etc.clientlib proxy in publish does not work for anonymous users | Community
Skip to main content
P
Pegr69
March 7, 2019
Solved

etc.clientlib proxy in publish does not work for anonymous users

  • March 7, 2019
  • 4 replies
  • 4818 views

Hi,

I have an issue with the AEM 6.4.installation,

We try to use the new etc.clientlib proxy servlet that came in AEM 6.3 in our AEM 6.4.3 installation and I have an issue with the JS and CSS files not being loaded properly, all URLs give me a 404 error if I am not logged into the publish server.

This is of course not possible in the real world.

The only way for me to get this to work is to apply an ACL jcr:read access for anonymous users to the /etc folder.

I however feel that this opens up a security issue towards AEM since it opens up the entire etc folder, even though I can control traffic to AEM via dispatcher.

Is this really the only way forward with this proxy or have I missed something in the security settings?

The documentation only says the ACLs is managed on a per location basis but I have applied anonymous access to the componentclientlib folders but that does nothing.

So I am after a clear description to how ACLs should be applied in order to get the etc.clientlib proxy to work in the publishing environment.

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by Pegr69

So I found the issue, but still not really sure as to why..

We had a /etc/map configuration where we hide the /content path on the publishing servers, the problem was that this caused the url to be rewritten during the call sequence to the publish server, hence /etc.clientlib gave a 404, however I do not understand why it was rewritten for anonymous users but when logged in it worked fine, still checking. When I also applied read access for the group everyone to the /etc path everything worked fine, however when doing a reboot of the server it cleared the rights for everyone during the repoinit process as described in the sling docs. Oh well, investigation ongoing..

4 replies

Gaurav-Behl
Gaurav-Behl
March 8, 2019

To me, the solution provided by Andrew Khouryis better than going with ACL route

1. Go to http://hostport/system/console/configMgr

2. Search for and open Apache Sling Authentication Service

3. Add these two entries to the sling.auth.requirements

-/etc.clientlibs

-/etc/clientlibs/granite

4. After changing the property, restart the bundle http://host:port/system/console/bundles/org.apache.sling.auth.core

source Not able to access etc.clientlibs on publish environment

P
Pegr69Author
March 8, 2019

Ok, have you tested and used this because I cannot get that to work, still 404s even after a reboot.

I am using 6.4.3.

Gaurav-Behl
Gaurav-Behl
March 8, 2019

Not sure if this would help, revert in case I'm supposed to tweak my configs & test..

This is on 6.4.3

P
Pegr69AuthorAccepted solution
April 5, 2019

So I found the issue, but still not really sure as to why..

We had a /etc/map configuration where we hide the /content path on the publishing servers, the problem was that this caused the url to be rewritten during the call sequence to the publish server, hence /etc.clientlib gave a 404, however I do not understand why it was rewritten for anonymous users but when logged in it worked fine, still checking. When I also applied read access for the group everyone to the /etc path everything worked fine, however when doing a reboot of the server it cleared the rights for everyone during the repoinit process as described in the sling docs. Oh well, investigation ongoing..

    Terms & ConditionsAccessibility statement

    Loading footer...