External AEM POST Requests renders Content Modified Response

VKumar20

23-02-2021

Hello Everyone,

 

Apologies, the same query was raised some time back, but I have some additional questions. If anyone could give any insights, it would be really helpful.

 

Request:

POST / HTTP/1.1
Host: www.xyz.com (changed)
Transfer-Encoding: chunked
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Length: 4
Content-Type: application/json

0

Response: Content modified /content/xyz

Status: 200
Message: OK
Location: xyz
Parent Location: /cotent/xyz
Path: /content/xyz
Referer:
ChangeLog:
Modified Resource:
Parent of Modified Resource:

 

The above POST request (from any third-party client like Postman etc.) does not modify anything on AEM; however, it gives the directory information and a view that something has been modified.

 

Due to some requirements we cannot block the POST requests at the dispatcher level or through referrer filters in AEM.

Apart from filtering and identifying the POST requests at the dispatcher level (allow or deny), is there any other way to handle it? (It should not show 200 with a "content modified" message.)

 

Also, can we modify the default response of such POST requests (I believe it is through the default SlingPostServlet)?

davidjgonzalezzzz

23-02-2021

The best practice to secure AEM Publish endpoints via Dispatcher is to:

 

1. First Deny EVERYTHING

2. Then Allow only what you need to 

 

This is why the first rule in the OOTB AEM Publish Dispatcher is "DENY *" [1].

 

Identifying which URL end-points need to be ALLOWED in Dispatcher for POSTing depends on your application's design. Hopefully custom POST end-points are bound to servlets registered by Resource Type and Selector/Extension, and the resources that have the respective sling:resourceTypes are permissioned accordingly.

If you actually use SlingPostServlet in your application on AEM Publish, then you would want to ensure that POST requests without any selectors, etc. are ONLY available on the content trees that should be written to using the SlingPostServlet, and those resources are permissioned properly so only expected users can write to them.

 

Generally speaking, I would be concerned if any user that isn't admin has write access to /content (not sure if your original example was just an example).

 

[1] https://github.com/adobe/aem-project-archetype/blob/master/src/main/archetype/dispatcher.ams/src/con...
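As an added illustration of the deny-everything-then-allow pattern described above (example fragment written for this thread, not from the archetype or the original posts), a Dispatcher filter section for Publish; the /content/xyz tree, the `submit` selector and the `json` extension are assumed names for a custom resource-type-bound servlet:

```any
/filter {
  # 1. Deny EVERYTHING first, exactly as the OOTB Publish filter does.
  /0001 { /type "deny" /url "*" }

  # 2. Allow only what the site needs.
  # Page and asset reads on the site's own tree.
  /0002 { /type "allow" /method "GET" /path "/content/xyz/*" /extension '(html|json|css|js|png|jpe?g|svg)' }

  # POSTs only to the custom servlet endpoint (assumed: resource under
  # /content/xyz, selector "submit", extension "json"). The servlet is bound
  # by resource type, so the resource's ACLs decide who may write to it.
  /0003 { /type "allow" /method "POST" /path "/content/xyz/*" /selectors '(submit)' /extension '(json)' }

  # No rule allows a bare "POST /" (no selector, no extension), so Dispatcher
  # rejects it with 403 and the request never reaches the SlingPostServlet,
  # which is what produces the "Content modified" 200 page seen above.
}
```

Double-quoted values are glob patterns and single-quoted values are regular expressions, so a new POST endpoint needs its own explicit allow rule rather than a loosening of /0001.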