apache Sling (20)

More from Robert Munteanu

More from Robert Munteanu (20)

Recently uploaded

Recently uploaded (20)

Secure by Default Web Applications with Apache Sling