Hi Adobe Team,
I am facing an issue with the servlet classes below. They work as expected, but in SonarQube I'm receiving a warning like "Do not use Sling servlet paths to register servlet".
Servlets 1, 2 and 3:

@Component(service = Servlet.class, property = {
        Constants.SERVICE_DESCRIPTION + "= information and create data",
        "sling.servlet.paths=" + "/bin/userdata", "sling.servlet.methods=" + HttpConstants.METHOD_GET })

@Component(service = { Servlet.class }, property = { "sling.servlet.paths=/bin/api/removedata",
        "sling.servlet.selectors={sampledata, removedata}", "sling.servlet.methods=GET" })
@ServiceDescription("API to remove data")

@Component(service = { Servlet.class }, property = { "sling.servlet.paths=/bin/api/uploaddata",
        "sling.servlet.methods=POST" })

Could you please provide some guidelines on how to fix this issue?
Thanks,
Sai
Hi @Sai1278,
The SonarQube warning you're encountering about avoiding Sling servlet paths (sling.servlet.paths) to register servlets stems from best practices in Adobe Experience Manager (AEM). The recommendation is to use sling.servlet.resourceTypes instead of hardcoded paths, as hardcoding paths can introduce security risks and complicate servlet management.
As you're dealing with data operations (which might not involve page rendering), you might wonder how to apply resourceTypes when you're not handling a page load or resource rendering.
Here's an approach to solve this:
You can create service nodes specifically for your data operations, for example:
/content/projectname/services/user-data
/content/projectname/services/remove
/content/projectname/services/upload-data
Each of these nodes should have a sling:resourceType property, which you can then reference in your servlet registration.
This way, you can still call your servlets based on resourceType rather than using hardcoded paths, adhering to best practices.
@Component(service = Servlet.class)
@SlingServletResourceTypes(
    resourceTypes = "projectname/services/user-data", // Define the resource type
    methods = "GET" // Define the HTTP method
)
public class UserDataServlet extends SlingAllMethodsServlet {
    // doGet(...) implementation goes here
}
This method not only follows best practices but also enhances security and maintainability.
To align with modern development practices, consider using the latest annotations to register your servlet. More details can be found here:
Registering a Servlet using Java Annotations.
- Sravan
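
A complete version of this kind of registration for the question's second servlet (`/bin/api/removedata`), as an added example that is not part of the original thread. The resource type `projectname/services/remove`, the class name and the JSON response are assumptions for illustration; the node path follows the naming in the answer above.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Servlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.servlets.annotations.SlingServletResourceTypes;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.propertytypes.ServiceDescription;

// Bound to the resource type of the service node instead of a /bin path.
// Assumed node (hypothetical, named after the pattern in the answer above):
//   /content/projectname/services/remove
//     sling:resourceType = "projectname/services/remove"
// Requests then take the form:
//   GET /content/projectname/services/remove.removedata.json
//   GET /content/projectname/services/remove.sampledata.json
@Component(service = Servlet.class)
@ServiceDescription("API to remove data")
@SlingServletResourceTypes(
        resourceTypes = "projectname/services/remove",
        selectors = { "sampledata", "removedata" },
        extensions = "json",
        methods = "GET")
public class RemoveDataServlet extends SlingSafeMethodsServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        // Sling resolved the service node with the caller's session before
        // selecting this servlet, so read ACLs on that node have been applied.
        List<String> selectors = Arrays.asList(request.getRequestPathInfo().getSelectors());

        // Both selectors reach this servlet; branch on the one that was used.
        String action = selectors.contains("removedata") ? "removedata" : "sampledata";

        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        // Illustrative response only: the original servlet's own logic goes here.
        // Only the fixed action name is echoed, never raw request input.
        response.getWriter().write("{\"action\":\"" + action + "\"}");
    }
}
```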
@Component(service = Servlet.class, property = {
Constants.SERVICE_DESCRIPTION + "= information and create data",
"sling.servlet.paths=" + "/bin/userdata", "sling.servlet.methods=" + HttpConstants.METHOD_GET })
==
@Component(service = Servlet.class, property = {
        Constants.SERVICE_DESCRIPTION + "= information and create data",
        "sling.servlet.paths=" + "/bin/userdata", "sling.servlet.methods=" + HttpConstants.METHOD_GET })
Change to resourceType like below:
@Component(service = Servlet.class, property = {
        Constants.SERVICE_DESCRIPTION + "= information and create data",
        "sling.servlet.resourceTypes=" + "sling/servlet/default",
        "sling.servlet.selectors=" + "userdata",
        "sling.servlet.extensions=" + "json",
        "sling.servlet.methods=" + HttpConstants.METHOD_GET
})
To invoke the servlet in your Sightly, JavaScript or Ajax call, you have to use the following: your project path, resourceType and extension. Example below:
url: /content/<your-project>/<projectname>.userdata.json
This will invoke the resourceType servlet.
If you have to invoke a POST method servlet, you have to use or update the CSRF filter configuration (Adobe Granite CSRF Filter).