[AEM Dispatcher] 404 for Servlet with Custom Selector – Dispatcher Logs Show actionblocked
Hi everyone,
I'm facing a 404 issue with a custom Sling Servlet and the AEM Dispatcher. The servlet works for one placement of the component but returns a 404 for another, even though they share the exact same resource type.
Environment:
AEM as a Cloud Service
Servlet registered via @SlingServletResourceTypes with selectors = "customselector", extensions = "json"
Dispatcher module with a standard filter.any configuration
Scenario:
The servlet is registered for the resource type path/components/componentname and handles requests with the selector customselector and extension json (e.g., ...componentname.customselector.json).
Placement A (Works): The component is placed inside an Experience Fragment (XF) used in the site header.
Request URL: /content/experience-fragments/.../componentname.customselector.json
Response: 200 OK
Placement B (Fails): The exact same component (same sling:resourceType) is placed inline on a standard content page.
Request URL:
/content/path/us/en/pagepath/_jcr_content/root/container/componentname.customselector.json?tags=...
Response: 404 Not Found
Dispatcher Log Entry: [actionblocked] develop.domain.com
Note: Both components are on the same AEM Publish environment. The only difference is their physical location in the JCR tree (under /content/experience-fragments/ vs. under /content/path/).
Dispatcher Rules Context:
I have a universal deny rule at the top of my filter.any file:
/0001 { /type "deny" /url "*" }
I also have other working allow rules for JSON endpoints placed near the bottom, for example:
/10200 { /type "allow" /method "GET" /path "/content/path/*" /selectors "anotherselector" /extension "json" }
This rule works perfectly for its intended URLs.
if i add this anotherselector in the browser instead of customselector with my page content path then getting 400 not 404
if i change my selector name from the file then getting 404 for both placements
What I Tried (Failed):
To fix the 404 for Placement B, I added a specific allow rule at the bottom of the file (near the other working rules):
Option 1 (Exact path for this specific placement):
apache
/10600 {
/type "allow"
/method "GET"
/path "/content/path/us/en/pagepath/_jcr_content/root/container/componentname"
/selectors "customselector"
/extension "json"
}
Option 2 (Generic approach, mirroring the working /102 rule, which I prefer for maintainability):
apache
/10601{
/type "allow"
/method "GET"
/path "/content/path/*"
/selectors "customselector"
/extension "json"
}
After applying Option 2 and reloading the dispatcher, Placement B now returns a 200 OK.
Questions for the Community:
Is my understanding of the Dispatcher path-matching behavior correct (that selectors/extensions are stripped from the /path attribute during filter evaluation)?
Are there any security implications with using the generic allow rule (/content/path/*) for this specific selector, or is it acceptable as long as the selector (customselector) is unique and unlikely to be exploited?
I hope this detailed breakdown helps anyone else facing similar issues with Dispatcher and custom selectors. Any feedback on best practices would be greatly appreciated!
Thanks!