Right way to expose an endpoint/servlet from AEM author to 3rd party? | Community
Level 4
September 20, 2024

Right way to expose an endpoint/servlet from AEM author to 3rd party?

  • September 20, 2024
  • 5 replies
  • 2067 views

Hi All,

I have a use case where a 3rd party system (webhook) makes a POST call to AEM author and posts its payload.

In this case, I need to expose an endpoint (servlet) from AEM author.

To do so, I virtualised that endpoint through APIGW, whitelisted the 3rd party system's IP and shared my endpoint with the 3rd party system.

The issue here is that the requests from the 3rd party are not accepted by AEM because of its authentication; to address this I'm passing a 'basic authentication header' or 'alias' from APIGW to AEM Author.

But one of my leads mentioned that this is not the right approach.

@aanchalsikka , @shashi_mulugu , @veena_vikraman

Can anyone suggest a better way?

Thanks,

Raju.


5 replies

MukeshYadav_
Community Advisor
September 20, 2024

Hi,

One approach can be exposing the servlet endpoint.

The security check can be at env level by whitelisting only certain IPs of the third party (or use mutual TLS).

Apart from that, at dispatcher level only a defined set of methods, whether GET or POST, should be allowed.

We can sanitise the payload in the servlet with jsoup.

Make sure to use a service user with the minimum required access, i.e. narrowed down to certain paths and operations.

Thanks

daniel-strmecki
Community Advisor and Adobe Champion
September 20, 2024

Hello,

You didn't mention what version of AEM you are using. In case you are on AEMaaCS please refer to this documentation: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/developing/generating-access-tokens-for-server-side-apis

Good luck,

Daniel

Level 4
September 23, 2024

Hi @daniel-strmecki ,

Thanks for your reply.

I'm using AEM 6.5.17.

Thanks,

Raju.

B_Sravan
Community Advisor
September 22, 2024

Hi @rajumuddana ,

Exposing an endpoint in AEM Author for a third-party system to make POST calls can be tricky, especially with authentication concerns. Your lead might be raising concerns about security and best practices. Here are a few points to consider:

  1. Authentication Mechanism: If you are using Basic Authentication, ensure that the credentials are securely managed. It's also good practice to use HTTPS to encrypt the transmission.

  2. Token-Based Authentication: Instead of Basic Authentication, consider using a more secure method like OAuth or JWT. This way, you can generate tokens for the third-party system that can be validated by AEM.

  3. IP Whitelisting: While whitelisting the IP of the third-party system is a good practice, it should be part of a broader security strategy.

  4. Endpoint Validation: Implement additional validation on the AEM side to ensure that the incoming requests are genuinely from the expected third-party service. This could include checking specific headers, payload structures, or signatures.

  5. Access Control: Ensure that the endpoint only allows the required operations (e.g., POST) and that appropriate permissions are in place.

  6. Logging and Monitoring: Set up logging and monitoring for incoming requests to track usage and identify potential issues.

For AEMaaCS, check this documentation: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/developing/generating-access-tokens-for-server-side-apis

- Sravan

Level 4
September 24, 2024

Hi @b_sravan ,

Thanks for your response.

Token-based authentication: this is not supported by my 3rd party, since this communication is one way (3rd party --POST--> AEM). That's why they suggested using HMAC validation to make sure the request/payload is genuine.

But at the AEM end, instead of 'Basic authentication' (enriching the headers in APIGW), shall I make the endpoint/servlet accessible to the 'Anonymous' user? Or else, what is the best way to authenticate in this case?

Thanks,

Raju.
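The HMAC validation Raju's 3rd party suggested, together with Sravan's points 4 and 5 (validate a signature over the payload, allow only POST), can be implemented directly in the Sling servlet. The following is an added example written for this thread, not code from any of the posters or from Adobe: a path-bound AEM 6.5 servlet that accepts only POST, reads the raw body with a size cap, rejects requests whose timestamp is outside a configured window, and checks an HMAC-SHA256 over `timestamp.body` against a hex header using a constant-time comparison. The package name, the servlet path `/bin/example/webhook`, the header names `X-Signature-256` and `X-Signature-Timestamp`, the `timestamp.body` signing convention and the OSGi config shape are all assumptions of this example; the real 3rd party's signing scheme has to be substituted.

```java
package com.example.webhook; // hypothetical package, not from the thread

import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.io.IOUtils;
import org.apache.commons.io.input.BoundedInputStream;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.AttributeType;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;

/**
 * Path-bound servlet registered for POST only. A request is admitted only if
 * its body is signed with the shared secret; everything else gets 401.
 * Path, header names and signing convention are assumptions for this example.
 */
@Component(service = Servlet.class, property = {
        "sling.servlet.paths=/bin/example/webhook",
        "sling.servlet.methods=POST"
})
@Designate(ocd = WebhookReceiverServlet.Config.class)
public class WebhookReceiverServlet extends SlingAllMethodsServlet {

    @ObjectClassDefinition(name = "Example Webhook Receiver")
    public @interface Config {
        @AttributeDefinition(name = "Shared secret", type = AttributeType.PASSWORD)
        String secret();

        @AttributeDefinition(name = "Max clock skew (seconds)")
        long maxSkewSeconds() default 300;
    }

    static final String SIGNATURE_HEADER = "X-Signature-256";       // assumed header name
    static final String TIMESTAMP_HEADER = "X-Signature-Timestamp"; // assumed header name
    private static final long MAX_BODY_BYTES = 1024 * 1024;          // 1 MiB cap on the payload

    private volatile byte[] secret;
    private volatile long maxSkewSeconds;

    @Activate
    protected void activate(Config config) {
        secret = config.secret().getBytes(StandardCharsets.UTF_8);
        maxSkewSeconds = config.maxSkewSeconds();
    }

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        String signature = request.getHeader(SIGNATURE_HEADER);
        long timestamp;
        try {
            timestamp = Long.parseLong(request.getHeader(TIMESTAMP_HEADER)); // null header also fails here
        } catch (NumberFormatException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Bound the window in which a captured request could be replayed.
        long nowSeconds = System.currentTimeMillis() / 1000;
        if (signature == null || Math.abs(nowSeconds - timestamp) > maxSkewSeconds) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Read the raw bytes: the MAC must cover exactly what was sent, not a re-serialised parse.
        byte[] body;
        try (InputStream in = new BoundedInputStream(request.getInputStream(), MAX_BODY_BYTES + 1)) {
            body = IOUtils.toByteArray(in);
        }
        if (body.length > MAX_BODY_BYTES) {
            response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        if (!isValidSignature(secret, timestamp, body, signature)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Signature verified: hand the body to the real processing here, using a
        // narrowly scoped service user for any repository access, as the thread advises.
        response.setStatus(HttpServletResponse.SC_ACCEPTED);
    }

    /** HMAC-SHA256 over "timestamp.body", compared in constant time with the hex header value. */
    static boolean isValidSignature(byte[] secret, long timestamp, byte[] body, String signatureHex) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            mac.update(Long.toString(timestamp).getBytes(StandardCharsets.US_ASCII));
            mac.update((byte) '.');
            byte[] expected = mac.doFinal(body);
            byte[] provided = hexToBytes(signatureHex.trim().toLowerCase());
            return provided != null && MessageDigest.isEqual(expected, provided);
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    private static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) return null;
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }
}
```

Two details matter in practice. The servlet reads `getInputStream()`, which only works for bodies Sling has not already consumed as form parameters, so the 3rd party should send a JSON (or similar) content type rather than `application/x-www-form-urlencoded`. And if the path is exempted from AEM's login requirement (a `-` entry for the path in the Sling Authentication Service's `sling.auth.requirements`), the MAC check becomes the only thing authenticating the caller, so the shared secret must be long and random, stored only in OSGi config, and rotated together with the 3rd party; the IP whitelist and mutual TLS from Mukesh's reply remain the outer layers around it.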

 

Umesh_Thakur
Community Advisor
September 23, 2024

I am not sure about your use case for using AEM to expose something, but I am certainly sure this is not the way to do this, especially in the case of a POST call.
Maybe after knowing your use case I will suggest some way of getting your task done.

By the way, people are using SlingServlet for the same purpose; maybe this could help you, but be informed that it will have its own cost for your instance.

Hope this helps

Umesh Thakur

kautuk_sahni
Community Manager
September 25, 2024

@rajumuddana Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

Kautuk Sahni
Level 4
September 26, 2024

Hi @kautuk_sahni ,

I did not find the solution yet.

Thanks,

Raju.