AEM Security - .json Extension | Community
BrettBirschbach
Adobe Champion
July 30, 2019
Solved

AEM Security - .json Extension


In AEM we generally block all `page.infinity.json` and `page.N.json` requests, as they allow content grabbing and reveal the internal node structure, including usernames or anything else that might be considered "internal". However, `page.json` requests (no selector) also seem to render their JSON contents, and this is a lot harder to block unless we generically block the `.json` extension, requiring all valid JSON URLs to be whitelisted.

Is there a way to safely block JSON rendering to close this vulnerability? Or do we just have to accept that anyone can freely grab our internal node structure and private content such as usernames? The idea of blocking `.json` everywhere and opening up only a whitelisted set of URLs is tempting as an easy solution, but that makes servlets based on resource types rather than static URLs infeasible.

NOTE: I understand that JSON rendering by Sling can be turned off in "Apache Sling GET Servlet" in OSGi, but that breaks other OOTB functionality related to personalization, where calls to `/home/users/X/XXXXXXXXX.infinity.json` based on the current user are used.

Best answer by vipins5188

Hi Brett,

You can write a custom Sling filter servlet to stop execution of such requests. For example, pageinfo.json calls the "/libs/wcm/core/content/pageinfo.json" request.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import org.apache.felix.scr.annotations.*;
import org.apache.felix.scr.annotations.sling.SlingFilter;
import org.apache.felix.scr.annotations.sling.SlingFilterScope;

/** Simple servlet filter component that blocks requests for page information. */
@SlingFilter(generateComponent = false, generateService = true, order = -500, scope = SlingFilterScope.REQUEST)
@Properties({ @Property(name = "sling.filter.pattern", value = "/libs/wcm/core/content/pageinfo.json") })
@Component(immediate = true, metatype = false)
public class XYZFilter implements Filter {
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Custom logic (Referer or host-name check) goes here; this version refuses every
        // matched request outright instead of passing it on with chain.doFilter(request, response).
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
    }
}
```

Override the doFilter method and add your custom logic to block the request based on the HTTP Referer or your internal/external environment host name.

Hope this helps.

Thanks,

Vipin
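As an added example (not code from the thread or from Adobe), here is a filter in the same Felix SCR style that turns the suggestion above into a path- and resource-type-based check instead of a static URL whitelist: it refuses `.json` renders under `/content` unless the resource type is allow-listed, so resource-type servlets keep working and the `/home/users/...infinity.json` personalization calls are untouched. The class name, the `/content/` prefix and the allow-listed resource types are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.sling.SlingFilter;
import org.apache.felix.scr.annotations.sling.SlingFilterScope;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.request.RequestPathInfo;

/** Hypothetical filter: denies the default Sling JSON rendering of content pages
 *  (page.json, page.N.json, page.infinity.json) but lets resource-type based JSON servlets through. */
@SlingFilter(generateComponent = false, generateService = true, order = -500, scope = SlingFilterScope.REQUEST)
@Component(immediate = true, metatype = false)
public class ContentJsonFilter implements Filter {
    // Assumed prefix: only the content tree is protected; /home/users/X/...infinity.json
    // used by personalization lies outside it and is therefore still served.
    private static final String PROTECTED_PREFIX = "/content/";
    // Assumed allow-list of resource types whose JSON is produced by your own servlets.
    private static final Set<String> ALLOWED_TYPES =
            new HashSet<>(Arrays.asList("myproject/components/search", "myproject/components/nav"));

    /** Decision logic kept free of servlet types so it can be unit-tested directly. */
    static boolean shouldBlock(String resourcePath, String extension, String resourceType) {
        if (!"json".equals(extension) || resourcePath == null || !resourcePath.startsWith(PROTECTED_PREFIX)) {
            return false;  // not a JSON render of the content tree
        }
        // Selectors (N, infinity, none) do not matter: every JSON render of a non-allow-listed
        // resource type under the protected tree is denied.
        return !ALLOWED_TYPES.contains(resourceType);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        SlingHttpServletRequest request = (SlingHttpServletRequest) req;
        RequestPathInfo info = request.getRequestPathInfo();
        if (shouldBlock(info.getResourcePath(), info.getExtension(), request.getResource().getResourceType())) {
            // 404 rather than 403 so the response does not confirm that the node exists
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Because a REQUEST-scoped Sling filter only sees requests that reach the publish instance, keep whatever dispatcher rules you already have for `.infinity.json` and `.N.json` in place as the first line of defence.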

11 replies

BrettBirschbach
Adobe Champion
August 1, 2019

Ok, sounds good, thanks!