Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

Hosting Static HTML in the JCR

SmashTheGoat
Level 2
Level 2

Hi, 

I've got a use case where I need to store and serve static html, js, css, images, flash videos, and etc from the JCR. 

The only suggestions I could find on how to do this come from this article. http://blogs.adobe.com/dekesmith/2012/05/22/place-simple-html-and-image-files-online-with-crx-and-cq...

I've tried all methods of uploading my static content as described in the article and have been able to consistently upload my static content to the JCR. However, the problem that I'm facing is actually trying to render the content. 

In AEM 6.2, when I attempt to hit the static content, such as: /content/some-site/some-static-page.html, it is treated like a binary download. It does the same for all the other filetypes that I've uploaded. Instead of trying to render them, it simply downloads them to my computer.

I noticed that the article was written in 2012, so I tried this on an older version of AEM, specifically 5.6.1, and I was successfully able to render the content within the browser.

I think it has something to do with the one of the rendering servlets, but I'm not sure. Any help is greatly appreciated. 

1 Accepted Solution
SmashTheGoat
Correct answer by
Level 2
Level 2

It appears the reason it downloads the files is due to the Apache Sling Content Disposition Filter.

Adding the path that contains my static files to the Content Disposition Paths list allows my content to render

This resolves my issue. Hopefully it helps someone else in the future.

View solution in original post

17 Replies
SmashTheGoat
Correct answer by
Level 2
Level 2

It appears the reason it downloads the files is due to the Apache Sling Content Disposition Filter.

Adding the path that contains my static files to the Content Disposition Paths list allows my content to render

This resolves my issue. Hopefully it helps someone else in the future.

View solution in original post

francisco_ribei
Level 6
Level 6

In case you are hosting the HTML files in DAM, you can disable it by changing an OSGI Config:

Dam Safe Binary Filter (com.day.cq.dam.core.impl.servlet.DamContentDispositionFilter), remove text/html from Blacklisted Mime Types

http://stackoverflow.com/a/35031277

Rob_Curran__T4G
Level 3
Level 3

I have the same issue.  I have a package containing static HTML files.

I import this into AEM 6.1 and it is rendered to the browser.

Importing the exact same package into AEM 6.2 results in the files being downloaded instead of served into the browser.

I attempted to add /content/path and also /content/path/somefile.html to the Apache Sling Content Disposition Filter as suggested without seeing any difference in behavior.

I'm curious if you had made any other changes to get this working. 

Thanks.

SmashTheGoat
Level 2
Level 2

Rob,

I don't recall having to change anything else. Did you try checking the "Enable content disposition for all paths" checkbox on that Service?

vmehrotr
Employee
Employee

Root cause:-

This is an intended change made by engineering in AEM 6.2. Even for 6.1, we released a hotfix for it NPR-9381. 

GRANITE-9550 - Extend content disposition filter protection to author

NPR-9381 - HF for GRANITE-9550 - Extend content disposition filter protection to author

This was introduced as part of Sling Security Fix 

https://issues.apache.org/jira/browse/SLING-4883 - Extend content disposition filter protection to jcr:data

https://issues.apache.org/jira/browse/SLING-4973 - Add Content Disposition Excluded Paths

Other customers reported this as a security issue. 

1) They identified that malicius files can potentially be uploaded by using the functionality

2) Access the uploaded file via above URL, verify that the file gets executed

Therefore, engineering fixed the issue and implemented this change and now by default the file instead of opening up in the browser gets download instead.

This is coming through OSGI configuration - 

http://host:port/system/console/configMgr/org.apache.sling.security.impl.ContentDispositionFilter

The checked box - Enable Content Disposition for all paths is causing this change in behavior which is intended.

To revert to old behavior:

If you are OK to bear this security issue, you can uncheck the checkbox and the file would directly open in the browser instead of getting downloaded. Thereby, meeting your requirements.

