etc.clientlib proxy in publish does not work for anonymous users

pegr69

07-03-2019

Hi,

I have an issue with the AEM 6.4 installation.

We try to use the new etc.clientlib proxy servlet that came in AEM 6.3 in our AEM 6.4.3 installation and I have an issue with the JS and CSS files not being loaded properly; all URLs give me a 404 error if I am not logged into the publish server.

This is of course not possible in the real world.

The only way for me to get this to work is to apply an ACL jcr:read access for anonymous users to the /etc folder.

I however feel that this opens up a security issue towards AEM since it opens up the entire etc folder, even though I can control traffic to AEM via dispatcher.

Is this really the only way forward with this proxy or have I missed something in the security settings?

The documentation only says the ACLs are managed on a per-location basis, but I have applied anonymous access to the component clientlib folders and that does nothing.

So I am after a clear description to how ACLs should be applied in order to get the etc.clientlib proxy to work in the publishing environment.

Accepted Solutions (1)

pegr69

05-04-2019

So I found the issue, but I am still not really sure as to why.

We had a /etc/map configuration where we hide the /content path on the publishing servers. The problem was that this caused the URL to be rewritten during the call sequence to the publish server, hence /etc.clientlib gave a 404. However, I do not understand why it was rewritten for anonymous users when it worked fine when logged in; still checking. When I also applied read access for the group everyone to the /etc path everything worked fine; however, when doing a reboot of the server it cleared the rights for everyone during the repoinit process, as described in the Sling docs. Oh well, investigation ongoing.

Answers (3)

Gaurav-Behl

08-03-2019

Not sure if this would help, revert in case I'm supposed to tweak my configs & test..

This is on 6.4.3

[Image attachment: 1.gif]

pegr69

08-03-2019

Ok, have you tested and used this because I cannot get that to work, still 404s even after a reboot.

I am using 6.4.3.

Gaurav-Behl

07-03-2019

To me, the solution provided by Andrew Khoury is better than going with the ACL route

1. Go to http://host:port/system/console/configMgr

2. Search for and open Apache Sling Authentication Service

3. Add these two entries to the sling.auth.requirements

-/etc.clientlibs

-/etc/clientlibs/granite

4. After changing the property, restart the bundle http://host:port/system/console/bundles/org.apache.sling.auth.core

Source: Not able to access etc.clientlibs on publish environment
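
A check to run after either change discussed in this thread (the ACL on /etc or the sling.auth.requirements entries), added here as an example and not part of any poster's message: it requests paths without credentials and reports clientlibs that still fail and /etc paths that have become readable. The paths in `EXPECTED`, the site name `mysite` and the sample statuses are constructed placeholders.

```python
import sys
import urllib.error
import urllib.request

# Constructed expectations (placeholders, replace with your own paths):
# path -> should an anonymous client be able to read it?
EXPECTED = {
    "/etc.clientlibs/mysite/clientlibs/site.css": True,   # proxied clientlib
    "/etc.clientlibs/mysite/clientlibs/site.js": True,
    "/etc.1.json": False,       # JSON listing of /etc itself
    "/etc/map.1.json": False,   # /etc/map mappings
}
# Constructed statuses imitating a publish instance where anonymous got jcr:read on /etc.
SAMPLE_OPEN_ETC = {path: 200 for path in EXPECTED}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface a redirect (e.g. to a login page) as 3xx


def anonymous_status(base_url, path, timeout=10):
    """Return the HTTP status for a request sent without credentials or cookies."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(expected, get_status):
    """Compare observed anonymous statuses with the expectations; return mismatches."""
    findings = []
    for path, should_read in sorted(expected.items()):
        status = get_status(path)
        readable = 200 <= status < 300
        if readable and not should_read:
            findings.append((path, status, "readable by anonymous"))
        elif should_read and not readable:
            findings.append((path, status, "clientlib not served to anonymous"))
    return findings


if __name__ == "__main__":
    # With a base URL argument, probe that server; without one, use the sample.
    get = ((lambda p: anonymous_status(sys.argv[1], p)) if len(sys.argv) > 1
           else SAMPLE_OPEN_ETC.__getitem__)
    for finding in audit(EXPECTED, get):
        print(*finding)
```

Run it once against the publish instance directly and once through the dispatcher, since the two can give different answers for the same path.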