We try to use the new etc.clientlib proxy servlet that came in AEM 6.3 in our AEM 6.4.3 installation and I have an issue with the JS and CSS files not being loaded properly, all URLs give me a 404 error if I am not logged into the publish server.
This is of course not possible in the real world.
The only way for me to get this to work is to apply an ACL jcr:read access for anonymous users to the /etc folder.
I however feel that this opens up a security issue towards AEM since it opens up the entire etc folder, even though I can control traffic to AEM via dispatcher.
Is this really the only way forward with this proxy or have I missed something in the security settings?
The documentation only says the ACLs is managed on a per location basis but I have applied anonymous access to the componentclientlib folders but that does nothing.
So I am after a clear description to how ACLs should be applied in order to get the etc.clientlib proxy to work in the publishing environment.
So I found the issue, but still not really sure as to why..
We had a /etc/map configuration where we hide the /content path on the publishing servers, the problem was that this caused the url to be rewritten during the call sequence to the publish server, hence /etc.clientlib gave a 404, however I do not understand why it was rewritten for anonymous users but when logged in it worked fine, still checking. When I also applied read access for the group everyone to the /etc path everything worked fine, however when doing a reboot of the server it cleared the rights for everyone during the repoinit process as described in the sling docs. Oh well, investigation ongoing..