Adobe Experience Manager

The best practice to secure AEM Publish endpoints via Dispatcher is to:

1. First Deny EVERYTHING

2. Then Allow only what you need to 

This is why the first rule in the OOTB AEM Publish Dispatcher is "DENY *" [1]

In terms of identifying what URL end-points need to be ALLOWED in Dispatcher for POST'ing depends on your application's design. Hopefully custom POST end-points are bound to servlets registered to Servlets by Resource Type and Selector/Extension, and the resource that has the respective sling:resourceType's are permissioned accordingly.

If you actually use SlingPostServlet in your application on AEM Publish, then you would want to ensure that POST requests without any selectors, etc. are ONLY available on the content trees that should be written to using the SlingPostServlet, and those resources are permissions properly so only expected users can write to them.

Generally speaking, I would be concerned if any user that isn't admin has write access to /content (not sure if your original example was just an example).

[1] https://github.com/adobe/aem-project-archetype/blob/master/src/main/archetype/dispatcher.ams/src/con...

@VKumar20,

If you are referring to a Sling Servlet from AEM, You would probably need to review the business logic. Amend the doPost() method to check for necessary acceptable values. If acceptable values are not matched, you can return your own custom status, for example, 406 NOT ACCEPTABLE.

I am actually assuming that your doPost method returns a "XXX" (whatever your servlet is setting as the response status) status as the response, on every request.

Example Code to Implement 406 HTTP Response:

@Override
protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response) throws ServletException, IOException {
    if (request.getParameter("test") == null) {
        response.setStatus(org.eclipse.jetty.http.HttpStatus.NOT_ACCEPTABLE_406);
    }
    // your logic
}