
SOLVED

Configuration issue in dispatcher.any

Hi everyone,

I created a servlet with the following annotation.

sling.servlet.methods=POST

sling.servlet.paths= /bin/myservlet

It works on the author and publish instances, but when I access the servlet through the web server, access to /bin/* is denied. This is because the rule for the /bin/* directory is commented out in the default configuration.

# /0022 { /type "allow" /url  "/bin/*" }  

According to the online documentation (see the link below), removing the # can have a security impact. Could you please advise what the security impact could be? Can I open it on production servers?

Thanks in advance.

EXAMPLE /FILTER SECTION

 

https://docs.adobe.com/docs/en/dispatcher/disp-config.html

1 Accepted Solution

Correct answer by
Employee Advisor

Hi,

the reason behind the rule to disallow access to /bin is that there are some servlets bound to /bin (like /bin/wcmcommand) which are solely used on author but not on publish. These are commands which are not bound to selectors or resourcetypes, as they provide rather generic services.

Unless you provide such generic services (you probably don't), don't bind such servlets to a path, but rather to a resourcetype or a selector. See my blog post [1] for some more details.

Jörg

[1] https://cqdump.wordpress.com/2015/03/23/aem-coding-best-practice-servlets/
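
Added example (not part of the answer above or of the linked blog post): a POST servlet registered by resource type and selector instead of by a path under /bin. The package, class name, resource type `myproject/components/feedback`, selector `submit` and the `message` parameter are assumptions made for illustration.

```java
package com.example.core.servlets; // hypothetical package

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;

@Component(
    service = Servlet.class,
    property = {
        // Bound to a resource type (assumed name), not to sling.servlet.paths=/bin/...
        "sling.servlet.resourceTypes=myproject/components/feedback",
        // Only requests carrying this selector and extension reach the servlet.
        "sling.servlet.selectors=submit",
        "sling.servlet.extensions=json",
        "sling.servlet.methods=POST"
    })
public class FeedbackSubmitServlet extends SlingAllMethodsServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        // Sling resolved a repository resource with the caller's session before
        // dispatching here, so the ACLs on that resource have already been applied.
        // A path-bound servlet gets no such check from the repository.
        String message = request.getParameter("message"); // assumed form field
        if (message == null || message.trim().isEmpty()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "message is required");
            return;
        }
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write("{\"status\":\"ok\"}");
    }
}
```

A component of that resource type at, say, /content/mysite/en/contact/jcr:content/feedback (constructed path) is then called with a POST to /content/mysite/en/contact/jcr:content/feedback.submit.json. The /bin/* rule in dispatcher.any can stay commented out, and the dispatcher filter only has to permit that content URL.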


2 Replies

Community Advisor

james_xu wrote...

Hi everyone,

I created a servlet with the following annotation.

sling.servlet.methods=POST

sling.servlet.paths= /bin/myservlet

It works on the author and publish instances, but when I access the servlet through the web server, access to /bin/* is denied. This is because the rule for the /bin/* directory is commented out in the default configuration.

# /0022 { /type "allow" /url  "/bin/*" }  

According to the online documentation (see the link below), removing the # can have a security impact. Could you please advise what the security impact could be? Can I open it on production servers?

Thanks in advance.

EXAMPLE /FILTER SECTION

 

https://docs.adobe.com/docs/en/dispatcher/disp-config.html

 

Use selectors/extensions instead of paths in your servlet. 
