AEM 6.5 Sonar Cloud Scan- Do not use Sling servlet paths to register servlet | Community

Level 9
March 25, 2022
Solved

  • 2 replies
  • 5585 views

All,

Anyone know how we can easily resolve the issue "Do not use Sling servlet paths to register servlet" without major changes? This was identified in the code scan.

Does using "sling.servlet.paths.strict" mode help?

I have like 24 servlets.

https://experienceleague.adobe.com/docs/experience-manager-cloud-manager/using/how-to-use/custom-code-quality-rules.html?lang=en#do-not-use-sling-servlet-paths-to-register-servlets

Regards,

Best answer by BrettBirschbach (Adobe Champion), March 25, 2022

In cases where a servlet is actually tied to a web component on your websites, you can change your servlet to be configured with `sling.servlet.resourceTypes=<resource type of your component>` and then change your front end calls to instead be a URL directly to the component. When your servlet is tied to your component, this is generally advisable, because in a multi-site situation this ensures the path of the request includes the root path of the current site, which allows your service to ensure its response is contextual to the site.

That said, if you truly have servlets that need to answer on static paths, I think what you can probably do is effectively achieve the same thing as above by adding some `nt:unstructured` nodes to your JCR that have a declared `sling:resourceType` that you can then reference in your servlets (same way as if they were real components).

As an example, say you have a servlet with path /api/myservice right now. In your JCR add:

/content (default AEM folder for content)
  -> /api (type: nt:unstructured)
    -> /myservice (type: nt:unstructured, sling:resourceType: "/servlets/abc")

And then in your servlet, instead of configuring:

`sling.servlet.paths="/api/myservice"`

you have

`sling.servlet.resourceTypes="/servlets/abc"`

This then allows ACLs to be set on the `/content/api/myservice` node to govern access to your servlet, if desired.

NOTE that you'd need to call AEM with the full path `/content/api/myservice.json` for example, which you can alter in your dispatcher configs (e.g. shorten to /api/myservice) for external use.

Maybe not everything you need, but LMK if this helps.
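Putting the accepted answer into a concrete servlet, as an added example that is not code from this thread: the path-bound form the scan flags is shown in the comment, and the class below is the resource-type-bound replacement, with POST registered explicitly so a POST to the node is handled here rather than by the default Sling POST servlet. The package name, class name and the `.content.xml` location are assumptions.

```java
package com.example.core.servlets; // hypothetical package name

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.HttpConstants;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.apache.sling.servlets.annotations.SlingServletResourceTypes;
import org.osgi.service.component.annotations.Component;

/*
 * BEFORE (flagged by the rule): @SlingServletPaths("/api/myservice") on the
 * component. Path binding bypasses resource resolution, so no JCR ACL is
 * checked and the servlet answers identically for every site.
 *
 * AFTER: bind to the sling:resourceType of a content node, shipped in a
 * content package as jcr_root/content/api/myservice/.content.xml:
 *   <jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0"
 *             xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
 *             jcr:primaryType="nt:unstructured" sling:resourceType="/servlets/abc"/>
 * The servlet is then reached as /content/api/myservice.json.
 */
@Component(service = Servlet.class)
@SlingServletResourceTypes(
        resourceTypes = "/servlets/abc",
        methods = {HttpConstants.METHOD_GET, HttpConstants.METHOD_POST},
        extensions = "json")
public class MyServiceServlet extends SlingAllMethodsServlet {

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // request.getResource() is /content/api/myservice. A caller without jcr:read
        // on that node never gets here: resource resolution fails before this runs.
        response.setContentType("application/json");
        response.getWriter().write("{\"resource\":\"" + request.getResource().getPath() + "\"}");
    }

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // Binding POST to this resource type keeps the request here instead of letting
        // it fall through to the Sling default POST servlet, which would modify the node.
        doGet(request, response);
    }
}
```

The dispatcher filter for external use then allows the shortened path and rewrites it to `/content/api/myservice.json`, as the answer describes; only the exact paths known to accept POST should be allowed for that method.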

 

2 replies
Level 9
March 25, 2022

Thanks Brett, kindly assist with the below.
1. Is creating a node under /content or elsewhere wise?
2. Any permissions that need to be provided (ACLs)? Re-read the comment that ACLs will need to be provided to the /content/api node for the servlet to be accessed.
3. The dispatcher currently has an allow for /api/myservice; what do you propose we add in there to allow? Just /content/api/* in the filters?
4. Does proceeding with "sling.servlet.paths.strict" help resolve the Sonar issue, you think? https://sling.apache.org/documentation/the-sling-engine/servlets.html#caveats-when-binding-servlets-by-path
5. Anything w.r.t. method "POST"/"GET" to watch out for? I plan to use this with method POST as well.

Marked the answer right because it helped me implement a clean solution. Thank you once again @brettbirschbach

1) No, you don't need a Sling mapping. I was just suggesting it in case you had outside applications calling your URLs that you didn't want to update to a new URL with /content in front of it.

2) This is similar to the Sling mapping solution, and works just fine. Generally my teams have preferred to use Sling mappings rather than mess with JcrResourceResolverFactoryImpl, since that service is so core to AEM that any time it needs to be updated it effectively restarts the entire set of services on AEM and thus results in increased downtime/deployment time.

3) Fundamentally I don't think there are any increased security issues with GET, since it's already possible to make GET requests to web pages and such on your website. For POST I would ensure you're allowing only the exact paths that you know accept POST requests, to eliminate any chance of hitting the default AEM servlet that answers POST requests by trying to create a node. This is similar to allowing POSTs for form submissions, except in that case you probably key off of a selector to allow any form post regardless of URL.

sreenu539
Level 7
February 28, 2024
Hi @brettbirschbach

I am trying to do a simple Sling POST based on path and am getting an error; would you be able to take a look once?

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/post-sling-servlet-exceptions/td-p/656044

On another note: when you say "change your front end calls to instead be a URL directly to the component", how would you get the resource URL given JCR resource resolver mappings are in place to shorten rendered URLs in hrefs? Wouldn't this expose the /content path without shortening in a JavaScript AJAX call?

Thanks again for your help.

kautuk_sahni
Community Manager
May 30, 2022

@nitrohazedev

[Webinar | AEM GEMs] Looking under the hood - Cloud Manager 2022 | Register: https://adobe.ly/3t4jfgp & Ask Questions related to this Webinar: https://adobe.ly/3O0rdzd

Date & Time: Wednesday, June 15, 2022 - 8 am PDT OR 5 pm CET OR 8.30 pm IST
Speakers: Remus Stratulat & Shankari Panchapakesan

Share this within your Organisation and with your AEM peers!!

Kautuk Sahni