What's the use of "/libs/cq/security/userinfo.json"? Is there a way to limit/restrict access to this path?
jayv25585659
Level 8
February 14, 2023
Solved

What's the use of "/libs/cq/security/userinfo.json"? Is there a way to limit/restrict access to this path?

  • February 14, 2023
  • 3 replies
  • 3133 views

This page (The Dispatcher Security Checklist | Adobe Experience Manager) mentions that this path needs to be opened.

Any ideas what the JSON is for? I know it returns user information.


I am trying to find a way to prevent "hackers" from brute-forcing their way into the admin password via this URL.


Thank you.

3 replies

arunpatidar
Community Advisor
February 14, 2023

This can be blocked.

This API is used to get user info, which you don't need on publish for the end user.

Arun Patidar
Ritesh_Mittal
Community Advisor and Adobe Champion
February 14, 2023

Hi @jayv25585659 ,


There is nothing to worry about here, because it will only give information related to the currently logged-in user. Hence, only admin can see admin's details after login.


You can try logging in to AEM using different accounts and observe the JSON.


For the publish side, the end user will only access it through the site domain, and I am sure you already have mapping to the right content pages and error handling there, so there is nothing to worry about. Are you able to access the URL on publish, which gives user info?


Hope it helps!


Thanks,

Ritesh Mittal

jayv25585659
Level 8
February 14, 2023

Using this endpoint, can someone guess (with unlimited requests) the admin password on the publisher?

This command works: curl -v https://admin:admin@www.my-host.com

joerghoh
Adobe Employee
February 18, 2023

You probably can use some httpd magic to prevent the use of basic auth in requests.
(On the AEM side you could also disable basic auth, but that could break some of your automation scripts.)

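One way to do both things this thread mentions, denying the path on publish and refusing Basic-auth requests at the web server, as an added example that is none of the posters' own configuration; the farm name, server name and rule number are placeholders chosen here, and the httpd part assumes Apache 2.4:

```apache
# --- dispatcher.any, publish farm (farm name and rule number are placeholders) ---
/publishfarm {
  /filter {
    # ... the allow/deny rules from the Dispatcher Security Checklist stay as they are ...
    # Deny the user-info servlet on publish: anonymous visitors never need it.
    # Matching on /path (not /url) also covers selector/extension variants such as
    # /libs/cq/security/userinfo.foo.json, which a literal /url match would let through.
    /0100 { /type "deny" /path "/libs/cq/security/userinfo" }
  }
}

# --- httpd vhost in front of the publish dispatcher (Apache 2.4) ---
<VirtualHost *:443>
    ServerName www.example.com   # placeholder

    # Refuse any request that carries HTTP Basic credentials, so a credential
    # guess is answered with 403 at the edge and never reaches AEM's login module.
    <If "%{HTTP:Authorization} =~ /^Basic /i">
        Require all denied
    </If>

    # Deny the path at the web-server level too, independent of dispatcher rule order.
    <LocationMatch "^/libs/cq/security/userinfo(\.|/|$)">
        Require all denied
    </LocationMatch>
</VirtualHost>
```

If any legitimate client of this vhost still needs Basic auth (the automation scripts mentioned above), narrow the `<If>` to exclude its paths rather than dropping the rule; the denied requests show up as 403s in the access log, which is a convenient place to watch for guessing attempts.
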
DEBAL_DAS
Accepted solution
New Member
February 14, 2023

I have checked the userinfo.json response in my project.

On prod author, as we do have SSO, I could see certain information about myself (the logged-in user) while accessing /libs/cq/security/userinfo.json.


On prod publish we aren't supposed to log in, so I can see anonymous while accessing /libs/cq/security/userinfo.json.

Debal Das, Senior AEM Consultant