Expand my Community achievements bar.

Enhance your AEM Assets & Boost Your Development: [AEM Gems | June 19, 2024] Improving the Developer Experience with New APIs and Events
Learn More
SOLVED

Cloud Manager DDOS - org.apache.sling.servlets.get.DefaultGetServlet~artifact-id.cfg.json

Avatar

Level 3
Level 3
7/19/23 5:45:14 AM

Hi, 

 

I'm trying to build a Production pipeline for cloud Manager, but the "Sling default GET servlet is protected from DOS attacks" is failing. In log it's asking me to disable html and text for Sling default GET servlet. I have created a file under ui.config/src/main/content/jcr_root/apps/my-project/osgiconfig/config/org.apache.sling.servlets.get.DefaultGetServlet~my-project.cfg.json to disable html. txt and xml but the pipeline is still failing with the same error in Summary and Log. 

 

These are contents in file.

 

{
    "enable.html": "false",
    "enable.txt": "false",
    "enable.xml": "false",
    "json.maximumresults": "200"
}

 

 

I check in configMgr, html, text and xml is enabled. I thought creating this file will change the configMgr for Sling GET Servlet. Does anyone have any idea how can I change the config without ConfigMgr?

Views

646

Replies

6
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
7/19/23 10:36:36 AM
In response to snowwhite92

This is part of the security checklist that you should go through in a production env, you can learn more from the links I pasted below, it mentions that only JSON is critical for internal operations, so you should be good. The other renders must be disabled by extra security measures.

Esteban666_0-1689787670796.png

https://sling.apache.org/documentation/bundles/rendering-content-default-get-servlets.html 

https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security-checkl...


Esteban Bustamante

View solution in original post

Views

600

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
6 Replies

Avatar

Community Advisor
Community Advisor
7/19/23 7:01:16 AM

Hi @snowwhite92 

 

Can you share the exact log of the build failure?

 

Thanks,

Kiran Vedantam

Views

632

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
7/19/23 7:03:08 AM
In response to Kiran_Vedantam

@Kiran_Vedantam here is the log. 

 

Sling Get Servlet - Failed
    WARN - The default plain text renderer is enabled.
    WARN - The default XML renderer is enabled.

 

 

Views

630

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
7/19/23 10:10:51 AM

The problem is that you are creating a new config for Apache Sling GET servlet which is wrong because it is not a factory, instead, you should configure the instance which is available by default, that being said, you just need to simply rename your config file to

org.apache.sling.servlets.get.DefaultGetServlet.cfg.json

Instead of 

org.apache.sling.servlets.get.DefaultGetServlet~my-project.cfg.json

 

Additionally, this should be already set if you are running in "Production Ready" mode.

Esteban666_0-1689786632187.png

 

 


Esteban Bustamante

Views

609

Replies

3
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
7/19/23 10:14:49 AM
In response to EstebanBustamante

@EstebanBustamante I have other sites running in same environment(Multitenancy). Some of the sites are old and i think they might be fetching text from backend apis. How important is it to have text and XML enabled? is there a work around to have a separate Sling GET Servlet for this project and leave the text and xml enable for other sites?  

Views

607

Replies

2
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Community Advisor
Community Advisor
7/19/23 10:36:36 AM
In response to snowwhite92

This is part of the security checklist that you should go through in a production env, you can learn more from the links I pasted below, it mentions that only JSON is critical for internal operations, so you should be good. The other renders must be disabled by extra security measures.

Esteban666_0-1689787670796.png

https://sling.apache.org/documentation/bundles/rendering-content-default-get-servlets.html 

https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security-checkl...


Esteban Bustamante

Views

601

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Employee Advisor
Employee Advisor
7/20/23 4:32:52 AM
In response to snowwhite92

No, the Sling GET Servlet configuration is global, and not site-dependent.

But "fetching text from backend APIs" as I understand it (AEM is reaching out to some other backend system) is not using the Sling GET Servlet code.

Views

574

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
AEM Cloud Service SDK Installation Solved

Views

70

Likes

0

Replies

2
Testing Cloud Manager Solved

Views

65

Likes

0

Replies

2
Is there an ability to programmatically get the same OSGI Configuration JSON available in Cloud Manager Developer Console ? Solved

Views

151

Likes

0

Replies

6
AEM Cloud Service Sites: Intermittent 403 in Auth Checker Servlet in Production

Views

146

Likes

0

Replies

6
Custom Link Response Header for pdfs is not getting set on AEM Cloud Publish Instance

Views

101

Likes

0

Replies

5