Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

Disable jcr:content.json from URL on publisher instance in AEM

Avatar

Level 6

Hi,

End users are able to access jcr:content.json URL, which exposes additional metadata about the page.
jcr:content.json URL can be disabled on publisher instance.
 
Can you please help me to get the best way to restrict the end user to access jcr:content.json URL, and overcome from this issue at global level.
 
1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hi,

You should always do white listing not black listing of allowed pattern. That means deny everything first and allow whatever is needed e.g.

/0001 { /type "deny" /url "*" }
/0017 { /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' }

/0401 { /type "allow" /url "/libs/granite/dispatcher/content/vanityUrls.html"}
/0410 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/myApp/*" }

.... other rules

 

 

In your case you can deny jcr:content by using one of the below rule

/0402 { /type "deny" /extension 'json' /path "*(jcr:content|_jcr_content)*" }

/0403 { /type "deny"  /extension 'json' "*_jcr_content.json*" }
/0404 { /type "deny"  /extension 'json' "*jcr:content.json*" }
 

 



Arun Patidar

View solution in original post

5 Replies

Avatar

Correct answer by
Community Advisor

Hi,

You should always do white listing not black listing of allowed pattern. That means deny everything first and allow whatever is needed e.g.

/0001 { /type "deny" /url "*" }
/0017 { /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' }

/0401 { /type "allow" /url "/libs/granite/dispatcher/content/vanityUrls.html"}
/0410 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/myApp/*" }

.... other rules

 

 

In your case you can deny jcr:content by using one of the below rule

/0402 { /type "deny" /extension 'json' /path "*(jcr:content|_jcr_content)*" }

/0403 { /type "deny"  /extension 'json' "*_jcr_content.json*" }
/0404 { /type "deny"  /extension 'json' "*jcr:content.json*" }
 

 



Arun Patidar

Avatar

Level 6
Thank you, I am very new to this concept, could you please help me where should we keep the deny or allow url rule? in dispatcher?

Avatar

Level 1

Hi Arun,

 

Thanks for your blogs.

 

we need one more help.

we are observing some images are giving 422 error. we are using Akamai CDN and also using Image Manager in Akamai.

 

when we access any image paths it is throwing 422 error. when we check the developer console. first the request is going to https and from https to http. because of changing protocol schema we are getting 422 error.

 

could you please help us how to resolve this in dispatcher?

 

 

Avatar

Community Advisor

Can you check if there are apache/dispatcher configuration?



Arun Patidar