Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

Difference between Cross-Origin Resource Sharing Policy, Apache Sling Referrer Filter

Avatar

Level 8

Hello Team,

 

I wanted to know the difference between these configurations.

 

Adobe Granite Cross-Origin Resource Sharing Policy, Apache Sling Referrer Filter

 

Thanks

 

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

HI @Mahesh_Gunaje ,

Referrer-header configurations:

This is to allow the trusted servers, AEM has a referrer filter that can be configured.
In config manager, we have a configuration called “Apache Sling Referrer Filter“. This has below configs

  • which http methods should be filtered
  • whether an empty referrer header is allowed
  • a white list of servers to be allowed in addition to the server host.

Adobe Granite Cross Origin Resource Sharing Policy:
Adobe Experience Manager’s Cross-Origin Resource Sharing (CORS) facilitates non-AEM web properties to make client-side calls to AEM, both authenticated and unauthenticated, to fetch content or directly interact with AEM.

In addition to these two, one can implement Cross origin request sharing by using JSONP calls/ manipulating Access-Control-Allow-Origin in request header.

AEM 6.3 has introduced Cross-Origin Resource sharing configuration that allows authenticated and unauthenticated client side calls. This has configuration for allowed methods (POST,GET,DELETE.etc.,)


Thanks
Tarun

View solution in original post

4 Replies

Avatar

Correct answer by
Community Advisor

HI @Mahesh_Gunaje ,

Referrer-header configurations:

This is to allow the trusted servers, AEM has a referrer filter that can be configured.
In config manager, we have a configuration called “Apache Sling Referrer Filter“. This has below configs

  • which http methods should be filtered
  • whether an empty referrer header is allowed
  • a white list of servers to be allowed in addition to the server host.

Adobe Granite Cross Origin Resource Sharing Policy:
Adobe Experience Manager’s Cross-Origin Resource Sharing (CORS) facilitates non-AEM web properties to make client-side calls to AEM, both authenticated and unauthenticated, to fetch content or directly interact with AEM.

In addition to these two, one can implement Cross origin request sharing by using JSONP calls/ manipulating Access-Control-Allow-Origin in request header.

AEM 6.3 has introduced Cross-Origin Resource sharing configuration that allows authenticated and unauthenticated client side calls. This has configuration for allowed methods (POST,GET,DELETE.etc.,)


Thanks
Tarun

Avatar

Level 8

Hi @TarunKumar 

 

I am bit confused.

Apache Sling Referrer Filter Configuration.

which http methods should be filtered: I can see POST, PUT, DELETE methods. So, what this does?

For example: Using Assets Http API, I have created API for GET, Post methods. So that www.restapp.com can consume my Post, GET calls to do some stuff.

So, I need to do below mentioned steps:

1: Go to Adobe Granite Cross-Origin Resource Sharing Policy configuration.

Mention: www.restapp.com under "Allowed Origins" section. Allowed methods: GET, POST.

Query is : Do I need to add any configuration for Apache Sling Referrer Filter??

Next time, I will allow www.angularapp.com to access my same GET, POST api. In this case, I need to add once more entry for Adobe Granite Cross-Origin Resource Sharing Policy configuration.

Whats the role of  "Allow Hosts" under: Apache Sling Referrer Filter

Avatar

Level 8

Hey @TarunKumar 

 

One more query. Consider this scenario:

I have created ASSET http API. Its GET method only. Now, 3rd party Spring boot application will use my GET API from their java logic. Now, what minimum configuration, I need to do? I assume CORS setting is not required. Since, 3rd party application uses backend java logic to hit my API.