Monday, 27 July 2015

Secure Apache from Clickjacking

In this post, I will explain an important Apache2 configuration that is used to stop clickjacking. I got to know about clickjacking when I was working with the security checklist in AEM.
Q1. What is clickjacking?
Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both. If it is still not clear to you, I am attaching a video URL that will explain it much better.
Q2. How to stop clickjacking in AEM using the Apache2 server?
There is a response header named X-Frame-Options; by configuring Apache to send it, you can stop clickjacking.
Q3. What is the syntax of this configuration?
Header set X-Frame-Options "sameorigin"

Q4. Where do we find this configuration?
In Apache 2.4 you have a security.conf file in the conf-available directory. In this file, search for X-Frame-Options; the setting is already present but commented out by default. Now you have two options.
  1. Uncomment this setting and restart your Apache2 server.
  2. Copy and paste this setting into apache2.conf, uncomment it, and restart your Apache server.
In my case, I copied and pasted this setting into the apache2.conf file, uncommented it and restarted my Apache2 server.

Q5. Apache server throws an error when restarting after this configuration?
It is possible that you will get an error when starting the Apache2 server after adding this configuration. The reason is that the Header directive requires the mod_headers module (mod_headers.so), which is disabled by default. Enable this module and your Apache server will start successfully.

Q6. How to enable the headers module (mod_headers) in the Apache2 server?
For enabling this module you have a headers.load file present in the mods-available directory of your Apache2 server. In my case, it is present at /etc/apache2/mods-available. Just do one thing: create a softlink in your mods-enabled folder. If you are an Ubuntu user, execute this command-
Now you will see this soft link in your mods-enabled folder. Restart your Apache2 server.
Q7. How to check whether it's working or not?
After restarting your Apache2 server, request a non-cached page through the Apache2 server. Open the browser's developer tools and check the response headers. You will see the X-Frame-Options header field, as shown below

If you see this header on your page, it means your configuration is working.
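Checking the header by eye in the debugger works for one page; the following added example (not code from the original post) evaluates X-Frame-Options the way current browsers do, including the edge cases: no header, a conflicting pair of values from two Header directives, and the obsolete ALLOW-FROM form, which browsers ignore. The response headers are constructed samples; feed it the headers from `curl -sI` to check a live server.

```python
# Added example: evaluate X-Frame-Options as a browser does (HTML spec's
# "check a navigation response's adherence to X-Frame-Options"), to confirm
# the Apache "Header set X-Frame-Options" line actually protects a page.
from urllib.parse import urlsplit

def _origin(url):
    """Scheme + host + port, which is what SAMEORIGIN compares."""
    u = urlsplit(url)
    return (u.scheme.lower(), u.hostname or "", u.port)

def parse_xfo(headers):
    """Return the set of lower-cased X-Frame-Options values (possibly empty).

    `headers` is a list of (name, value) pairs as read off the wire; the
    header may repeat, and each value may itself be a comma-separated list.
    """
    values = set()
    for name, value in headers:
        if name.lower() == "x-frame-options":
            for part in value.split(","):
                part = part.strip().lower()
                if part:
                    values.add(part)
    return values

def framing_allowed(headers, page_url, framer_url):
    """True if a browser would render page_url inside a frame on framer_url."""
    values = parse_xfo(headers)
    if not values:          # no header at all: the page can be framed anywhere
        return True
    if len(values) > 1:     # conflicting values: blocked if any recognised one is present
        return not values & {"deny", "sameorigin", "allowall"}
    (value,) = values
    if value == "deny":
        return False
    if value == "sameorigin":
        return _origin(page_url) == _origin(framer_url)
    return True             # unknown value (e.g. ALLOW-FROM) is ignored: no protection

# Constructed sample responses, modelled on what `curl -sI` would show.
PROTECTED = [("Server", "Apache/2.4"), ("X-Frame-Options", "sameorigin")]
UNPROTECTED = [("Server", "Apache/2.4"), ("Content-Type", "text/html")]

def report(headers, page_url, framer_url):
    verdict = "framable" if framing_allowed(headers, page_url, framer_url) else "blocked"
    return f"{page_url} inside {framer_url}: {verdict}"

if __name__ == "__main__":
    page = "https://aem.example/content/geometrixx/en.html"
    print(report(PROTECTED, page, "https://other.example/"))
    print(report(UNPROTECTED, page, "https://other.example/"))
```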

Happy Coding
Namah Shivay

Sunday, 5 July 2015

AEM Templates in Details

In this post, I will explain the most useful properties of templates, or you can say the most useful features provided by templates. Most AEM developers are familiar with these properties but don't know how to use them. In this post I will explain all of these properties in detail.

Agenda
  1. Allowed Paths Property (allowedPaths)
  2. Allowed Templates Property (cq:allowedTemplates)
  3. Allowed Parents Property (allowedParents)
  4. Allowed Children Property (allowedChildren)
Use of these Properties

"All of these properties are used to hide and show different templates at different page hierarchies at the time of page creation. For example, some templates are visible only under the /content directory, some are visible for page creation under the /content/geometrixx hierarchy, some under the /content/geometrixx/en hierarchy, and some at every level of the page hierarchy."

Note :- These properties are a very important part of the AEM component developer certification exam. So let's play with these properties.

allowedPaths
1). This property is a template-level property, so it must be defined on the template node.
2). The type of this property is string array.
3). Its value is the path under which this template will be visible for page creation in siteadmin.

i.e. for showing a template under the /content directory we have to add this property with a value of /content(/.*)?. This regex means that this template is visible under each and every page in the /content directory.

If you change its value to /content/geometrixx/en/? then this template will be visible under the /content/geometrixx/en page but not under its child pages, i.e. this template will not be visible under the /content/geometrixx/en/toolbar page.

So for the base template you must define this allowedPaths property as /content(/.*)?, so that this template is visible for page creation.

Note :- This property is required only for top-level page creation. If you don't provide this property then this template will not be visible in siteadmin. This property is also required if you don't add the cq:allowedTemplates property on the top-level page's jcr:content node.
If you provide the cq:allowedTemplates property at the top-level page then, for all child templates, you don't need to add the allowedPaths property. This property will be explained in detail later in this post.

For explaining these properties, my project structure is -

On the homepage node, I have added a property named allowedPaths with a value of /content/? so that this template will be visible in the siteadmin page creation dialog.
Now add one more property named cq:allowedTemplates on the jcr:content node of this template.
I will explain this property after creating a page. The value of this property is /apps/blog/templates/.*


This will look like -

Now go to siteadmin and create a new page using this template.

Note :- The allowedPaths property is required only for the template that you are going to use to create your website's top-level page, for example the /content/geometrixx, /content/geometrixx-outdoors etc. pages.

cq:allowedTemplates
1). This property is a page-level property, so it must be defined on the jcr:content node of the template.
2). The type of this property is string array.
3). Its value is the path(s) of the templates that will be visible for page creation under the current page in siteadmin.
This property restricts which templates will be visible under a page created using this template. For example -
I have added this property on my homepage template with a value of /apps/blog/template/.*, which means that under a page created using the homepage template, only those templates present in the /apps/blog/template directory will be visible.
If you define a particular template path then only that particular template will be displayed; for example, if the value of this property is /apps/blog/template/templateRes then only this template will be visible.

You can think of it as: first AEM checks the cq:allowedTemplates property and selects a group of templates that can be displayed under the page created using this template.
Then AEM checks the allowedPaths property of each template in this selected group and checks whether a path in this property matches the path of the page; if yes, this template is displayed, otherwise not. In short -

allowedParents
1). This property is a template-level property, so it must be defined on the template node.
2). The type of this property is string array.
3). Its value is the path(s) of the templates that can act as the parent of this template at the time of page creation in siteadmin.

This property adds another level of restriction, i.e. if your templates satisfy both of the criteria defined above (or those properties are not present or are defined empty) then this property is checked.
If this property exists then AEM checks its value, which holds the paths of the templates that can act as the parent of this template.

Now the criteria for showing a template becomes -

cq:allowedTemplates (Parent Page) + allowedPaths (Parent Template) + allowedParents (Child Template) = template to be displayed.

allowedChildren
1). This property is a template-level property, so it must be defined on the template node.
2). The type of this property is string array.
3). Its value is the path(s) of the templates that are allowed or visible for page creation under this template in siteadmin.

This is a template-level property. In my case, I have added this property on my homepage template.
If the properties defined above and this property are not empty then a new level of restriction is added for showing templates in siteadmin.

So you can say the final template list is shown on the basis of these criteria:
cq:allowedTemplates (Parent Page) + allowedPaths (Parent Template) + allowedParents (Child Template) + allowedChildren (Parent Template) = template to be displayed.
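To make the combined criteria concrete, here is an added example (not code from the post, the linked repository, or AEM itself) that models the four checks as the post describes them on a constructed set of templates. Template paths, the site structure and the exact combination of the rules are assumptions; AEM's real resolution logic lives in its own Java code, and this model only mirrors the description above.

```python
# Added example: a model of the template-visibility rules described in the
# post. Patterns are treated as full-match regexes, as the post's values
# (/content(/.*)?, /apps/blog/template/.*) imply.
import re

def _matches(patterns, value):
    """True if any regex in `patterns` matches the whole of `value`."""
    return any(re.fullmatch(p, value) for p in patterns)

# Constructed templates: template path -> properties on the template node.
TEMPLATES = {
    "/apps/blog/template/homepage": {
        "allowedPaths": ["/content(/.*)?"],
        "allowedChildren": ["/apps/blog/template/(contentpage|templateRes)"],
    },
    "/apps/blog/template/contentpage": {"allowedParents": ["/apps/blog/template/homepage"]},
    "/apps/blog/template/templateRes": {},
    "/apps/other/template/landing": {"allowedPaths": ["/content/other(/.*)?"]},
}

def visible_templates(parent_path, parent_template, allowed_templates, templates=TEMPLATES):
    """Templates offered when creating a page under `parent_path`.

    parent_template is the template path of the parent page (None at the top
    level, /content); allowed_templates is the cq:allowedTemplates value in
    effect on the parent page's jcr:content (None if not set).
    """
    shown = []
    for path, props in templates.items():
        # 1. cq:allowedTemplates on the parent page selects a template group.
        #    Without it, the candidate's own allowedPaths must match the parent path.
        if allowed_templates is not None:
            if not _matches(allowed_templates, path):
                continue
            paths = props.get("allowedPaths")
            if paths and not _matches(paths, parent_path):
                continue
        elif not _matches(props.get("allowedPaths", []), parent_path):
            continue
        # 2. allowedParents on the candidate restricts which template the parent may use.
        parents = props.get("allowedParents")
        if parents and not (parent_template and _matches(parents, parent_template)):
            continue
        # 3. allowedChildren on the parent's template restricts the candidates.
        children = templates.get(parent_template, {}).get("allowedChildren")
        if children and not _matches(children, path):
            continue
        shown.append(path)
    return shown
```

Calling `visible_templates("/content", None, None)` reproduces the top-level case (only the template with a matching allowedPaths appears), while `visible_templates("/content/blog", "/apps/blog/template/homepage", ["/apps/blog/template/.*"])` reproduces the page created with the homepage template.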

I tried my level best to make these properties clear, and I have pushed the code related to this POC to my git repository. If I am not clear at any point, you can contact me. All details are listed below. Your views are welcome.


github repository link

Happy Coding
Namah Shivay