Adobe Experience Manager Sites & More

Mahesh_Gunaje · 3/20/24

Hello Team,

I wanted to know the difference between these configurations.

Adobe Granite Cross-Origin Resource Sharing Policy, Apache Sling Referrer Filter

Thanks

TarunKumar · 3/20/24

Referrer-header configurations:

This is to allow the trusted servers, AEM has a referrer filter that can be configured.
In config manager, we have a configuration called “Apache Sling Referrer Filter“. This has below configs

which http methods should be filtered
whether an empty referrer header is allowed
a white list of servers to be allowed in addition to the server host.

Adobe Granite Cross Origin Resource Sharing Policy:
Adobe Experience Manager’s Cross-Origin Resource Sharing (CORS) facilitates non-AEM web properties to make client-side calls to AEM, both authenticated and unauthenticated, to fetch content or directly interact with AEM.

In addition to these two, one can implement Cross origin request sharing by using JSONP calls/ manipulating Access-Control-Allow-Origin in request header.

AEM 6.3 has introduced Cross-Origin Resource sharing configuration that allows authenticated and unauthenticated client side calls. This has configuration for allowed methods (POST,GET,DELETE.etc.,)

Thanks
Tarun

View solution in original post

TarunKumar · 3/20/24

HI @Mahesh_Gunaje ,

Referrer-header configurations:

This is to allow the trusted servers, AEM has a referrer filter that can be configured.
In config manager, we have a configuration called “Apache Sling Referrer Filter“. This has below configs

which http methods should be filtered
whether an empty referrer header is allowed
a white list of servers to be allowed in addition to the server host.

Adobe Granite Cross Origin Resource Sharing Policy:
Adobe Experience Manager’s Cross-Origin Resource Sharing (CORS) facilitates non-AEM web properties to make client-side calls to AEM, both authenticated and unauthenticated, to fetch content or directly interact with AEM.

In addition to these two, one can implement Cross origin request sharing by using JSONP calls/ manipulating Access-Control-Allow-Origin in request header.

AEM 6.3 has introduced Cross-Origin Resource sharing configuration that allows authenticated and unauthenticated client side calls. This has configuration for allowed methods (POST,GET,DELETE.etc.,)

Thanks
Tarun

Mahesh_Gunaje · 3/20/24

Hi @TarunKumar

I am bit confused.

Apache Sling Referrer Filter Configuration.

which http methods should be filtered: I can see POST, PUT, DELETE methods. So, what this does?

For example: Using Assets Http API, I have created API for GET, Post methods. So that www.restapp.com can consume my Post, GET calls to do some stuff.

So, I need to do below mentioned steps:

1: Go to Adobe Granite Cross-Origin Resource Sharing Policy configuration.

Mention: www.restapp.com under "Allowed Origins" section. Allowed methods: GET, POST.

Query is : Do I need to add any configuration for Apache Sling Referrer Filter??

Next time, I will allow www.angularapp.com to access my same GET, POST api. In this case, I need to add once more entry for Adobe Granite Cross-Origin Resource Sharing Policy configuration.

Whats the role of "Allow Hosts" under: Apache Sling Referrer Filter

Mahesh_Gunaje · 3/21/24

Hey @TarunKumar

One more query. Consider this scenario:

I have created ASSET http API. Its GET method only. Now, 3rd party Spring boot application will use my GET API from their java logic. Now, what minimum configuration, I need to do? I assume CORS setting is not required. Since, 3rd party application uses backend java logic to hit my API.