Rob_Curran__T4G
Level 3
Level 3

Thanks very much for this helpful response.  I have confirmed this re-enables this functionality on my environment.

In my particular case I want to serve these files as an interim step in a migration effort so I am not concerned about the security concerns.  I will recheck the box once completed.

Cheers.

sawan051
Level 3
Level 3

smacdonald2008, vmehrotr Have same requirement, is there a way to enable this for all the HTML files added under a specific location. Like if I need to show all the HTML files under content/mySite/htmlFiles.

I tried with content/mySite/htmlFiles(/.*), but it does not work.

Client does not want to check the box due to mentioned security concerns.

Please suggest......Thanks

florensf2806275
Level 1
Level 1

Hi,

We would also like to host static HTML files (+ accompanying JS, CSS, etc. in subfolders) on AEM. Besides the workaround mentioned above (Apache Sling Content Disposition Filter), which apparently is not recommended due to security concerns, are there any other ways of hosting such static HTML files on AEM? Specifically, we would be interested in a solution for AEM 6.4. 

Essentially, we want to use AEM just as a standard webserver for these files, and then includes them as an iFrame on our regular AEM pages.

Any help would be appreciated!

Gaurav-Behl
Community Advisor
Community Advisor

Per my knowledge, you could host it under /content path or /content/dam as nt:file or /etc/.. or /apps/.. using proxy accessible using/etc.clientlibs/..

Try it and revert if you get any issues.

sawan051
Level 3
Level 3

I also had similar requirement and have used the process explained by @francisco.ribeiro .

In case you are hosting the HTML files in DAM, you can disable it by changing an OSGI Config:

Dam Safe Binary Filter (com.day.cq.dam.core.impl.servlet.DamContentDispositionFilter), remove text/html from Blacklisted Mime Types

It worked all good till 6.2, now we are upgrading to 6.4 and again now HTML files have started downloading, instead of rendering in browser. Is Dam Safe Binary filter deprecated in 6.4?

Any suggestion, how it can be done in 6.4, is there a way to enable same from content/dam?

Gaurav-Behl
Community Advisor
Community Advisor

In a regular HTTP response, the Content-Disposition response header is a header indicating if the content is expected to be displayed inline in the browser, that is, as a Web page or as part of a Web page, or as an attachment, that is downloaded and saved locally.

Content-Disposition: inline  or

Content-Disposition: attachment; filename="filename.jpg"

Content-Disposition - HTTP | MDN

Modify the header's value either via custom code in AEM or Apache mod_header. There should be a configuration in osgi to override the headers.

sawan051
Level 3
Level 3

Thanks for replying so quick, but here is the case:

The static HTML files are not created in AEM, a different team designs ant write contents to them. Till 6.2 these HTML files were loading fine and now with 6.4 , we can not change the headers for hundreds of already live files.

I debugged more meanwhile for Dam safe Binary filter and observed that the configurations are not bound to any bundle in 6.4.

dam_safe.JPG

In 6.2 it was bound to a bundle under libs "jcrinstall:/libs/dam/install/cq-dam-core-5.8.172.jar".

what has happened to this configuration in 6.4?

Gaurav-Behl
Community Advisor
Community Advisor

I haven't got a chance to debug "what has changed" with this feature and cq-dam-core configurations. Probably a DayCare ticket would help in case no one is able to spend time on it.

Even if the file is not created in AEM, I assume it is still served by Apache where you can modify the headers. Ideal solution would be to fix it at source/AEM.

sawan051
Level 3
Level 3

Thanks again for your reply!!

I will raise a day care, meanwhile can you please guide me, which service/configuration can be used to modify headers?

sawan051
Level 3
Level 3

I have raised a daycare ticket and they have suggested to uncheck the box in "Content Disposition Filter" as mentioned above.

But i have asked them back about security issue with enabling the checkbox, they are yet to reply on that.

Meanwhile if there are other options, it would be really helpful. Thanks.