AEM servlet by resource type | Community
Keerthi0555
December 10, 2024
Solved

AEM servlet by resource type

  • December 10, 2024
  • 3 replies
  • 848 views

Hi Team,

How is an AEM servlet registered by resourceType more secure than an AEM servlet registered by path?

Thanks in advance.

Best answer by Raja_Reddy

3 replies

Tethich
Community Advisor
December 10, 2024

Hi @keerthi0555 


You can control the access and permissions on the JCR node of the given resource for which you registered the servlet.

Raja_Reddy
Community Advisor
Accepted solution
December 10, 2024

Hi @keerthi0555 
Sling Servlet in AEM – AEM CQ5 Tutorials

When we register a servlet using a path, we must be specific about which paths are allowed: if we define something randomly, our servlet might not function properly. Only a limited set of paths is allowed and the rest are blocked. We can add more paths using Apache Sling Servlet / Script Resolver and Error Handler. Allowing more paths to execute servlets makes your application vulnerable, as in the image below.

That's why you should not open more doors for servlets to run until and unless it is required. You might also need to tell specific paths to your consumers, who are consuming the servlet response using Ajax, and any change in that path could have a serious effect. This might not be the case when you use resourceType. The Sling Engine will take care of permissions if you register the servlet using a resource type. Users who cannot access a particular resource will not be able to invoke the servlet.



daniel-strmecki
Community Advisor and Adobe Champion
December 10, 2024

Hi @Keerthi0555,

to summarize, including all the points already raised:

  1. General Security
    • Attackers cannot directly invoke resource-type servlets by guessing paths, as they must reference a valid resource of the specified type
    • Servlets that operate outside the context of specific resources make it easier for attackers to exploit them if there are vulnerabilities in the servlet logic
  2. Control and Validation
    • Resource-type servlets inherently depend on the Sling Resource Resolution mechanism, allowing AEM to apply additional checks or restrictions based on the resource hierarchy
  3. Development Best Practices
    • Resource-type servlets align better with AEM’s component-based architecture
    • Developers ensure that only specific components can use servlets

Hope this helps,

Daniel
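The two registration styles discussed in Raja_Reddy's accepted answer and in Daniel's summary, side by side, as an added example that is not code from this thread or from AEM itself. The package, class names, the `/bin/example/nodeinfo` path and the `example/components/card` resource type are made up for illustration; the annotations and APIs are the standard Apache Sling ones. The point the code makes is the one the replies make: a path-bound servlet must do its own authorization and depends on the allowed-path list of the Sling Servlet/Script Resolver, whereas a resource-type-bound servlet only runs for a node the calling user can already read.

```java
// File 1 of 2 (constructed example): PathBoundServlet.java
package com.example.aem.core.servlets;

import java.io.IOException;
import javax.json.Json;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.servlets.annotations.SlingServletPaths;
import org.osgi.service.component.annotations.Component;

/**
 * Registered by path. Sling selects this servlet from the URL alone:
 *  - /bin/example/... must lie under one of the prefixes allowed by the
 *    "Apache Sling Servlet/Script Resolver and Error Handler" configuration
 *    (property servletresolver.paths); widening that list exposes every
 *    path-bound servlet under the added prefixes, the risk the thread warns about;
 *  - no JCR node backs the request, so repository read ACLs are never
 *    consulted before doGet() runs: authorization is the servlet's own job.
 */
@Component(service = Servlet.class)
@SlingServletPaths("/bin/example/nodeinfo")
public class PathBoundServlet extends SlingSafeMethodsServlet {

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        // The target node has to come from a parameter, because the URL itself is not a resource.
        String path = request.getParameter("path");
        // Manual authorization: the request's ResourceResolver is bound to the caller's session,
        // so getResource() returns null both for missing nodes and for nodes this user may not read.
        Resource target = (path == null) ? null : request.getResourceResolver().getResource(path);
        if (target == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        writeNodeInfo(target, response);
    }

    // Shared by both servlets: a small JSON description of the resolved node.
    static void writeNodeInfo(Resource resource, SlingHttpServletResponse response) throws IOException {
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write(
            Json.createObjectBuilder()
                .add("path", resource.getPath())
                .add("resourceType", resource.getResourceType())
                .build().toString());
    }
}

// File 2 of 2 (constructed example): ResourceTypeBoundServlet.java
package com.example.aem.core.servlets;

import java.io.IOException;
import javax.servlet.Servlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.HttpConstants;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.servlets.annotations.SlingServletResourceTypes;
import org.osgi.service.component.annotations.Component;

/**
 * Registered by resource type. A request such as
 *   GET /content/site/en/profile/jcr:content/card.info.json
 * is first resolved to a resource with the caller's session. If the node is
 * missing, or the user lacks jcr:read on it, resolution yields a
 * NonExistingResource (type sling:nonexisting), this servlet is not matched,
 * and the default servlet answers 404. The servlet therefore only runs for a
 * node the caller can already read whose sling:resourceType is the one below:
 * no path list to widen, no path parameter to validate.
 */
@Component(service = Servlet.class)
@SlingServletResourceTypes(
        resourceTypes = "example/components/card",
        selectors = "info",
        extensions = "json",
        methods = HttpConstants.METHOD_GET)
public class ResourceTypeBoundServlet extends SlingSafeMethodsServlet {

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        // Already resolved and readable by this user; no lookup and no manual ACL check needed.
        PathBoundServlet.writeNodeInfo(request.getResource(), response);
    }
}
```

Dropping both classes into an AEM project's core bundle and building it is enough to see the difference: the path-bound servlet answers at `/bin/example/nodeinfo?path=...` for any authenticated user and relies entirely on the null check, while the resource-type-bound one is reachable only through a `.info.json` URL on a node of the declared type, and a user without read permission on that node never reaches `doGet()` at all.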

Lokesh_Vajrala
Community Advisor
December 12, 2024

Thanks, @daniel-strmecki, for the excellent reply!

I also wanted to share an article I recently came across that delves into the pros and cons of registering a Sling Servlet by resourceType and path: AEM: Pros and Cons of Registering a Sling Servlet by ResourceType and Path.

I hope others find it helpful as well!


Thanks,

Lokesh