External AEM POST Requests renders Content Modified Response

VKumar20

23-02-2021

Hello Everyone,

 

Apologies, the same query was raised some time back, but I have some additional questions. If anyone could give any insights, it would be really helpful.

 

Request:

POST / HTTP/1.1
Host: www.xyz.com (changed)
Transfer-Encoding: chunked
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
Content-Length: 4
Content-Type: application/json

0

Response: Content modified /content/xyz

Status: 200
Message: OK
Location: xyz
Parent Location: /cotent/xyz
Path: /content/xyz
Referer:
ChangeLog: <pre></pre>
Modified Resource:
Parent of Modified Resource:

 

The above POST request (from any third-party client like Postman etc.) does not modify anything on AEM; however, it gives away the directory information and the appearance that something has been modified.

 

Due to some requirements, we cannot block the POST requests at dispatcher level or through referrer filters in AEM.

Apart from filtering and identifying the POST requests at dispatcher level (allow or deny), is there any other way to handle it? (It should not show 200 with the "Content modified" message.)

 

Also, can we modify the default response of such POST requests (I believe it is produced by the default SlingPostServlet)?

davidjgonzalezzzz

23-02-2021

Are you attempting to block POSTs on AEM Author or AEM Publish?

 

If you are trying to block POSTs on AEM Author, don't 🙂 .. AEM uses POSTs, and especially those handled by the Sling Default POST Servlet, liberally. Blocking anything that isn't a POST to a very specific URL is asking to break AEM's OOTB functionality. You should instead use ACLs to control what content/content trees an AEM Author can write to via POSTs (which will result in a 403, not a 200, if the user does not have permission to write to the target path).

 

If you are trying to block POSTs on AEM Publish, the pattern to do this at AEM Dispatcher is:

1. Deny everything

2. Allow only POSTs for the specific paths/path-patterns you know are required for your application

3. Ensure that your content on AEM Publish is properly protected by ACLs, so that any POSTs you DO allow can only be made by the right people to modify the content.

If you are properly filtering out (DENYing) these POST requests at Dispatcher, you will not get a 200, but rather a 404.
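The deny-by-default /filter pattern described in the answer above, written out as a dispatcher.any fragment. This is an added illustration, not configuration from the thread or from Adobe's shipped dispatcher config; the application endpoint /content/xyz/forms/*.submit.json is an assumed placeholder for whatever POST path your site actually needs.

```text
/filter
  {
  # Rules are evaluated in order and the LAST matching rule wins,
  # so start by denying everything, then open only what is needed.
  /0001 { /type "deny"  /url "*" }

  # Read traffic for the published site (GET/HEAD only).
  /0002 { /type "allow" /method "GET"  /url "/content/*" }
  /0003 { /type "allow" /method "HEAD" /url "/content/*" }

  # The one POST endpoint the application requires (assumed placeholder path).
  # Anything else with method POST, including "POST /" from the question
  # above, still falls through to rule /0001 and is answered with a 404.
  /0004 { /type "allow" /method "POST" /url "/content/xyz/forms/*" /extension "json" /selectors "submit" }

  # Belt and braces: never let the Sling POST servlet's default behaviour
  # be reached on Publish through a generic path.
  /0005 { /type "deny"  /method "POST" /url "/content/*.html" }
  }
```

The allowed endpoint must still be covered by JCR ACLs on Publish (step 3 above); the dispatcher filter only decides which requests reach AEM, not who may write once they get there.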