Expand my Community achievements bar.

Learn about Edge Delivery Services in upcoming GEM session
Register!
SOLVED

Disable jcr:content.json from URL on publisher instance in AEM

Avatar

Level 6
Level 6
1/20/20 1:01:42 AM

Hi,

End users are able to access jcr:content.json URL, which exposes additional metadata about the page.
jcr:content.json URL can be disabled on publisher instance.
 
Can you please help me to get the best way to restrict the end user to access jcr:content.json URL, and overcome from this issue at global level.
 

Views

4.3K

Replies

5
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
1/20/20 1:48:51 AM

Hi,

You should always do white listing not black listing of allowed pattern. That means deny everything first and allow whatever is needed e.g.

/0001 { /type "deny" /url "*" }
/0017 { /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' }

/0401 { /type "allow" /url "/libs/granite/dispatcher/content/vanityUrls.html"}
/0410 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/myApp/*" }

.... other rules

 

 

In your case you can deny jcr:content by using one of the below rule

/0402 { /type "deny" /extension 'json' /path "*(jcr:content|_jcr_content)*" }

/0403 { /type "deny"  /extension 'json' "*_jcr_content.json*" }
/0404 { /type "deny"  /extension 'json' "*jcr:content.json*" }
 

 



Arun Patidar

View solution in original post

Views

4.3K

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
5 Replies

Avatar

Correct answer by
Community Advisor
Community Advisor
1/20/20 1:48:51 AM

Hi,

You should always do white listing not black listing of allowed pattern. That means deny everything first and allow whatever is needed e.g.

/0001 { /type "deny" /url "*" }
/0017 { /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' }

/0401 { /type "allow" /url "/libs/granite/dispatcher/content/vanityUrls.html"}
/0410 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/myApp/*" }

.... other rules

 

 

In your case you can deny jcr:content by using one of the below rule

/0402 { /type "deny" /extension 'json' /path "*(jcr:content|_jcr_content)*" }

/0403 { /type "deny"  /extension 'json' "*_jcr_content.json*" }
/0404 { /type "deny"  /extension 'json' "*jcr:content.json*" }
 

 



Arun Patidar

Views

4.3K

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 6
Level 6
1/20/20 9:42:46 PM
In response to arunpatidar
Thank you, I am very new to this concept, could you please help me where should we keep the deny or allow url rule? in dispatcher?

Views

4.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 1
Level 1
11/3/22 12:45:09 AM
In response to arunpatidar

Hi Arun,

 

Thanks for your blogs.

 

we need one more help.

we are observing some images are giving 422 error. we are using Akamai CDN and also using Image Manager in Akamai.

 

when we access any image paths it is throwing 422 error. when we check the developer console. first the request is going to https and from https to http. because of changing protocol schema we are getting 422 error.

 

could you please help us how to resolve this in dispatcher?

 

 

Views

1.3K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
11/3/22 6:41:07 AM
In response to chaganti

Can you check if there are apache/dispatcher configuration?



Arun Patidar

Views

1.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate