Need clarification in filter sections in Dispatcher | Community
Skip to main content
K
KannanCh2
Level 2
March 27, 2024
Solved

Need clarification in filter sections in Dispatcher

  • March 27, 2024
  • 4 replies
  • 1140 views

Hi All 

I have few queries in filter sections in dispatcher ..Could you please anyone help on this ?

1. Why is it recommended to configure filter sections in the dispatcher to start with 'deny all' and then allow only what is desired?

2. What complications might arise if we do not follow the recommended practice of starting filter sections in the dispatcher with 'deny all' and then allowing only what is desired?

 

Thanks

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by arunpatidar

It's important to understand why it's recommended to configure filter sections starting with 'deny all' and then allow only what is desired.

1. Recommended Practice: 'Deny All' Approach:

  • The 'deny all' approach involves configuring the dispatcher filters to block all requests by default and then explicitly allow only the necessary resources or URLs.
  • This practice follows the principle of least privilege, which is a fundamental security concept. It ensures that only authorized and necessary resources are accessible, reducing the attack surface and minimizing security risks.

2. Complications of Not Following Recommended Practice:If the recommended practice of starting filter sections with 'deny all' is not followed, several complications may arise:

  • Security Vulnerabilities: Without proper filtering, unauthorized access to sensitive resources or URLs may be possible. This can lead to security vulnerabilities, such as unauthorized data access, injection attacks, or privilege escalation.
  • Resource Exhaustion: Allowing unrestricted access to resources can lead to resource exhaustion, such as server overload or bandwidth consumption. This can impact the performance and availability of the AEM application.
  • Data Exposure: Failure to restrict access can result in the exposure of sensitive data or configuration information. This could include user credentials, internal URLs, or other confidential information, leading to potential data breaches.
  • Compliance Risks: Not adhering to security best practices, such as the principle of least privilege, may result in compliance violations. Depending on the industry and regulatory requirements, this could lead to legal implications and penalties.
  • Maintenance Challenges: Without proper filtering, it becomes challenging to maintain and manage the security of the AEM application. Over time, the complexity of managing access controls may increase, making it harder to identify and mitigate security risks.

In summary, configuring filter sections in the dispatcher to start with 'deny all' and then allow only what is desired is a best practice that helps enhance security, reduce risks, and maintain the integrity of the AEM application. Not following this practice can lead to various complications, including security vulnerabilities, resource exhaustion, data exposure, compliance risks, and maintenance challenges.

4 replies

AMANATH_ULLAH
Community Advisor
AMANATH_ULLAHCommunity Advisor
Community Advisor
March 27, 2024

@kannanch2 

Deny all rule is recommended because it prevents access to sensitive areas of AEM repository.

This will prevent sensitive information leakage from AEM repository. This approach enhances security and minimizes vulnerabilities.

 

 

Amanath Ullah
    K
    KannanCh2Author
    Level 2
    March 27, 2024

    Hi @amanath_ullah 

    Thanks for reply ..I need more details on this  ..

    Thanks 

     

      arunpatidar
      Community Advisor
      arunpatidarCommunity AdvisorAccepted solution
      Community Advisor
      March 27, 2024

      It's important to understand why it's recommended to configure filter sections starting with 'deny all' and then allow only what is desired.

      1. Recommended Practice: 'Deny All' Approach:

      • The 'deny all' approach involves configuring the dispatcher filters to block all requests by default and then explicitly allow only the necessary resources or URLs.
      • This practice follows the principle of least privilege, which is a fundamental security concept. It ensures that only authorized and necessary resources are accessible, reducing the attack surface and minimizing security risks.

      2. Complications of Not Following Recommended Practice:If the recommended practice of starting filter sections with 'deny all' is not followed, several complications may arise:

      • Security Vulnerabilities: Without proper filtering, unauthorized access to sensitive resources or URLs may be possible. This can lead to security vulnerabilities, such as unauthorized data access, injection attacks, or privilege escalation.
      • Resource Exhaustion: Allowing unrestricted access to resources can lead to resource exhaustion, such as server overload or bandwidth consumption. This can impact the performance and availability of the AEM application.
      • Data Exposure: Failure to restrict access can result in the exposure of sensitive data or configuration information. This could include user credentials, internal URLs, or other confidential information, leading to potential data breaches.
      • Compliance Risks: Not adhering to security best practices, such as the principle of least privilege, may result in compliance violations. Depending on the industry and regulatory requirements, this could lead to legal implications and penalties.
      • Maintenance Challenges: Without proper filtering, it becomes challenging to maintain and manage the security of the AEM application. Over time, the complexity of managing access controls may increase, making it harder to identify and mitigate security risks.

      In summary, configuring filter sections in the dispatcher to start with 'deny all' and then allow only what is desired is a best practice that helps enhance security, reduce risks, and maintain the integrity of the AEM application. Not following this practice can lead to various complications, including security vulnerabilities, resource exhaustion, data exposure, compliance risks, and maintenance challenges.

      Arun Patidar
        sateaswa94
        sateaswa94
        Level 3
        March 27, 2024

        @kannanch2 
        1) Question 1 - Deny all and allow only necessary  is a standard whitelisting technique followed to enhance security and for better filter performance

        2) Question 2 - If you don't follow the deny all and allow necessary approach then you will end up with this code smell  https://github.com/adobe/aem-dispatcher-optimizer-tool/blob/main/docs/Rules.md#dot---the-dispatcher-publish-farm-filters-should-contain-the-default-deny-rules-from-the-6xx-version-of-the-aem-archetype

          Raja_Reddy
          Community Advisor
          Raja_ReddyCommunity Advisor
          Community Advisor
          March 28, 2024

          Hi @kannanch2 

          Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.

           
            Terms & ConditionsAccessibility statement

            Loading footer...