AEM 6.3 | Apache Sling Content Disposition Filter | Hosting Static HTML in JCR

neerajg29767140
Level 2

08-12-2017

In AEM 6.2 and 6.3, when we attempt to hit static content such as /content/site/static-page.html, it is treated as a binary download, and the same happens for all other file types (pdf, css, js, images): the response header shows Content-Disposition as attachment.


In previous versions of AEM (6.1 and below), com.day.cq.dam.core.impl.servlet.SafeBinaryGetServlet was there to control the response header to render the page instead of downloading it. However, from 6.2 this component is deprecated; the reason is that the Apache Sling Content Disposition Filter (org.apache.sling.security.impl.ContentDispositionFilter) took precedence. This is an intended change made in the product from AEM 6.2 onward and was introduced as part of a Sling security fix.


Here we have steps to render static pages:


Apache Sling Content Disposition Filter configuration, where static files need to be added to meet requirements.

Configuration can be reverted to render static pages without adding them manually in OSGi by unchecking the checkbox (Enable Content Disposition for all paths), and the file would directly open in the browser instead of getting downloaded.

This is how static content can be hosted in JCR and rendered in a page.


References:


https://forums.adobe.com/thread/2325852

https://forums.adobe.com/thread/2326458

Replies

Jörg_Hoh
Employee

08-12-2017

There is a reason why this has been implemented that way in the product. It's security.

Of course you can turn it off. You are turning off a security feature of the product. Can you answer the question "are you sure what you are doing, are you aware of consequences and do you accept any negative outcome" with YES? Then go on.

Jörg

neerajg29767140
Level 2

08-12-2017

I have not asked this as a question; instead I posted this in the forum.

FYI,
We are using this as a security feature only.

Jörg_Hoh
Employee

09-12-2017

I just wanted to add this as a comment to your tutorial, how to turn this security feature off.

Just in case someone reads it and thinks that this is a good idea without being aware of the consequences 🙂

Jörg

bayani-portier
Level 1

01-05-2018

Definitely agreed around a security risk, and should be done on the dispatcher level.

Of course it needs to be documented and treated accordingly with controls.

If you are internal facing with a directory, is there a possibility to disable the filter using a wildcard for a subdirectory, or do you need to explicitly name files?
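Added example, not part of any post in this thread: a check to run after changing the Content Disposition Filter configuration, which lists JCR-hosted files that now render active content inline outside the areas that were reviewed and approved. The sample responses, the paths, the `ACTIVE_TYPES` list and the approved prefix are constructed assumptions.

```python
from email.parser import Parser

# Types a browser renders as an active document (assumed list, extend as needed).
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}

def classify(path, raw_head, approved_prefixes):
    """Classify one captured response head for a JCR-hosted file."""
    _status, _, header_block = raw_head.strip().partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    disposition = headers.get("Content-Disposition", "")
    if disposition.split(";")[0].strip().lower() == "attachment":
        return "download"            # filter (or dispatcher) forced a download
    # No Content-Type at all means the browser may sniff, so treat it as active.
    active = ("Content-Type" not in headers
              or headers.get_content_type() in ACTIVE_TYPES)
    if not active:
        return "inline-passive"      # e.g. images
    # Prefixes end with "/" so /content/site/static-old does not match.
    if any(path.startswith(p) for p in approved_prefixes):
        return "inline-approved"
    return "inline-unreviewed"

def audit(samples, approved_prefixes):
    """Return paths that render active content inline outside approved areas."""
    return [p for p, raw in samples
            if classify(p, raw, approved_prefixes) == "inline-unreviewed"]

# Constructed sample responses (not captured from a real system).
SAMPLES = [
    ("/content/site/static/index.html",
     "HTTP/1.1 200 OK\nContent-Type: text/html;charset=utf-8\n"),
    ("/content/dam/uploads/note.html",
     "HTTP/1.1 200 OK\nContent-Type: text/html\n"),
    ("/content/dam/uploads/report.pdf",
     "HTTP/1.1 200 OK\nContent-Type: application/pdf\n"
     "Content-Disposition: attachment\n"),
    ("/content/dam/site/logo.png",
     "HTTP/1.1 200 OK\nContent-Type: image/png\n"),
]
APPROVED = ["/content/site/static/"]  # hypothetical reviewed static area

if __name__ == "__main__":
    for path in audit(SAMPLES, APPROVED):
        print("review:", path)
```

Feed it response heads collected through the dispatcher as well as directly from the publish instance, since the two can differ.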

Ramakrishna_Kap
Level 1

15-05-2018

Hi All,

We have a similar issue. We are trying to download the PDF/docx from an AEM community page using the File Library component. Whenever we click on download it shows JSON output instead of downloading the actual file. It works fine on localhost. This is something to do with the Dispatcher setting. We have the following filter. It is still not helping. Can someone throw some light on this?

<FilesMatch "\.(?i:pdf|docx)$">
    ForceType application/octet-stream
    Header set Content-Disposition attachment
</FilesMatch>

Thanks in advance.

-Ramakrishna

Riju-Mahna
Level 2

26-02-2020

I came across this old thread. Not sure if you still have this issue with files (I had this issue with PDFs).

It's solved in https://experienceleaguecommunities.adobe.com/t5/Adobe-Experience-Manager/PDF-from-dispatchers-shoul...

I used the "LocationMatch" in httpd.conf and it worked for me.