Adobe Experience Manager Sites & More

tushaar_srivastava · 20/01/2020

Hi,

End users are able to access jcr:content.json URL, which exposes additional metadata about the page.

jcr:content.json URL can be disabled on publisher instance.

Can you please help me to get the best way to restrict the end user to access jcr:content.json URL, and overcome from this issue at global level.

@kautuk_sahni @arunpatidar

arunpatidar · 20/01/2020

Hi,

You should always do white listing not black listing of allowed pattern. That means deny everything first and allow whatever is needed e.g.

/0001 { /type "deny" /url "*" }
/0017 { /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' }

/0401 { /type "allow" /url "/libs/granite/dispatcher/content/vanityUrls.html"}
/0410 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/myApp/*" }

.... other rules

In your case you can deny jcr:content by using one of the below rule

/0402 { /type "deny" /extension 'json' /path "*(jcr:content|_jcr_content)*" }

/0403 { /type "deny"  /extension 'json' "*_jcr_content.json*" }
/0404 { /type "deny"  /extension 'json' "*jcr:content.json*" }

Arun Patidar

Voir la solution dans l'envoi d'origine

arunpatidar · 20/01/2020

Hi,

You should always do white listing not black listing of allowed pattern. That means deny everything first and allow whatever is needed e.g.

/0001 { /type "deny" /url "*" }
/0017 { /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' }

/0401 { /type "allow" /url "/libs/granite/dispatcher/content/vanityUrls.html"}
/0410 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/myApp/*" }

.... other rules

In your case you can deny jcr:content by using one of the below rule

/0402 { /type "deny" /extension 'json' /path "*(jcr:content|_jcr_content)*" }

/0403 { /type "deny"  /extension 'json' "*_jcr_content.json*" }
/0404 { /type "deny"  /extension 'json' "*jcr:content.json*" }

Arun Patidar

tushaar_srivastava · 20/01/2020

Thank you, I am very new to this concept, could you please help me where should we keep the deny or allow url rule? in dispatcher?

arunpatidar · 21/01/2020

you need to do this inside filter section, check Configuring Access to Content section at https://docs.adobe.com/content/help/en/experience-manager-dispatcher/using/configuring/dispatcher-co...

Arun Patidar

chaganti · 03/11/2022

Hi Arun,

Thanks for your blogs.

we need one more help.

we are observing some images are giving 422 error. we are using Akamai CDN and also using Image Manager in Akamai.

when we access any image paths it is throwing 422 error. when we check the developer console. first the request is going to https and from https to http. because of changing protocol schema we are getting 422 error.

could you please help us how to resolve this in dispatcher?

arunpatidar · 03/11/2022

Can you check if there are apache/dispatcher configuration?

Adobe Experience Manager Sites & More

Disable jcr:content.json from URL on publisher instance in AEM

Arun Patidar

Arun Patidar

Arun Patidar

Arun Patidar

Formation

Documentation

Événements

Communauté

Assistance

Ressources

Compte Adobe

Adobe