
SOLVED

AEM servlet by resource type


Level 6

Hi Team,

How is an AEM servlet registered by resourceType more secure than an AEM servlet registered by path?

Thanks in advance.

1 Accepted Solution


Correct answer by
Community Advisor

Hi @Keerthi0555 
Sling Servlet in AEM – AEM CQ5 Tutorials

When we register a servlet by path, we must be specific about which paths are allowed, because if we define something random, our servlet might not function properly. Only a limited set of paths is allowed and the rest are blocked. We can add more paths using the Apache Sling Servlet / Script Resolver and Error Handler configuration. Allowing more paths to execute servlets makes your application vulnerable, as in the image below.

 

[image from the original post not reproduced here]

That's why you should not open more doors for servlets to run unless it is required. You might also need to tell your consumers, who consume the servlet response using Ajax, the specific paths, and any change in that path could have a serious effect. This might not be the case when you use resourceType. The Sling Engine will take care of permissions if you register the servlet using a resource type. Users who cannot access a particular resource will not be able to invoke the servlet.






4 Replies


Level 8

Hi @Keerthi0555 

 

You can control access and permissions on the JCR node of the resource for which you registered the servlet.


Level 9

Hi @Keerthi0555,

to summarize, including all the points already raised:

  1. General Security
    • Attackers cannot directly invoke resource-type servlets by guessing paths, as they must reference a valid resource of the specified type
    • Servlets that operate outside the context of specific resources make it easier for attackers to exploit them if there are vulnerabilities in the servlet logic
  2. Control and Validation
    • Resource-type servlets inherently depend on the Sling Resource Resolution mechanism, allowing AEM to apply additional checks or restrictions based on the resource hierarchy
  3. Development Best Practices
    • Resource-type servlets align better with AEM’s component-based architecture
    • Developers ensure that only specific components can use servlets

Hope this helps,

Daniel
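
To make the difference discussed in the accepted solution and in Daniel's summary concrete, here is an added example (not code from this thread or from Adobe) showing the same read-only "profile" servlet registered both ways, using the Apache Sling servlet annotations (org.apache.sling.servlets.annotations) and Gson, both of which ship with AEM. The resource type example/components/profile, the path /bin/example/profile, the content root /content/example and the package name are assumptions for illustration.

```java
// Added example, not from the original thread. Two files shown in one block.
// File 1: ProfileByResourceTypeServlet.java
package com.example.aem.servlets;   // assumed package name

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.ValueMap;
import org.apache.sling.api.servlets.HttpConstants;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.servlets.annotations.SlingServletResourceTypes;
import org.osgi.service.component.annotations.Component;

import com.google.gson.JsonObject;

/**
 * Registered by resource type: reachable only as <content-path>.data.json where the node
 * at <content-path> has sling:resourceType = example/components/profile. Sling resolves
 * <content-path> with the requesting user's session BEFORE picking a servlet; a node the
 * user may not read resolves to a non-existing resource, the type does not match, and
 * doGet() is never invoked (the client just gets a 404).
 */
@Component(service = Servlet.class)
@SlingServletResourceTypes(
        resourceTypes = "example/components/profile",   // assumed resource type
        methods = HttpConstants.METHOD_GET,
        selectors = "data",
        extensions = "json")
public class ProfileByResourceTypeServlet extends SlingSafeMethodsServlet {

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // request.getResource() is the resolved, ACL-checked content node; no lookup needed.
        ValueMap props = request.getResource().getValueMap();
        JsonObject json = new JsonObject();
        json.addProperty("title", props.get("jcr:title", ""));
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write(json.toString());
    }
}

// File 2: ProfileByPathServlet.java
package com.example.aem.servlets;   // assumed package name

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceUtil;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.servlets.annotations.SlingServletPaths;
import org.osgi.service.component.annotations.Component;

import com.google.gson.JsonObject;

/**
 * Registered by path: doGet() runs for every caller who can reach /bin/example/profile,
 * whatever content that caller may read (and only if /bin/... is inside the Execution
 * Paths, servletresolver.paths, of the Sling Servlet/Script Resolver configuration).
 * request.getResource() is a synthetic resource here, so authorization is the servlet's
 * job: resolve the target through request.getResourceResolver() (the user's own session)
 * so JCR ACLs still apply, and validate the caller-supplied path first.
 */
@Component(service = Servlet.class)
@SlingServletPaths("/bin/example/profile")   // assumed path
public class ProfileByPathServlet extends SlingSafeMethodsServlet {

    private static final String ALLOWED_ROOT = "/content/example/";        // assumed content root
    private static final String PROFILE_TYPE = "example/components/profile"; // assumed resource type

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // The "path" parameter is attacker-controlled. normalize() collapses ".." segments
        // (returning null if the path climbs above the root), so the prefix check cannot be bypassed.
        String raw = request.getParameter("path");
        String path = raw == null ? null : ResourceUtil.normalize(raw);
        if (path == null || !path.startsWith(ALLOWED_ROOT)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid path");
            return;
        }
        // The request's resolver is bound to the requesting user's session, so getResource()
        // returns null both for nodes that do not exist and for nodes this user may not read.
        // Using a service or admin resolver here instead would silently bypass the ACLs.
        Resource target = request.getResourceResolver().getResource(path);
        if (target == null || !target.isResourceType(PROFILE_TYPE)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        JsonObject json = new JsonObject();
        json.addProperty("title", target.getValueMap().get("jcr:title", ""));
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write(json.toString());
    }
}
```

Both classes read the same node and return the same JSON; what differs is who decides whether doGet() runs at all. In the first, the Sling resolver and the user's JCR session make that decision before the servlet is selected, which is the "Sling Engine will take care of permissions" point in the accepted solution. In the second, the servlet is executed for every request to its path, so the two checks inside doGet() are the only thing between the caller and the content, and the path itself has to be allowed by the Servlet/Script Resolver's Execution Paths, the setting the accepted solution warns against widening.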


Community Advisor

Thanks, @daniel-strmecki, for the excellent reply!

I also wanted to share an article I recently came across that delves into the pros and cons of registering a Sling Servlet by resourceType and path: AEM: Pros and Cons of Registering a Sling Servlet by ResourceType and Path.

I hope others find it helpful as well!

 

Thanks,

Lokesh