Expand my Community achievements bar.

AEM servlet by resource type

Avatar

Level 6
Level 6
12/10/24 7:39:59 AM

HI Team,

 

How is aem servlet with resourcetype is more secure than aem servlet with path based.

 

Thanks in advance.

Views

99

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
3 Replies

Avatar

Level 7
Level 7
12/10/24 8:08:00 AM

Hi @Keerthi0555 

 

You can control the access and permissions on the JCR node of the given resource for which you registered the servlet.

Views

89

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
12/10/24 8:54:35 AM

Hi @Keerthi0555 
Sling Servlet in AEM – AEM CQ5 Tutorials

When we register a servlet using path, we must be specific what all paths are allowed as If we define something randomly, our servlet might not be function properly. Only a limited set of paths are allowed and the rest are blocked. We can add more path using Apache Sling Servlet / Script Resolver and Error Handler. Allowing more paths to execute servlet to make your application vulnerable. like below image

 

Raja_Reddy_0-1733849597994.jpeg

That’s why you should not open more doors for servlets to run until and unless it is required. You might also need to tell specific paths to your consumers, who are consuming servlet response using ajax and any change in that path could have a serious affect. This might not be the case when you use resourceType. Sling Engine will take care of permissions if you register servlet using Resource Type. Users who cannot access a particular resource will not be able to invoke the servlet.





Views

78

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 9
Level 9
12/10/24 1:02:36 PM

Hi @Keerthi0555,

to summarize, including all the points already raised:

  1. General Security
    • Attackers cannot directly invoke resource-type servlets by guessing paths, as they must reference a valid resource of the specified type
    • Servlets that operate outside the context of specific resources, make it easier for attackers to exploit them if there are vulnerabilities in the servlet logic
  2. Control and Validation
    • Resource-type servlets inherently depend on the Sling Resource Resolution mechanism, allowing AEM to apply additional checks or restrictions based on the resource hierarchy
  3. Development Best Practices
    • Resource-type servlets align better with AEM’s component-based architecture
    • Developers ensure that only specific components can use servlets

Hope this helps,

Daniel

Views

45

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
AEM links with more than one # are delete by editor Solved

Views

145

Likes

0

Replies

4
Any suggestions for dynamically appending AEM GraphQL query variables ?

Views

10

Likes

0

Replies

0
How to Hide the "Share Link" Button in AEM Assets View?

Views

57

Like

1

Replies

0
Getting started with AEM universal Editor for markdown and XML files

Views

130

Likes

0

Replies

4
AEM 6.5 author login using OAuth2.0

Views

137

Likes

0

Replies

4