Expand my Community achievements bar.

SOLVED

Dispatcher- publisher System/console is giving 500 error.

Avatar

Level 2

Hi -

I am trying to restrict system/console url in the publisher by applying the filter in the dispatcher something as below

/0001 { /type "deny" /glob "*" }

/0204 { /type "deny" /url "/system/*" }

But still, I am getting 500 error instead of the 404. Anybody have any idea what I am missing?

Configuring Dispatcher

1 Accepted Solution

Avatar

Correct answer by
Level 2

Ideally the deny everything rule should work. Below is a sample filters.any which works fine to deny access to any request to /system/*.

# Deny everything first and then allow specific entries

/0001 { /type "deny" /glob "*" }

# Open consoles

#     /0011 { /type "allow" /url "/admin/*"  }  # allow servlet engine admin

#     /0012 { /type "allow" /url "/crx/*"    }  # allow content repository

#     /0013 { /type "allow" /url "/system/*" }  # allow OSGi console

# Allow non-public content directories

#     /0021 { /type "allow" /url "/apps/*"   }  # allow apps access

#     /0022 { /type "allow" /url "/bin/*"    }

/0023 { /type "allow" /url "/content*" }  # disable this rule to allow mapped content only

#     /0024 { /type "allow" /url "/libs/*"   }

#     /0025 { /type "deny"  /url "/libs/shindig/proxy*" } # if you enable /libs close access to proxy

#     /0026 { /type "allow" /url "/home/*"   }

#     /0027 { /type "allow" /url "/tmp/*"    }

#     /0028 { /type "allow" /url "/var/*"    }

# Enable extensions in non-public content directories, using a regular expression

/0041

  {

  /type "allow"

  /extension '(clientlibs|css|gif|ico|js|png|swf|jpe?g|woff2?|ttf|txt)'

  }

# Enable features

/0062 { /type "allow" /url "/libs/cq/personalization/*"  }  # enable personalization

#CSRF Token:

/0088 { /type "allow" /path "/libs/granite/csrf/token" /method "GET" /extension "json" }

/0099 { /type "allow" /path "/libs/dam/viewers/*" /method "GET"}

Also in rewrite .conf add the path of 404 page like below

ErrorDocument 404 ${AEM_CONTENT_ROOT_PATH}/error/404.html

ErrorDocument 500 ${AEM_CONTENT_ROOT_PATH}/error/500.html

View solution in original post

3 Replies

Avatar

Level 10

Check if you can access the same url on publish directly w/o any error?

Could you share your dispatcher.any filter section?

Avatar

Level 2

Higauravb41175071 -

I tried to access publish domain with system/console and it is giving 500 error. Ideal case it should return 404.

Here is the content of the filter section file(please see highlighted below:

/0200 { /type "allow" /method "GET" /url "/bin/external*"   }

          /0201 { /type "allow" /url "/etc/designs/*" }

          /0202 { /type "allow" /url "/etc/dam/*" }

          /0203 { /type "allow" /url "/content/*" }

        /0204 { /type "deny" /url "/system/*" }

          /0205 { /type "allow" /url "/useradmin/*" }

          /0206 { /type "allow" /url "/crx/*" }

          /0207 { /type "allow" /url "/lib/*" }

          /0208 { /type "allow" /url "/bin/*" }

          /0209 { /type "allow" /url "/dotcom/*" }

          /0210 { /type "allow" /url "/etc/acs-commons/lists*" }

          /0212 { /type "allow" /method "POST" /url "/lp/*"}

          /0213 { /type "allow" /url "/system/sling/logout*"}

/0214 { /type "allow" /url "/etc.clientlibs/*" }

/0215 { /type "allow" /url "/libs/granite/csrf/token.json" }

        /0217 {/type "allow" /url "/apps/onup/counter/external*"}

/0220 { /type "allow" /url "/etc/cloudsettings*" }

       /0221 { /type "allow" /url "/etc/segmentation*" }

Avatar

Correct answer by
Level 2

Ideally the deny everything rule should work. Below is a sample filters.any which works fine to deny access to any request to /system/*.

# Deny everything first and then allow specific entries

/0001 { /type "deny" /glob "*" }

# Open consoles

#     /0011 { /type "allow" /url "/admin/*"  }  # allow servlet engine admin

#     /0012 { /type "allow" /url "/crx/*"    }  # allow content repository

#     /0013 { /type "allow" /url "/system/*" }  # allow OSGi console

# Allow non-public content directories

#     /0021 { /type "allow" /url "/apps/*"   }  # allow apps access

#     /0022 { /type "allow" /url "/bin/*"    }

/0023 { /type "allow" /url "/content*" }  # disable this rule to allow mapped content only

#     /0024 { /type "allow" /url "/libs/*"   }

#     /0025 { /type "deny"  /url "/libs/shindig/proxy*" } # if you enable /libs close access to proxy

#     /0026 { /type "allow" /url "/home/*"   }

#     /0027 { /type "allow" /url "/tmp/*"    }

#     /0028 { /type "allow" /url "/var/*"    }

# Enable extensions in non-public content directories, using a regular expression

/0041

  {

  /type "allow"

  /extension '(clientlibs|css|gif|ico|js|png|swf|jpe?g|woff2?|ttf|txt)'

  }

# Enable features

/0062 { /type "allow" /url "/libs/cq/personalization/*"  }  # enable personalization

#CSRF Token:

/0088 { /type "allow" /path "/libs/granite/csrf/token" /method "GET" /extension "json" }

/0099 { /type "allow" /path "/libs/dam/viewers/*" /method "GET"}

Also in rewrite .conf add the path of 404 page like below

ErrorDocument 404 ${AEM_CONTENT_ROOT_PATH}/error/404.html

ErrorDocument 500 ${AEM_CONTENT_ROOT_PATH}/error/500.html