Disable jcr:content.json from URL on publisher instance in AEM

tushaar_srivastava
Level 2

20-01-2020

Hi,

End users are able to access the jcr:content.json URL, which exposes additional metadata about the page.
The jcr:content.json URL can be disabled on the publisher instance.

Can you please help me find the best way to restrict end users from accessing the jcr:content.json URL, and overcome this issue at a global level?
 
AEM publisher AEM6.3.0 disable url

Accepted Solutions (1)

Arun_Patidar
MVP

20-01-2020

Hi,

You should always whitelist allowed patterns, not blacklist. That means deny everything first and allow whatever is needed, e.g.

/0001 { /type "deny" /url "*" }
/0017 { /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' }

/0401 { /type "allow" /url "/libs/granite/dispatcher/content/vanityUrls.html"}
/0410 { /type "allow" /extension '(css|eot|gif|ico|jpeg|jpg|js|gif|pdf|png|svg|swf|ttf|woff|woff2|html)' /path "/content/myApp/*" }

.... other rules

 

 

In your case you can deny jcr:content by using one of the rules below:

/0402 { /type "deny" /extension 'json' /path "*(jcr:content|_jcr_content)*" }

/0403 { /type "deny" /extension 'json' /url "*_jcr_content.json*" }
/0404 { /type "deny" /extension 'json' /url "*jcr:content.json*" }
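
To confirm that a deny rule like the ones above is in effect, the following added example (not part of the original answer, and not Adobe code) requests both spellings of the node, `jcr:content` and `_jcr_content`, for each page through the dispatcher and reports any that still return JSON. The host name, page path and script name are placeholders.

```python
"""Added example: check that the dispatcher no longer serves jcr:content JSON."""
import sys
import urllib.error
import urllib.request

# The two spellings named in the rules above; Sling maps _jcr_content to jcr:content.
NODE_FORMS = ("jcr:content", "_jcr_content")


def build_probes(base_url, page_paths):
    """Return every <page>/<node form>.json URL to request through the dispatcher."""
    base = base_url.rstrip("/")
    probes = []
    for page in page_paths:
        page = "/" + page.strip("/")
        if page.endswith(".html"):
            page = page[: -len(".html")]
        probes.extend(f"{base}{page}/{form}.json" for form in NODE_FORMS)
    return probes


def is_exposed(status, content_type, body):
    """True when the response is a 200 that looks like JSON rather than a block page."""
    if status != 200:
        return False
    return "json" in (content_type or "").lower() or body.lstrip().startswith(b"{")


def fetch(url, timeout=10):
    """GET url and return (status, content type, first 4 KiB of body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "dispatcher-filter-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read(4096)
    except urllib.error.HTTPError as err:  # a 403/404 from the deny rule lands here
        return err.code, err.headers.get("Content-Type", ""), b""


def check(base_url, page_paths, fetcher=fetch):
    """Return the probe URLs that still expose jcr:content JSON."""
    return [u for u in build_probes(base_url, page_paths) if is_exposed(*fetcher(u))]


if __name__ == "__main__":
    # usage (placeholders): python check_jcr.py https://publish.example.com /content/myApp/en
    leaked = check(sys.argv[1], sys.argv[2:])
    for url in leaked:
        print("EXPOSED", url)
    sys.exit(1 if leaked else 0)
```

Run it against the dispatcher URL rather than the publish instance directly, since the filter only applies to requests that pass through the dispatcher.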
 

 
