Adobe Experience Manager Sites & More

snowwhite92 · 7/19/23

Hi,

I'm trying to build a Production pipeline for cloud Manager, but the "Sling default GET servlet is protected from DOS attacks" is failing. In log it's asking me to disable html and text for Sling default GET servlet. I have created a file under ui.config/src/main/content/jcr_root/apps/my-project/osgiconfig/config/org.apache.sling.servlets.get.DefaultGetServlet~my-project.cfg.json to disable html. txt and xml but the pipeline is still failing with the same error in Summary and Log.

These are contents in file.

{
    "enable.html": "false",
    "enable.txt": "false",
    "enable.xml": "false",
    "json.maximumresults": "200"
}

I check in configMgr, html, text and xml is enabled. I thought creating this file will change the configMgr for Sling GET Servlet. Does anyone have any idea how can I change the config without ConfigMgr?

EstebanBustamante · 7/19/23

This is part of the security checklist that you should go through in a production env, you can learn more from the links I pasted below, it mentions that only JSON is critical for internal operations, so you should be good. The other renders must be disabled by extra security measures.

https://sling.apache.org/documentation/bundles/rendering-content-default-get-servlets.html

https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security-checkl...

Esteban Bustamante

View solution in original post

Kiran_Vedantam · 7/19/23

Hi @snowwhite92

Can you share the exact log of the build failure?

Thanks,

Kiran Vedantam

snowwhite92 · 7/19/23

@Kiran_Vedantam here is the log.

Sling Get Servlet - Failed
    WARN - The default plain text renderer is enabled.
    WARN - The default XML renderer is enabled.

EstebanBustamante · 7/19/23

The problem is that you are creating a new config for Apache Sling GET servlet which is wrong because it is not a factory, instead, you should configure the instance which is available by default, that being said, you just need to simply rename your config file to

org.apache.sling.servlets.get.DefaultGetServlet.cfg.json

Instead of

org.apache.sling.servlets.get.DefaultGetServlet~my-project.cfg.json

Additionally, this should be already set if you are running in "Production Ready" mode.

Esteban Bustamante

snowwhite92 · 7/19/23

@EstebanBustamante I have other sites running in same environment(Multitenancy). Some of the sites are old and i think they might be fetching text from backend apis. How important is it to have text and XML enabled? is there a work around to have a separate Sling GET Servlet for this project and leave the text and xml enable for other sites?

EstebanBustamante · 7/19/23

This is part of the security checklist that you should go through in a production env, you can learn more from the links I pasted below, it mentions that only JSON is critical for internal operations, so you should be good. The other renders must be disabled by extra security measures.

https://sling.apache.org/documentation/bundles/rendering-content-default-get-servlets.html

https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security-checkl...