SOLVED

Cloud Manager DDOS - org.apache.sling.servlets.get.DefaultGetServlet~artifact-id.cfg.json

Level 3

Hi,

I'm trying to build a Production pipeline for Cloud Manager, but the "Sling default GET servlet is protected from DOS attacks" check is failing. In the log it's asking me to disable html and text for the Sling default GET servlet. I have created a file under ui.config/src/main/content/jcr_root/apps/my-project/osgiconfig/config/org.apache.sling.servlets.get.DefaultGetServlet~my-project.cfg.json to disable html, txt and xml, but the pipeline is still failing with the same error in Summary and Log.

These are the contents of the file.

{
    "enable.html": false,
    "enable.txt": false,
    "enable.xml": false,
    "json.maximumresults": 200
}

I checked in ConfigMgr; html, text and xml are enabled. I thought creating this file would change the ConfigMgr entry for the Sling GET Servlet. Does anyone have any idea how I can change the config without ConfigMgr?


6 Replies

Community Advisor

Hi @snowwhite92

Can you share the exact log of the build failure?

Thanks,

Kiran Vedantam

Level 3

@Kiran_Vedantam here is the log.

Sling Get Servlet - Failed
    WARN - The default plain text renderer is enabled.
    WARN - The default XML renderer is enabled.

Community Advisor

The problem is that you are creating a new config for the Apache Sling GET servlet, which is wrong because it is not a factory; instead, you should configure the instance which is available by default. That being said, you just need to rename your config file to

org.apache.sling.servlets.get.DefaultGetServlet.cfg.json

instead of

org.apache.sling.servlets.get.DefaultGetServlet~my-project.cfg.json

Additionally, this should already be set if you are running in "Production Ready" mode.


Esteban Bustamante
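As an added illustration (not code from this thread, from Adobe or from the Sling project): a small pre-flight check you can run over a ui.config package before pushing to Cloud Manager. It flags the filename mistake described above (a `~suffix` on the DefaultGetServlet PID, which is not a factory configuration, so the suffixed file creates a second config that the servlet never reads) and any renderer the file still leaves enabled. The PID and the `enable.*` property names are those from the thread; the directory layout, the function names and the constructed sample inputs in the test are assumptions.

```python
import json
import re
from pathlib import Path

# PID and property names as discussed in the thread. This component is a
# singleton, so a "~name" suffix would create a second, unused configuration.
SLING_GET_PID = "org.apache.sling.servlets.get.DefaultGetServlet"
RENDERER_KEYS = ("enable.html", "enable.txt", "enable.xml")
# <pid>.cfg.json or <pid>~<name>.cfg.json
NAME_RE = re.compile(r"([\w.]+?)(~[\w-]+)?\.cfg\.json")


def check_config_file(name, content):
    """Return a list of findings for one OSGi cfg.json file (empty list = OK)."""
    m = NAME_RE.fullmatch(name)
    if not m:
        return [f"{name}: not a cfg.json file name"]
    pid, suffix = m.group(1), m.group(2)
    if pid != SLING_GET_PID:
        return []  # only the Sling GET servlet config is checked here
    findings = []
    if suffix:
        findings.append(
            f"{name}: {pid} is not a factory configuration; rename the file to {pid}.cfg.json"
        )
    try:
        cfg = json.loads(content)
    except json.JSONDecodeError as exc:
        return findings + [f"{name}: invalid JSON ({exc.msg})"]
    for key in RENDERER_KEYS:
        value = cfg.get(key, True)  # a missing key leaves the renderer at its default (enabled)
        # accept the JSON boolean as well as the string form the OSGi converter coerces
        if not (value is False or str(value).lower() == "false"):
            findings.append(f"{name}: {key} is still enabled")
    return findings


def scan_osgi_config_dir(directory):
    """Check every *.cfg.json in an osgiconfig/config directory (assumed layout)."""
    results = {}
    for path in sorted(Path(directory).glob("*.cfg.json")):
        findings = check_config_file(path.name, path.read_text(encoding="utf-8"))
        if findings:
            results[path.name] = findings
    return results


if __name__ == "__main__":
    import sys
    for _, issues in scan_osgi_config_dir(sys.argv[1]).items():
        print("\n".join(issues))
```

Run it as `python check_sling_get.py ui.config/src/main/content/jcr_root/apps/my-project/osgiconfig/config`; an empty output means the file is named for the singleton PID and all three renderers are off.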

Level 3

@EstebanBustamante I have other sites running in the same environment (multitenancy). Some of the sites are old and I think they might be fetching text from backend APIs. How important is it to have text and XML enabled? Is there a workaround to have a separate Sling GET Servlet for this project and leave text and xml enabled for the other sites?

Correct answer by
Community Advisor

This is part of the security checklist that you should go through in a production env; you can learn more from the links I pasted below. It mentions that only JSON is critical for internal operations, so you should be good. The other renderers must be disabled by extra security measures.

https://sling.apache.org/documentation/bundles/rendering-content-default-get-servlets.html 

https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security-checkl...
Esteban Bustamante

Employee Advisor

No, the Sling GET Servlet configuration is global, and not site-dependent.

But "fetching text from backend APIs" as I understand it (AEM is reaching out to some other backend system) is not using the Sling GET Servlet code.