Hi,
I'm trying to build a production pipeline for Cloud Manager, but the "Sling default GET servlet is protected from DOS attacks" check is failing. In the log it asks me to disable html and text for the Sling default GET servlet. I have created a file under ui.config/src/main/content/jcr_root/apps/my-project/osgiconfig/config/org.apache.sling.servlets.get.DefaultGetServlet~my-project.cfg.json to disable html, txt and xml, but the pipeline is still failing with the same error in Summary and Log.
These are the contents of the file.
{
  "enable.html": "false",
  "enable.txt": "false",
  "enable.xml": "false",
  "json.maximumresults": "200"
}
I checked in configMgr; html, text and xml are enabled. I thought creating this file would change the configMgr entry for the Sling GET Servlet. Does anyone have any idea how I can change the config without ConfigMgr?
This is part of the security checklist that you should go through in a production env. You can learn more from the link I pasted below; it mentions that only JSON is critical for internal operations, so you should be good. The other renderers must be disabled by extra security measures.
https://sling.apache.org/documentation/bundles/rendering-content-default-get-servlets.html
@Kiran_Vedantam here is the log.
Sling Get Servlet - Failed
WARN - The default plain text renderer is enabled.
WARN - The default XML renderer is enabled.
The problem is that you are creating a new config for the Apache Sling GET servlet, which is wrong because it is not a factory. Instead, you should configure the instance which is available by default. That being said, you just need to rename your config file to
org.apache.sling.servlets.get.DefaultGetServlet.cfg.json
instead of
org.apache.sling.servlets.get.DefaultGetServlet~my-project.cfg.json
Additionally, this should be already set if you are running in "Production Ready" mode.
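To make the naming point above checkable before a pipeline run, here is a small lint script. It is an added example written for this thread, not code from the thread, from Adobe or from Apache Sling. It assumes a ui.config layout like the one in the question (osgiconfig/config*/ directories holding *.cfg.json files), that org.apache.sling.servlets.get.DefaultGetServlet is a singleton (non-factory) component, so a "~name" suffix in the file name is a mistake, and that the three renderers named in the Cloud Manager log (html, txt, xml) must be set to false. It accepts the string "false" as well as a JSON boolean, because the answer attributes the failure to the file name, not to the value type. The sample directory tree it lints is constructed inside the script.

```python
"""Lint AEM ui.config OSGi config files for the DefaultGetServlet hardening
that the Cloud Manager "Sling Get Servlet" check looks for.

Added example for this thread; assumptions (mine, not from the page):
- configs live under osgiconfig/config*/ as <PID>.cfg.json or <PID>~<name>.cfg.json
- DefaultGetServlet is a singleton, so the '~<name>' form creates a useless factory config
- enable.html / enable.txt / enable.xml default to enabled and must be set to false
"""
import json
import tempfile
from pathlib import Path

SERVLET_PID = "org.apache.sling.servlets.get.DefaultGetServlet"
# Renderers flagged as WARN in the thread's Cloud Manager log.
RENDERER_KEYS = ("enable.html", "enable.txt", "enable.xml")


def is_false(value):
    """Accept the JSON boolean false and the string 'false' (both appear in real configs)."""
    return value is False or (isinstance(value, str) and value.strip().lower() == "false")


def lint_config_file(path: Path):
    """Return a list of finding strings for one *.cfg.json file (empty if it is fine)."""
    findings = []
    stem = path.name[: -len(".cfg.json")]
    pid, _, subname = stem.partition("~")
    if pid != SERVLET_PID:
        return findings  # not the servlet this lint cares about
    if subname:
        findings.append(
            f"{path.name}: '~{subname}' suffix creates a factory config, but "
            f"{SERVLET_PID} is a singleton; rename the file to {SERVLET_PID}.cfg.json"
        )
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except json.JSONDecodeError as exc:
        findings.append(f"{path.name}: invalid JSON ({exc})")
        return findings
    for key in RENDERER_KEYS:
        if key not in data:
            findings.append(f"{path.name}: {key} not set (renderer stays enabled by default)")
        elif not is_false(data[key]):
            findings.append(f"{path.name}: {key} is {data[key]!r}, expected false")
    return findings


def lint_tree(root: Path):
    """Lint every *.cfg.json below root (e.g. the osgiconfig directory)."""
    findings = []
    for path in sorted(root.rglob("*.cfg.json")):
        findings.extend(lint_config_file(path))
    return findings


def demo():
    """Constructed sample tree reproducing the situation in the question."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "osgiconfig" / "config"
        cfg.mkdir(parents=True)
        # The file from the question: factory-style name, string-typed values.
        (cfg / f"{SERVLET_PID}~my-project.cfg.json").write_text(json.dumps({
            "enable.html": "false", "enable.txt": "false",
            "enable.xml": "false", "json.maximumresults": "200"}))
        # The corrected file suggested in the answer: singleton PID, JSON booleans.
        (cfg / f"{SERVLET_PID}.cfg.json").write_text(json.dumps({
            "enable.html": False, "enable.txt": False,
            "enable.xml": False, "json.maximumresults": 200}))
        return lint_tree(cfg)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running it against a real project means calling lint_tree() on the osgiconfig directory of ui.config; the only finding the constructed sample produces is the factory-suffix one, which is exactly the mistake the answer identifies.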
@EstebanBustamante I have other sites running in the same environment (multitenancy). Some of the sites are old and I think they might be fetching text from backend APIs. How important is it to have text and XML enabled? Is there a workaround to have a separate Sling GET Servlet for this project and leave text and xml enabled for the other sites?
No, the Sling GET Servlet configuration is global, and not site-dependent.
But "fetching text from backend APIs" as I understand it (AEM is reaching out to some other backend system) is not using the Sling GET Servlet code.