AEM6.5.12: Block OPTIONS method call in an AEM Author and Publish Instance | Community
March 2, 2023
Solved


Hi Team,

 

Our AEM Author and Publish instances are allowing OPTIONS method calls and we need to disable that. Can you please help with this? To repeat, we need to disable it on the Author and Publish instances; we already did it with the dispatcher, but couldn't find any way to disable it on the instances (Publish & Author). We put the OPTIONS method in filter.methods in the referrer filter, but it does not seem to be working.

 

Thanks

Mujeeb


3 replies

Kiran_Vedantam
Community Advisor
March 2, 2023
Jagadeesh_Prakash
Community Advisor
March 2, 2023

@mujeeburrehman It seems we don't have any OOTB feature to disable HTTP methods. We can do it by using a servlet filter to check the incoming request and reject any requests with the OPTIONS method.

 

Servlet filter:

```java
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// Rejects every OPTIONS request with 403 and passes all other methods through.
public class DisableOptionsFilter implements Filter {
    public void init(FilterConfig config) throws ServletException {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        if (((HttpServletRequest) request).getMethod().equalsIgnoreCase("OPTIONS")) {
            // Stop here: the request never reaches the rest of the filter chain.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
        } else {
            chain.doFilter(request, response);
        }
    }

    public void destroy() {}
}
```

And below is the OSGi

 

```java
import org.osgi.service.component.annotations.Component;

import javax.servlet.Filter;

// Registers the filter above as an OSGi service so Sling applies it at REQUEST scope.
@Component(
    service = Filter.class,
    property = {
        "sling.filter.scope=REQUEST",
        "sling.filter.pattern=(/.*)(\\.(html|json|xml))?($|/.*)"
    }
)
public class DisableOptionsFilterConfig extends DisableOptionsFilter {}
```
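A coverage check for the `sling.filter.pattern` value in the reply above, added here as an example and not part of the original reply. It shows that the optional extension group does not limit the filter to `.html`, `.json` or `.xml` paths. The sample paths are constructed, the class name is hypothetical, and whole-path matching is an assumption about how the pattern is applied.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not from the thread): which request paths does the
// sling.filter.pattern from the reply actually cover?
public class FilterPatternCoverage {

    // Pattern string copied from the reply's @Component properties.
    static final Pattern FILTER_PATTERN =
            Pattern.compile("(/.*)(\\.(html|json|xml))?($|/.*)");

    // Constructed sample paths, chosen to vary extension and shape.
    static final String[] SAMPLE_PATHS = {
        "/content/site/en.html",
        "/content/site/en.model.json",
        "/content/dam/site/report.pdf",   // extension not listed in the pattern
        "/bin/example",                   // no extension at all
        "/",
        "content/no-leading-slash"
    };

    // Assumption: the pattern must match the whole path.
    static boolean covered(String path) {
        return FILTER_PATTERN.matcher(path).matches();
    }

    // Returns the sample paths the filter would NOT be applied to.
    static List<String> uncovered(String[] paths) {
        List<String> misses = new ArrayList<>();
        for (String path : paths) {
            if (!covered(path)) {
                misses.add(path);
            }
        }
        return misses;
    }

    public static void main(String[] args) {
        for (String path : SAMPLE_PATHS) {
            System.out.printf("%-32s %s%n", path,
                    covered(path) ? "filtered" : "NOT filtered");
        }
        System.out.println("Not covered: " + uncovered(SAMPLE_PATHS));
    }
}
```

Because `(/.*)` is greedy and the extension group is optional, every path that begins with `/` matches, so the filter applies to OPTIONS requests for any extension.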

 

Pawan-Gupta
Accepted solution
Level 8
March 3, 2023

Hello,

 

AEM servers don't allow disabling the OPTIONS method call by default, and I think there is already a reply describing a custom way.

 

Curious to understand the reason behind making such a request, because you already have the dispatcher to secure the traffic. Also refer to https://stackoverflow.com/questions/29954037/why-is-an-options-request-sent-and-can-i-disable-it which describes the flow really well.

 

Thanks!!