Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

Configuration issue in dispatcher.any

Avatar

Level 2
Level 2
10/19/16 1:27:17 AM

Hi everyone,

I created a servlet with following annotation.

sling.servlet.methods=POST

sling.servlet.paths= /bin/myservlet

It works on author and publish instance, but while when I access the servlet from web server, the access to /bin/* is denied, it is because the default configuration comment on the /bin/* directory.

# /0022 { /type "allow" /url  "/bin/*" }  

As checked from online document (see below link), it says there can be security impact to remove #, could you please advise what could the security impact be? can I open it in production servers?

Thanks in advance.

EXAMPLE /FILTER SECTION

 

https://docs.adobe.com/docs/en/dispatcher/disp-config.html

Views

1.4K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee Advisor
Employee Advisor
10/19/16 1:20:58 PM

Hi,

the reason behind the rule to disallow access to /bin is that there are some servlets bound to /bin (like /bin/wcmcommand) which are solely used on author but not on publish. These are commands which are not bound to selectors or resourcetypes, as they provide rather generic services.

Unless you provide such generic services (you probably don't) don't bind such servlets to a path, but rather to a resourcetype or an selector. See my blog post [1] for some more details.

Jörg

[1] https://cqdump.wordpress.com/2015/03/23/aem-coding-best-practice-servlets/

View solution in original post

Views

941

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
2 Replies

Avatar

Community Advisor
Community Advisor
10/19/16 12:36:35 PM

james_xu wrote...

Hi everyone,

I created a servlet with following annotation.

sling.servlet.methods=POST

sling.servlet.paths= /bin/myservlet

It works on author and publish instance, but while when I access the servlet from web server, the access to /bin/* is denied, it is because the default configuration comment on the /bin/* directory.

# /0022 { /type "allow" /url  "/bin/*" }  

As checked from online document (see below link), it says there can be security impact to remove #, could you please advise what could the security impact be? can I open it in production servers?

Thanks in advance.

EXAMPLE /FILTER SECTION

 

https://docs.adobe.com/docs/en/dispatcher/disp-config.html

 

Use selectors/extensions instead of paths in your servlet. 

Views

1.0K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Employee Advisor
Employee Advisor
10/19/16 1:20:58 PM

Hi,

the reason behind the rule to disallow access to /bin is that there are some servlets bound to /bin (like /bin/wcmcommand) which are solely used on author but not on publish. These are commands which are not bound to selectors or resourcetypes, as they provide rather generic services.

Unless you provide such generic services (you probably don't) don't bind such servlets to a path, but rather to a resourcetype or an selector. See my blog post [1] for some more details.

Jörg

[1] https://cqdump.wordpress.com/2015/03/23/aem-coding-best-practice-servlets/

Views

942

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
RTE full options not appearing in minimized view AEM 6.5 cloud Solved

Views

163

Likes

0

Replies

4
How to migrate JTW to OAuth2 and use it in the Jenkins pipeline?

Views

55

Likes

0

Replies

3
I have a component based on show-hide in AEM. can any one help on this

Views

32

Likes

0

Replies

1
HTL tags issue

Views

66

Likes

0

Replies

4
Redirection Not working specific pages in Dispatcher server

Views

87

Likes

0

Replies

1