disallow post calls to the dam for unauthenticated users | Community
Skip to main content
C
chandanaa9
Level 2
July 24, 2023
Solved

disallow post calls to the dam for unauthenticated users

  • July 24, 2023
  • 3 replies
  • 1005 views

Hi ,  i want to see if there are any defaults to disallow post calls to the dam for unauthenticated users or even a way to override the generic error message like "org.apache.sling.api.PersistenceException error message:Resource at content/dam/example .json is not modifiable" , where the sensitive information like path is disclosed and i want to override that with much more custom generic error message.  any suggestion on how i could do that?

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by Nishant-Singh

@chandanaa9 

 

To achieve your goal of overriding the generic error message and disallowing POST calls to the DAM for unauthenticated users, you can use a Sling filter with a defined scope.

Here's how you can approach it:

  1. Create a Sling Filter: First, create a Java class that implements the javax.servlet.Filter interface. This class will contain the logic to intercept requests and responses. The filter should be registered as a service using the @Component annotation with specific properties to define its scope and ordering.

  2. Define the Scope: The scope of your filter should target the specific paths you want to handle. In your case, you want to handle requests to the DAM and potentially other paths. For example, you can define the scope with the sling.filter.scope property set to REQUEST and use sling.filter.pattern to specify a path pattern to match DAM-related requests.

  3. Handle Unauthenticated Users: In the filter, check if the user making the request is authenticated or not. If the user is unauthenticated and the request is a POST request to the DAM, you can return a custom error response with an appropriate HTTP status code (e.g., 401 Unauthorized) and a generic error message.

  4. Override Error Messages: If an exception occurs during the processing of the request and the exception contains sensitive information like paths, catch it in the filter and override the error message with your custom generic error message. This way, you prevent exposing sensitive information to the client.

 

import org.apache.sling.api.SlingHttpServletRequest; import org.apache.sling.api.SlingHttpServletResponse; import org.apache.sling.api.servlets.SlingSafeMethodsServlet; import org.osgi.service.component.annotations.Component; import org.osgi.service.component.annotations.Reference; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import java.io.IOException; @Component(service = Filter.class, property = { "sling.filter.scope=REQUEST", "sling.filter.pattern=/content/dam/*" // Define the pattern to match DAM requests }) public class CustomErrorFilter implements Filter { @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { // Check authentication status of the user (implement your authentication logic here) if (isUserAuthenticated(request)) { chain.doFilter(request, response); } else { // Handle unauthenticated users trying to POST to the DAM if (request instanceof SlingHttpServletRequest) { SlingHttpServletRequest slingRequest = (SlingHttpServletRequest) request; if ("POST".equals(slingRequest.getMethod()) && slingRequest.getRequestPathInfo().getResourcePath().startsWith("/content/dam/")) { // Return a custom error response for unauthenticated users ((SlingHttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED, "You must be authenticated to perform this action."); return; } } } // Continue with the request processing chain.doFilter(request, response); } private boolean isUserAuthenticated(ServletRequest request) { // Implement your authentication logic here // Return true if the user is authenticated, false otherwise // You can use request.getSession(false) to check the session for authentication state // You may also consider using a framework like Apache Sling's AuthResolver or AEM's Authentication Sudo Support // to handle authentication checks. return false; } @Override public void init(FilterConfig filterConfig) throws ServletException { // Initialization code if needed } @Override public void destroy() { // Cleanup code if needed } }

 

3 replies

DPrakashRaj
Community Advisor
DPrakashRajCommunity Advisor
Community Advisor
July 25, 2023

You can only allow the get call to /content/dam folder by dispatcher filter rules not sure on unauthentic user

    Nishant-Singh
    Adobe Employee
    Nishant-SinghAdobe EmployeeAccepted solution
    Adobe Employee
    July 25, 2023

    @chandanaa9 

     

    To achieve your goal of overriding the generic error message and disallowing POST calls to the DAM for unauthenticated users, you can use a Sling filter with a defined scope.

    Here's how you can approach it:

    1. Create a Sling Filter: First, create a Java class that implements the javax.servlet.Filter interface. This class will contain the logic to intercept requests and responses. The filter should be registered as a service using the @Component annotation with specific properties to define its scope and ordering.

    2. Define the Scope: The scope of your filter should target the specific paths you want to handle. In your case, you want to handle requests to the DAM and potentially other paths. For example, you can define the scope with the sling.filter.scope property set to REQUEST and use sling.filter.pattern to specify a path pattern to match DAM-related requests.

    3. Handle Unauthenticated Users: In the filter, check if the user making the request is authenticated or not. If the user is unauthenticated and the request is a POST request to the DAM, you can return a custom error response with an appropriate HTTP status code (e.g., 401 Unauthorized) and a generic error message.

    4. Override Error Messages: If an exception occurs during the processing of the request and the exception contains sensitive information like paths, catch it in the filter and override the error message with your custom generic error message. This way, you prevent exposing sensitive information to the client.

     

    import org.apache.sling.api.SlingHttpServletRequest; import org.apache.sling.api.SlingHttpServletResponse; import org.apache.sling.api.servlets.SlingSafeMethodsServlet; import org.osgi.service.component.annotations.Component; import org.osgi.service.component.annotations.Reference; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import java.io.IOException; @Component(service = Filter.class, property = { "sling.filter.scope=REQUEST", "sling.filter.pattern=/content/dam/*" // Define the pattern to match DAM requests }) public class CustomErrorFilter implements Filter { @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { // Check authentication status of the user (implement your authentication logic here) if (isUserAuthenticated(request)) { chain.doFilter(request, response); } else { // Handle unauthenticated users trying to POST to the DAM if (request instanceof SlingHttpServletRequest) { SlingHttpServletRequest slingRequest = (SlingHttpServletRequest) request; if ("POST".equals(slingRequest.getMethod()) && slingRequest.getRequestPathInfo().getResourcePath().startsWith("/content/dam/")) { // Return a custom error response for unauthenticated users ((SlingHttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED, "You must be authenticated to perform this action."); return; } } } // Continue with the request processing chain.doFilter(request, response); } private boolean isUserAuthenticated(ServletRequest request) { // Implement your authentication logic here // Return true if the user is authenticated, false otherwise // You can use request.getSession(false) to check the session for authentication state // You may also consider using a framework like Apache Sling's AuthResolver or AEM's Authentication Sudo Support // to handle authentication checks. return false; } @Override public void init(FilterConfig filterConfig) throws ServletException { // Initialization code if needed } @Override public void destroy() { // Cleanup code if needed } }

     

      joerghoh
      Adobe Employee
      joerghohAdobe Employee
      Adobe Employee
      July 28, 2023

      You cannot "disallow" (prevent) the POST calls, but by a proper permission setup you can enforce that anonymous users cannot perform any changes (and such a setup is default on both AEM publish and author).

       

      Changing the error message is not directly possible, and AFAIK it is hardwired into the Sling Post Servlet. Overriding it with a custom filter might work.

        Terms & ConditionsAccessibility statement

        Loading footer...