Expand my Community achievements bar.

Enhance your AEM Assets & Boost Your Development: [AEM Gems | June 19, 2024] Improving the Developer Experience with New APIs and Events
SOLVED

Need clarification in filter sections in Dispatcher

Avatar

Level 2

Hi All 

I have few queries in filter sections in dispatcher ..Could you please anyone help on this ?

1. Why is it recommended to configure filter sections in the dispatcher to start with 'deny all' and then allow only what is desired?

2. What complications might arise if we do not follow the recommended practice of starting filter sections in the dispatcher with 'deny all' and then allowing only what is desired?

 

Thanks

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

It's important to understand why it's recommended to configure filter sections starting with 'deny all' and then allow only what is desired.

1. Recommended Practice: 'Deny All' Approach:

  • The 'deny all' approach involves configuring the dispatcher filters to block all requests by default and then explicitly allow only the necessary resources or URLs.
  • This practice follows the principle of least privilege, which is a fundamental security concept. It ensures that only authorized and necessary resources are accessible, reducing the attack surface and minimizing security risks.

2. Complications of Not Following Recommended Practice:If the recommended practice of starting filter sections with 'deny all' is not followed, several complications may arise:

  • Security Vulnerabilities: Without proper filtering, unauthorized access to sensitive resources or URLs may be possible. This can lead to security vulnerabilities, such as unauthorized data access, injection attacks, or privilege escalation.
  • Resource Exhaustion: Allowing unrestricted access to resources can lead to resource exhaustion, such as server overload or bandwidth consumption. This can impact the performance and availability of the AEM application.
  • Data Exposure: Failure to restrict access can result in the exposure of sensitive data or configuration information. This could include user credentials, internal URLs, or other confidential information, leading to potential data breaches.
  • Compliance Risks: Not adhering to security best practices, such as the principle of least privilege, may result in compliance violations. Depending on the industry and regulatory requirements, this could lead to legal implications and penalties.
  • Maintenance Challenges: Without proper filtering, it becomes challenging to maintain and manage the security of the AEM application. Over time, the complexity of managing access controls may increase, making it harder to identify and mitigate security risks.

In summary, configuring filter sections in the dispatcher to start with 'deny all' and then allow only what is desired is a best practice that helps enhance security, reduce risks, and maintain the integrity of the AEM application. Not following this practice can lead to various complications, including security vulnerabilities, resource exhaustion, data exposure, compliance risks, and maintenance challenges.



Arun Patidar

View solution in original post

5 Replies

Avatar

Level 5

@KannanCh2 

Deny all rule is recommended because it prevents access to sensitive areas of AEM repository.

This will prevent sensitive information leakage from AEM repository. This approach enhances security and minimizes vulnerabilities.

 

 

Avatar

Correct answer by
Community Advisor

It's important to understand why it's recommended to configure filter sections starting with 'deny all' and then allow only what is desired.

1. Recommended Practice: 'Deny All' Approach:

  • The 'deny all' approach involves configuring the dispatcher filters to block all requests by default and then explicitly allow only the necessary resources or URLs.
  • This practice follows the principle of least privilege, which is a fundamental security concept. It ensures that only authorized and necessary resources are accessible, reducing the attack surface and minimizing security risks.

2. Complications of Not Following Recommended Practice:If the recommended practice of starting filter sections with 'deny all' is not followed, several complications may arise:

  • Security Vulnerabilities: Without proper filtering, unauthorized access to sensitive resources or URLs may be possible. This can lead to security vulnerabilities, such as unauthorized data access, injection attacks, or privilege escalation.
  • Resource Exhaustion: Allowing unrestricted access to resources can lead to resource exhaustion, such as server overload or bandwidth consumption. This can impact the performance and availability of the AEM application.
  • Data Exposure: Failure to restrict access can result in the exposure of sensitive data or configuration information. This could include user credentials, internal URLs, or other confidential information, leading to potential data breaches.
  • Compliance Risks: Not adhering to security best practices, such as the principle of least privilege, may result in compliance violations. Depending on the industry and regulatory requirements, this could lead to legal implications and penalties.
  • Maintenance Challenges: Without proper filtering, it becomes challenging to maintain and manage the security of the AEM application. Over time, the complexity of managing access controls may increase, making it harder to identify and mitigate security risks.

In summary, configuring filter sections in the dispatcher to start with 'deny all' and then allow only what is desired is a best practice that helps enhance security, reduce risks, and maintain the integrity of the AEM application. Not following this practice can lead to various complications, including security vulnerabilities, resource exhaustion, data exposure, compliance risks, and maintenance challenges.



Arun Patidar

Avatar

Level 2

@KannanCh2 
1) Question 1 - Deny all and allow only necessary  is a standard whitelisting technique followed to enhance security and for better filter performance

2) Question 2 - If you don't follow the deny all and allow necessary approach then you will end up with this code smell  https://github.com/adobe/aem-dispatcher-optimizer-tool/blob/main/docs/Rules.md#dot---the-dispatcher-...

Avatar

Community Advisor

Hi @KannanCh2 

Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.