SOLVED

Can the Assets HTTP API be used via public domain for Content Fragment?

baoyu_li
Level 2

Hi all,

Is it a correct way to use the Assets HTTP API via a public domain for Content Fragment delivery, such as below?

https://my.site.com/api/assets/myapplication/folder/cftest.json

If so, what kind of security configuration is required to be able to do it?

Thanks in advance.

1 Accepted Solution
Ritesh_Mittal
Correct answer by
Community Advisor

Hi @baoyu_li,

It depends on the business requirement whether you want to keep your Assets API for GET operations as an open public API (without authentication; just think of an e-commerce application where you want to get all data of products/catalog and you do not want to restrict with authentication). In that case the GET calls can just be made public.

If the Assets REST API is used within an environment without specific authentication requirements, AEM’s CORS filter needs to be configured correctly.

In another case, when you want to have authentication in place before any CRUD operation (for PUT, POST, DELETE there will/should always be authentication though), then you will put security in place. As per the documentation, multiple options are possible and OAuth is proposed.

Check this video if it helps:

https://www.youtube.com/watch?v=Yn7ybOwfIYY

Reference:

https://experienceleague.adobe.com/docs/experience-manager-65/assets/extending/assets-api-content-fr...
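
A check for the setup the answer describes (public GET, no cross-origin writes), as an added example that is not part of the original post or Adobe's code. It audits a CORS policy expressed with the property names of AEM's Granite CORS policy OSGi configuration (`alloworigin`, `allowedpaths`, `supportedmethods`, `supportscredentials`); the sample policies, the origin `https://shop.example.com`, the sentinel path and the full-match treatment of `allowedpaths` are assumptions made for illustration.

```python
import re

# Path taken from the URL in the question.
API_PATH = "/api/assets/myapplication/folder/cftest.json"
# Constructed sentinel: a path outside the Assets API that a policy should not cover.
NON_API_PATH = "/bin/constructed-non-api-path"
READ_ONLY = {"GET", "HEAD", "OPTIONS"}  # all a public delivery endpoint needs


def audit_cors_policy(policy):
    """Return findings for one CORS policy given as a dict of OSGi properties."""
    findings = []
    origins = policy.get("alloworigin", [])
    methods = {m.upper() for m in policy.get("supportedmethods", [])}
    paths = policy.get("allowedpaths", [])  # assumption: treated as full-match regexes
    if "*" in origins and policy.get("supportscredentials", False):
        findings.append("wildcard origin combined with supportscredentials")
    extra = sorted(methods - READ_ONLY)
    if extra:
        findings.append("write methods allowed cross-origin: " + ", ".join(extra))
    if not any(re.fullmatch(p, API_PATH) for p in paths):
        findings.append("allowedpaths does not cover the delivery path")
    if any(re.fullmatch(p, NON_API_PATH) for p in paths):
        findings.append("allowedpaths reaches beyond the Assets API")
    return findings


# Constructed sample policies (not from the page).
WEAK = {
    "alloworigin": ["*"],
    "supportscredentials": True,
    "supportedmethods": ["GET", "POST", "PUT", "DELETE"],
    "allowedpaths": ["/.*"],
}
HARDENED = {
    "alloworigin": ["https://shop.example.com"],
    "supportscredentials": False,
    "supportedmethods": ["GET", "HEAD", "OPTIONS"],
    "allowedpaths": ["/api/assets/.*"],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_cors_policy(policy) or "no findings")
```

CORS only governs cross-origin browser access; authentication for PUT, POST and DELETE still has to be enforced on the server, as the answer says.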
