Can the Assets HTTP API be used via public domain for Content Fragment?
June 19, 2021
Solved


Hi all,

Is it correct to use the Assets HTTP API via a public domain for Content Fragment delivery, as shown below?

https://my.site.com/api/assets/myapplication/folder/cftest.json

If so, what kind of security configuration is required to be able to do it?

Thanks in advance.

Best answer by Ritesh_Mittal

Hi @baoyu_li,

It depends on the business requirement: whether you want to keep your Asset API for GET operations as an open public API (without authentication; just think of an e-commerce application where you want to get all product/catalog data and do not want to restrict it with authentication). In that case, the GET calls can simply be made public.

If the Assets REST API is used within an environment without specific authentication requirements, AEM’s CORS filter needs to be configured correctly.

In another case, when you want to have authentication in place before any CRUD operation (for PUT, POST, DELETE there will/should always be authentication, though), then you will put security in place. As per the documentation, multiple options are possible and OAuth is proposed.

Check this video if it helps:

https://www.youtube.com/watch?v=Yn7ybOwfIYY

Reference:

https://experienceleague.adobe.com/docs/experience-manager-65/assets/extending/assets-api-content-fragments.html?lang=en

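The answer above says AEM's CORS filter must be configured correctly when GET calls to the Assets API are public. As an added example (not part of the original thread and not Adobe's code), this Python check audits a CORS policy for the factory PID `com.adobe.granite.cors.impl.CORSPolicyImpl` and compares a weak policy with a narrowed one. The sample policies, the origin `https://shop.example.com`, the probe paths and the finding names are constructed for illustration, and `allowedpaths` entries are assumed to be full-match regular expressions.

```python
import json
import re

# Constructed sample policies for com.adobe.granite.cors.impl.CORSPolicyImpl.
# Origin and path values are assumptions, not taken from the original post.
WEAK = json.loads("""{
  "alloworigin": ["*"],
  "allowedpaths": ["/.*"],
  "supportedmethods": ["GET", "HEAD", "POST", "PUT", "DELETE"],
  "supportscredentials": true
}""")

HARDENED = json.loads("""{
  "alloworigin": ["https://shop.example.com"],
  "allowedpaths": ["/api/assets/myapplication/.*"],
  "supportedmethods": ["GET", "HEAD"],
  "supportscredentials": false
}""")

READ_ONLY = {"GET", "HEAD", "OPTIONS"}

# Constructed paths that a public Content Fragment read policy should not cover.
PROBE_PATHS = [
    "/content/dam/internal/report.json",
    "/api/assets/otherapp/folder.json",
]


def audit_cors_policy(policy):
    """Return sorted findings for a policy meant for public, read-only delivery."""
    findings = []
    # A wildcard origin combined with credentials lets any site read
    # responses made with the visitor's session.
    if "*" in policy.get("alloworigin", []) and policy.get("supportscredentials"):
        findings.append("wildcard-origin-with-credentials")
    # Public delivery only needs read methods; anything else is flagged.
    writes = {m.upper() for m in policy.get("supportedmethods", [])} - READ_ONLY
    if writes:
        findings.append("write-methods:" + ",".join(sorted(writes)))
    # Assumption: allowedpaths entries are regexes matched against the full path.
    for pattern in policy.get("allowedpaths", []):
        if any(re.fullmatch(pattern, path) for path in PROBE_PATHS):
            findings.append("path-too-broad:" + pattern)
    return sorted(findings)


if __name__ == "__main__":
    print("weak:", audit_cors_policy(WEAK))
    print("hardened:", audit_cors_policy(HARDENED))
```

CORS only controls which browser origins may read responses; authentication for PUT, POST and DELETE is enforced separately on the server.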