Hi All,
We are in the process of implementing the Content Fragment Asset API, hence we want to know the rule to apply in the dispatcher to allow only /asset/api JSON.
At present we have set a rule as:
{ /type "allow" /extension '(json)' /method "GET" /url "/asset/api/*.json" }
Is this valid, or does any other rule need to be set?
Please suggest.
Thanks
Shikha
Hi @sharms13
I think the above dispatcher rule should be /api/assets:
{ /type "allow" /extension '(json)' /method "GET" /url "/api/assets*.json" }
Since you are only making a GET request to fetch the content fragment as JSON, I don't think that you need to do any other additional configuration. Sling Referrer Filter & CORS would not be needed.
Thanks AvinashGupta01.
But in addition to this, I want to restrict the other page content selectors like infinity, tidy, -1, etc. for JSON.
Can you please suggest a rule which can be applied to restrict the other selectors?
You can restrict the other page content selectors like infinity, tidy using the below dispatcher filter rule:
# Deny content grabbing for greedy queries and prevent un-intended self DOS attacks
/0017 { /type "deny" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy|sysview|docview|query|[0-9-]+|jcr:content)' /extension '(json|xml|html|feed)' }
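The allow rule and the selector deny rule from this thread interact through rule order, so here is an added example (not code from the posters or from Adobe) that models the two rules and checks sample requests offline. It is a simplified model: the last matching rule wins, double-quoted values are globs, single-quoted values are regexes matched in full against each selector, and the rule order, the leading default deny and the sample URLs are assumptions.

```python
import fnmatch
import re

# Filter rules from the thread. The order and the leading default deny are
# assumptions of this example; the thread does not state them.
RULES = [
    {"type": "deny", "url_glob": "*"},
    {"type": "allow", "method": "GET", "extension_re": "(json)",
     "url_glob": "/api/assets*.json"},
    {"type": "deny", "extension_re": "(json|xml|html|feed)",
     "selectors_re": "(feed|rss|pages|languages|blueprint|infinity|tidy"
                     "|sysview|docview|query|[0-9-]+|jcr:content)"},
]


def decompose(url):
    """Simplified Sling split: return (selectors, extension); suffix dropped."""
    path = url.split("?", 1)[0]
    _, dot, tail = path.partition(".")
    if not dot:
        return [], ""
    parts = tail.split("/", 1)[0].split(".")
    return parts[:-1], parts[-1]


def matches(rule, method, url):
    """True when every property present in the rule matches the request."""
    selectors, extension = decompose(url)
    if "method" in rule and rule["method"] != method:
        return False
    if "url_glob" in rule and not fnmatch.fnmatchcase(url, rule["url_glob"]):
        return False
    if "extension_re" in rule and not re.fullmatch(rule["extension_re"], extension):
        return False
    if "selectors_re" in rule and not any(
            re.fullmatch(rule["selectors_re"], s) for s in selectors):
        return False
    return True


def decide(method, url, rules=RULES):
    """Last matching rule wins; no match at all is treated as deny."""
    verdict = "deny"
    for rule in rules:
        if matches(rule, method, url):
            verdict = rule["type"]
    return verdict
```

With the selector deny placed after the allow, a selector request under /api/assets is still refused; with the two swapped, the allow rule wins, so confirm the deployed order against the dispatcher log.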
Hi @sharms13
# Rule for Content Fragment Asset API
<VirtualHost *:80>
    ServerName dispatcher.example.com

    # Dispatcher Config
    DispatcherConfig conf/dispatcher.any

    # Dispatcher Logs
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    CustomLog logs/dispatcher.log combined

    # Deny Access to Hidden Files
    <FilesMatch "\.(?!css$|js$|jpg$|gif$|png$|ico$|html$|htm$|txt$|json$|map$|svg$).*$">
        Require all denied
    </FilesMatch>

    # Content Fragment Asset API
    <Location /libs/dam/cf/asset>
        SetHandler dispatcher-handler
        SetEnvIf Request_URI ".*" no-gzip
    </Location>

    # Dispatcher Pass Through
    <Location />
        SetHandler dispatcher-handler
    </Location>
</VirtualHost>
Hope this will help