Why is OOTB currentuser.json API called so many times on AEM Publisher?
daniel-strmecki
Community Advisor and Adobe Champion
September 26, 2024
Solved


Hello,

I've created a Splunk report that counts all requests to AEM Publisher with the same path. I've noticed in the report that we are getting 28k+ requests towards "/libs/granite/security/currentuser.json" daily.

I would like to understand why that is so, and if this is expected OOTB behaviour? In our codebase we are not calling this API, so it must be something OOTB. But then again, why would we fetch current user info on publisher if we don't have login functionalities. We are on the latest version of AEMaaCS.

Thanks for the help,

Daniel

2 replies

h_kataria
Community Advisor
September 26, 2024

It is listed in the Dispatcher security checklist (https://experienceleague.adobe.com/en/docs/experience-manager-dispatcher/using/getting-started/security-checklist#prevent-denial-of-service-dos-attacks), so I would assume that this is needed for some internal functionality, probably contexthub or CUG.
I checked in our Splunk logs and we also have "HEAD" requests for the same. So, I would assume this is expected and should be fine.

daniel-strmecki
Community Advisor and Adobe Champion
September 26, 2024

Thanks for the hint @h_kataria, I also see that Dispatcher logs contain user info.

I still don't really understand why this is needed, but it looks like it is expected behaviour.

Here is the Splunk query if you can please confirm that this is expected to be one of the requests with the highest number of calls on AEM Publisher.

index=`your_index` sourcetype=aemrequest aem_env_type=prod aem_tier=publish aem_env_id=`your_env_id` earliest=-2d@d latest=@d
| eval Period = if(_time > relative_time(now(),"-1d@d"), "Yesterday","Day Before Yesterday")
| stats count(eval(Period="Yesterday")) as "Yesterday" count(eval(Period="Day Before Yesterday")) as "Day Before Yesterday" by path
| rename path AS "Request Path"
| sort -Yesterday
| head 20

h_kataria
Community Advisor
Accepted solution
September 27, 2024

It is the second most hit request on our publish based on your query.
Another thing, I checked and this is not whitelisted directly on our application dispatcher, i.e. <project_domain>/libs/granite/security/currentuser.json doesn't work, but is only allowed in publish filters, so https://publish-xxxx-xxxx.adobeaemcloud.com/libs/granite/security/currentuser.json still works, and nothing seems to be breaking so far.
Hope this helps.

joerghoh
Adobe Employee
September 29, 2024

I think that this is AEM CS.

This request is done by the monitoring, and therefore an internal implementation detail of AEM CS.