{"id":21726969,"url":"https://github.com/wttech/secureaem","last_synced_at":"2025-04-12T23:34:16.999Z","repository":{"id":7154517,"uuid":"8453431","full_name":"wttech/SecureAEM","owner":"wttech","description":null,"archived":false,"fork":false,"pushed_at":"2022-07-06T20:33:40.000Z","size":16498,"stargazers_count":39,"open_issues_count":20,"forks_count":17,"subscribers_count":58,"default_branch":"master","last_synced_at":"2023-06-30T02:12:14.684Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wttech.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2013-02-27T10:09:31.000Z","updated_at":"2022-12-21T16:56:44.000Z","dependencies_parsed_at":"2022-07-13T12:40:51.071Z","dependency_job_id":null,"html_url":"https://github.com/wttech/SecureAEM","commit_stats":null,"previous_names":["cognifide/securecq"],"tags_count":2,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wttech%2FSecureAEM","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wttech%2FSecureAEM/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wttech%2FSecureAEM/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wttech%2FSecureAEM/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wttech","download_url":"https://codeload.github.com/wttech/SecureAEM/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":226438817,"owners_count":17625107,"icon_url":"https://gith
ub.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-26T03:42:35.866Z","updated_at":"2024-11-26T03:42:36.478Z","avatar_url":"https://github.com/wttech.png","language":"Java","readme":"# Secure AEM\n\n## Introduction\n\nSecure AEM is a tool that finds the most common security problems in your AEM instance. It tests both instances (author, publish) and also the dispatcher, as some resources should be restricted in the cache configuration. It checks:\n\n* if the default passwords have been changed,\n* if no unnecessary protocols are left enabled on the publish instance,\n* if access to the administrator console is disabled,\n* if content-grabbing selectors are restricted on the dispatcher,\n* etc.\n\nEach test contains a description and a *More info* link that points to an external page with additional information about the given security flaw.\n\nYou may also be interested in the blog post on [Secure AEM](http://www.cognifide.com/blogs/cq/keep-your-cms-safe-with-secure-cq/).\n\n## Requirements\n\n* AEM 6.1, 6.2, 6.3, 6.4, 6.5 SP1\n\n## Installation\n\nYou'll need Maven 3.x. If your author instance is running on `localhost:4502` and its credentials are `admin:admin`, run:\n\n        mvn clean package crx:install\n\nOtherwise, pass the address and credentials explicitly:\n\n        mvn clean package crx:install -Dinstance.url=http://localhost:4502 -Dinstance.username=YOUR_USERNAME -Dinstance.password=YOUR_PASSWORD\n\nNote that a password passed on the command line this way ends up in your shell history and is visible in the process list while Maven runs.\n\n## Configuration\n\nAfter installation, go to the AEM *Tools* page and choose *Secure AEM* from the list on the left. 
The application tries to find the author, publish and dispatcher URLs automatically, but you may want to confirm that they have been recognized correctly. To do that, click *Edit* on the Settings bar and correct the addresses if needed. That's it. Wait a moment until the tests are done and check the results.\n\n## CLI version\n\nSometimes you may want to check a remote AEM instance. *Secure AEM* can be compiled in standalone mode and used from the CLI, without any additional dependencies. To build the application this way, enter:\n\n        mvn clean package -Pcli\n\nThe JAR will be available as `target/secure-aem-VERSION-cli.jar`.\n\n### Usage\n\nUsage is simple:\n\n    java -jar secure-aem-VERSION-cli.jar [-a AUTHOR_URL] [-aCredentials AUTHOR_LOGIN:AUTHOR_PASSWORD] [-p PUBLISH_URL] [-pCredentials PUBLISH_LOGIN:PUBLISH_PASSWORD] [-d DISPATCHER_URL]\n\nEnter at least one URL to test the given instance, e.g.:\n\n    java -jar secure-aem-VERSION-cli.jar -a http://localhost:4502 -aCredentials admin:admin\n\nto invoke the author tests on localhost, or\n\n    java -jar secure-aem-VERSION-cli.jar -a 192.168.35.105:4502 -aCredentials admin:admin -p 192.168.35.105:4503 -pCredentials admin:admin -d 192.168.35.105\n\nto invoke the author, publish and dispatcher-related tests. You may omit the leading `http://`; *SecureAEM* uses the HTTP protocol by default.\n\nBy default *SecureAEM* runs the full test set defined in:\n\n    resources/test_suite.properties\n\nTo override it, use the `-suite` parameter:\n\n    java -jar secure-aem-VERSION-cli.jar -a http://localhost:4502 -aCredentials admin:admin -suite /home/myComputer/test_suite.properties\n\n## Writing own tests\n\n### Test page\n\nA test case is a standard AEM page under the `/etc/secureaem` parent. It holds the test metadata (title, severity, info URL), which can be edited using the test page template. Click on the test name to show the page. Besides that, the test page contains one `testComponent`. 
Its `sling:resourceType` defines the test type (e.g. `cognifide/secureaem/components/pageContent` checks whether the given pages contain a given string) and the remaining attributes are the test configuration. Example:\n\n    \u003ctestComponent\n        jcr:primaryType=\"nt:unstructured\"\n        enabled=\"true\"\n        sling:resourceType=\"cognifide/secureaem/components/pageContent\"\n        paths=\"[/libs/shindig/proxy]\"\n        content=\"[INVALID_PARAMETER]\"/\u003e\n\n### Test types\n\nEach test type consists of an AEM component and a Java class.\n\n#### Components\n\nTest types are standard AEM components inheriting from `cognifide/secureaem/components/abstractTest`. A component is linked to its Java test class (which extends `AbstractTest`) by the `testClass` property. Sample test component:\n\n    \u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n    \u003cjcr:root xmlns:sling=\"http://sling.apache.org/jcr/sling/1.0\" xmlns:cq=\"http://www.day.com/jcr/cq/1.0\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\"\n        jcr:primaryType=\"cq:Component\"\n        sling:resourceSuperType=\"cognifide/secureaem/components/abstractTest\"\n        testClass=\"com.cognifide.securecq.tests.PathsTest\"/\u003e\n\nYou may also override `dialog.xml` (to provide user configuration for the component) and `metadata.jsp` (to display these settings on the test page).\n\n#### Java classes\n\nEach test class extends `AbstractTest` and implements one or more of the interfaces `AuthorTest`, `PublishTest` and `DispatcherTest` to mark which instance URLs it should be invoked for. There is only one method to implement:\n\n\t/**\n\t * Perform test.\n\t * \n\t * @param url URL of the instance to test.\n\t * @param instanceName Name of the instance (e.g. author, publish or dispatcher).\n\t * @return true if the test succeeded\n\t * @throws Exception If you throw an exception, the test result will be set to \"Exception\". 
You may throw\n\t * special {@link InvalidConfigurationException} with message if the test configuration isn't set\n\t * correctly.\n\t */\n\tprotected abstract boolean doTest(String url, String instanceName) throws Exception;\n\nIn the test implementation you may invoke two methods:\n\n\tprotected void addInfoMessage(String message, Object... params)\n\t\n\tprotected void addErrorMessage(String message, Object... params)\n\t\nto add more detailed info about the result.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwttech%2Fsecureaem","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwttech%2Fsecureaem","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwttech%2Fsecureaem/lists"}
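As an added example (not code from the SecureAEM repository), the following is what a custom test class for the "Writing own tests" section above could look like. It checks that a list of paths is not served with HTTP 200 on a publish or dispatcher instance and reports each reachable path through `addErrorMessage`. Only `AbstractTest`, `doTest(String, String)`, `addInfoMessage`, `addErrorMessage`, `InvalidConfigurationException` and the `PublishTest`/`DispatcherTest` marker interfaces come from the README; the package and import locations, the hard-coded `BLOCKED_PATHS` list (the real project reads test configuration from the `testComponent` properties, e.g. `paths`, by a mechanism the README does not show), the `String.format`-style placeholders in the message methods, and the HTTP client code are assumptions.

```java
package com.cognifide.securecq.tests;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Arrays;
import java.util.List;

// Import locations are assumed; only the type names appear in the README.
import com.cognifide.securecq.AbstractTest;
import com.cognifide.securecq.DispatcherTest;
import com.cognifide.securecq.InvalidConfigurationException;
import com.cognifide.securecq.PublishTest;

/**
 * Fails when any of the configured paths is served with HTTP 200 on a
 * publish or dispatcher instance. Administrative endpoints such as the
 * package manager must not be reachable through the public-facing tier.
 */
public class BlockedPathsTest extends AbstractTest implements PublishTest, DispatcherTest {

    // Assumed and hard-coded for this example; the real project would take
    // these from the test component's configuration (e.g. a "paths" property).
    private static final List<String> BLOCKED_PATHS = Arrays.asList(
            "/crx/packmgr/index.jsp",
            "/system/console");

    private static final int TIMEOUT_MS = 5000;

    @Override
    protected boolean doTest(String url, String instanceName) throws Exception {
        if (BLOCKED_PATHS.isEmpty()) {
            // Per the README, this marks the result as a configuration problem.
            throw new InvalidConfigurationException("No paths configured for " + instanceName);
        }
        // Accept the instance URL with or without a trailing slash.
        String base = url.endsWith("/") ? url.substring(0, url.length() - 1) : url;
        boolean passed = true;
        for (String path : BLOCKED_PATHS) {
            int status = fetchStatus(base + path);
            if (status == HttpURLConnection.HTTP_OK) {
                // Assumes the message methods accept String.format placeholders.
                addErrorMessage("%s on %s is reachable (HTTP %d)", path, instanceName, status);
                passed = false;
            } else {
                addInfoMessage("%s on %s returned HTTP %d", path, instanceName, status);
            }
        }
        // A connection failure propagates and, per the README, yields "Exception".
        return passed;
    }

    /**
     * Sends an unauthenticated GET and returns the status code without
     * following redirects: a 302 to a login page counts as blocked, a 200 does not.
     */
    private static int fetchStatus(String target) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(target).openConnection();
        conn.setInstanceFollowRedirects(false);
        conn.setConnectTimeout(TIMEOUT_MS);
        conn.setReadTimeout(TIMEOUT_MS);
        conn.setRequestMethod("GET");
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }
}
```

Such a class would be wired to a test page by a component like the sample above, with `testClass="com.cognifide.securecq.tests.BlockedPathsTest"` (a hypothetical name) and the `testComponent` node carrying the path list; because it implements only `PublishTest` and `DispatcherTest`, it is skipped for the author URL, where those paths are legitimately reachable.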