Configuration issue in dispatcher.any | Community
Level 2
October 19, 2016
Solved

  • 2 replies
  • 1605 views

Hi everyone,

I created a servlet with the following annotation.

sling.servlet.methods=POST

sling.servlet.paths=/bin/myservlet

It works on the author and publish instances, but when I access the servlet from the web server, access to /bin/* is denied. This is because of the default configuration comment on the /bin/* directory.

# /0022 { /type "allow" /url "/bin/*" }

As I checked in the online documentation (see the link below), it says there can be a security impact from removing the #. Could you please advise what the security impact could be? Can I open it on production servers?

Thanks in advance.

EXAMPLE /FILTER SECTION
https://docs.adobe.com/docs/en/dispatcher/disp-config.html

2 replies

Singaiah_Chintalapudi
Level 7
October 19, 2016

james_xu wrote...

Hi everyone,

I created a servlet with the following annotation.

sling.servlet.methods=POST

sling.servlet.paths=/bin/myservlet

It works on the author and publish instances, but when I access the servlet from the web server, access to /bin/* is denied. This is because of the default configuration comment on the /bin/* directory.

# /0022 { /type "allow" /url "/bin/*" }

As I checked in the online documentation (see the link below), it says there can be a security impact from removing the #. Could you please advise what the security impact could be? Can I open it on production servers?

Thanks in advance.

EXAMPLE /FILTER SECTION
https://docs.adobe.com/docs/en/dispatcher/disp-config.html

Use selectors/extensions instead of paths in your servlet. 

joerghoh
Adobe Employee
Accepted solution
October 19, 2016

Hi,

the reason behind the rule to disallow access to /bin is that there are some servlets bound to /bin (like /bin/wcmcommand) which are solely used on author but not on publish. These are commands which are not bound to selectors or resourcetypes, as they provide rather generic services.

Unless you provide such generic services (you probably don't), don't bind such servlets to a path, but rather to a resourcetype or a selector. See my blog post [1] for some more details.

Jörg

[1] https://cqdump.wordpress.com/2015/03/23/aem-coding-best-practice-servlets/
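
A simplified model of the filter behaviour discussed in this thread, added here as an illustration and not code from the original posts or from Adobe: it compares enabling the commented-out /bin/* rule with a narrow rule for a servlet bound to a resource type and selector. The fnmatch-based matching, the base rules, the selector name `myaction` and the /content paths are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Simplified model (assumption) of the dispatcher /filter section: rules are
# evaluated top to bottom and the LAST rule that matches the request decides.
# Each tuple is (type, method or None for any method, /url glob).
BASE = [
    ("deny", None, "*"),                # deny everything first
    ("allow", "GET", "/content/*"),     # constructed rule for normal page delivery
]

# Variant 1: the commented-out rule from the question, enabled.
OPEN_BIN = BASE + [("allow", None, "/bin/*")]

# Variant 2: servlet bound to a resource type plus selector (hypothetical
# selector "myaction"), so one narrow rule is enough and /bin stays closed.
NARROW = BASE + [("allow", "POST", "/content/*.myaction.json")]

# Constructed sample requests; /bin/wcmcommand is the author-only servlet
# named in the accepted answer.
REQUESTS = [
    ("POST", "/bin/myservlet"),
    ("POST", "/bin/wcmcommand"),
    ("GET", "/content/site/en.html"),
    ("POST", "/content/site/en/form.myaction.json"),
]

def decide(rules, method, url):
    """Return 'allow' or 'deny' for one request; the last matching rule wins."""
    verdict = "deny"
    for rule_type, rule_method, rule_url in rules:
        if rule_method not in (None, method):
            continue  # rule is restricted to a different HTTP method
        if fnmatchcase(url, rule_url):
            verdict = rule_type
    return verdict

def exposed(rules, requests=REQUESTS):
    """List the sample requests that the rule set lets through to publish."""
    return [(m, u) for m, u in requests if decide(rules, m, u) == "allow"]

if __name__ == "__main__":
    for name, rules in (("allow /bin/*", OPEN_BIN), ("narrow rule", NARROW)):
        print(name)
        for method, url in exposed(rules):
            print("   reaches publish:", method, url)
```

With the /bin/* rule enabled, the request to /bin/wcmcommand is let through together with /bin/myservlet; with the narrow rule only the selector-addressed POST is.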