Adobe Experience Manager Sites & More

tushaar_srivastava · 1/20/20

Hi,

End users are able to access jcr:content.json URL, which exposes additional metadata about the page.

jcr:content.json URL can be disabled on publisher instance.

Can you please help me to get the best way to restrict the end user to access jcr:content.json URL, and overcome from this issue at global level.

@kautuk_sahni @arunpatidar

arunpatidar · 1/20/20

Hi,

You should always do white listing not black listing of allowed pattern. That means deny everything first and allow whatever is needed e.g.

/0001 { /type "deny" /url "*" }
/0017 { /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' }

/0401 { /type "allow" /url "/libs/granite/dispatcher/content/vanityUrls.html"}
/0410 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/myApp/*" }

.... other rules

In your case you can deny jcr:content by using one of the below rule

/0402 { /type "deny" /extension 'json' /path "*(jcr:content|_jcr_content)*" }

/0403 { /type "deny"  /extension 'json' "*_jcr_content.json*" }
/0404 { /type "deny"  /extension 'json' "*jcr:content.json*" }

Arun Patidar

View solution in original post

arunpatidar · 1/20/20

Hi,

You should always do white listing not black listing of allowed pattern. That means deny everything first and allow whatever is needed e.g.

/0001 { /type "deny" /url "*" }
/0017 { /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' }

/0401 { /type "allow" /url "/libs/granite/dispatcher/content/vanityUrls.html"}
/0410 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/myApp/*" }

.... other rules

In your case you can deny jcr:content by using one of the below rule

/0402 { /type "deny" /extension 'json' /path "*(jcr:content|_jcr_content)*" }

/0403 { /type "deny"  /extension 'json' "*_jcr_content.json*" }
/0404 { /type "deny"  /extension 'json' "*jcr:content.json*" }

Arun Patidar

tushaar_srivastava · 1/20/20

Thank you, I am very new to this concept, could you please help me where should we keep the deny or allow url rule? in dispatcher?

arunpatidar · 1/21/20

you need to do this inside filter section, check Configuring Access to Content section at https://docs.adobe.com/content/help/en/experience-manager-dispatcher/using/configuring/dispatcher-co...

Arun Patidar

chaganti · 11/3/22

Hi Arun,

Thanks for your blogs.

we need one more help.

we are observing some images are giving 422 error. we are using Akamai CDN and also using Image Manager in Akamai.

when we access any image paths it is throwing 422 error. when we check the developer console. first the request is going to https and from https to http. because of changing protocol schema we are getting 422 error.

could you please help us how to resolve this in dispatcher?

arunpatidar · 11/3/22

Can you check if there are apache/dispatcher configuration?

Adobe Experience Manager Sites & More

Disable jcr:content.json from URL on publisher instance in AEM

Arun Patidar

Arun Patidar

Arun Patidar

Arun Patidar

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe