SOLVED

etc.clientlib proxy in publish does not work for anonymous users

Level 2

Hi,

I have an issue with the AEM 6.4 installation.

We try to use the new etc.clientlib proxy servlet that came in AEM 6.3 in our AEM 6.4.3 installation and I have an issue with the JS and CSS files not being loaded properly, all URLs give me a 404 error if I am not logged into the publish server.

This is of course not possible in the real world.

The only way for me to get this to work is to apply an ACL jcr:read access for anonymous users to the /etc folder.

I however feel that this opens up a security issue towards AEM since it opens up the entire etc folder, even though I can control traffic to AEM via dispatcher.

Is this really the only way forward with this proxy or have I missed something in the security settings?

The documentation only says the ACLs are managed on a per-location basis, but I have applied anonymous access to the component clientlib folders and that does nothing.

So I am after a clear description of how ACLs should be applied in order to get the etc.clientlib proxy to work in the publishing environment.

1 Accepted Solution

Correct answer by
Level 2

So I found the issue, but still not really sure as to why..

We had a /etc/map configuration where we hide the /content path on the publishing servers, the problem was that this caused the URL to be rewritten during the call sequence to the publish server, hence /etc.clientlib gave a 404, however I do not understand why it was rewritten for anonymous users but when logged in it worked fine, still checking. When I also applied read access for the group everyone to the /etc path everything worked fine, however when doing a reboot of the server it cleared the rights for everyone during the repoinit process as described in the Sling docs. Oh well, investigation ongoing..

4 Replies

Level 10

To me, the solution provided by Andrew Khoury is better than going with the ACL route

1. Go to http://host:port/system/console/configMgr

2. Search for and open Apache Sling Authentication Service

3. Add these two entries to the sling.auth.requirements

-/etc.clientlibs

-/etc/clientlibs/granite

4. After changing the property, restart the bundle http://host:port/system/console/bundles/org.apache.sling.auth.core

Source: Not able to access etc.clientlibs on publish environment
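What the two `sling.auth.requirements` entries in the reply above leave reachable without a login, as an added example (not part of the reply and not Sling or AEM code). The catch-all `+/` entry, the sample paths and the matching rule (longest entry wins, on a `/` or `.` boundary) are assumptions of this sketch.

```python
# Added illustration, not Sling or AEM code: a simplified model of how
# sling.auth.requirements entries decide whether a request path needs a login.

def parse_requirement(entry):
    """Split an entry into (path, auth_required); '-' means no login needed."""
    entry = entry.strip()
    if entry.startswith("-"):
        return entry[1:], False
    if entry.startswith("+"):
        return entry[1:], True
    return entry, True  # no prefix is treated as "authentication required"


def covers(req_path, request_path):
    """Assumed rule: prefix match that ends on a '/' or '.' boundary."""
    if req_path in ("", "/"):
        return True
    if not request_path.startswith(req_path):
        return False
    rest = request_path[len(req_path):]
    return rest == "" or rest[0] in "/."


def requires_auth(request_path, entries, default_required=True):
    """Longest covering entry wins (assumed); otherwise the global default."""
    matches = [(p, r) for p, r in map(parse_requirement, entries)
               if covers(p, request_path)]
    if not matches:
        return default_required
    return max(matches, key=lambda m: len(m[0]))[1]


def anonymous_surface(paths, entries):
    """Paths an unauthenticated client may request without a login challenge."""
    return [p for p in paths if not requires_auth(p, entries)]


# The two entries from the reply above, plus an assumed catch-all "+/".
ENTRIES = ["+/", "-/etc.clientlibs", "-/etc/clientlibs/granite"]

# Constructed sample request paths; the project names are hypothetical.
SAMPLE_PATHS = [
    "/etc.clientlibs/mysite/clientlibs/base.css",
    "/etc/clientlibs/granite/jquery.js",
    "/etc/designs/mysite/static.css",
    "/etc/map/http",
    "/content/mysite/en.html",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        state = "login required" if requires_auth(path, ENTRIES) else "anonymous allowed"
        print(f"{path}: {state}")
```

A `-` entry only lifts the login requirement for that subtree; the request then runs as the anonymous user and is still subject to repository ACLs.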

Level 2

Ok, have you tested and used this because I cannot get that to work, still 404s even after a reboot.

I am using 6.4.3.

Level 10

Not sure if this would help, revert in case I'm supposed to tweak my configs & test..

This is on 6.4.3

1.gif
