Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

Hosting Static HTML in the JCR

Avatar

Level 2

Hi, 

I've got a use case where I need to store and serve static html, js, css, images, flash videos, and etc from the JCR. 

The only suggestions I could find on how to do this come from this article. http://blogs.adobe.com/dekesmith/2012/05/22/place-simple-html-and-image-files-online-with-crx-and-cq...

I've tried all methods of uploading my static content as described in the article and have been able to consistently upload my static content to the JCR. However, the problem that I'm facing is actually trying to render the content. 

In AEM 6.2, when I attempt to hit the static content, such as: /content/some-site/some-static-page.html, it is treated like a binary download. It does the same for all the other filetypes that I've uploaded. Instead of trying to render them, it simply downloads them to my computer.

I noticed that the article was written in 2012, so I tried this on an older version of AEM, specifically 5.6.1, and I was successfully able to render the content within the browser.

I think it has something to do with the one of the rendering servlets, but I'm not sure. Any help is greatly appreciated. 

1 Accepted Solution

Avatar

Correct answer by
Level 2

It appears the reason it downloads the files is due to the Apache Sling Content Disposition Filter.

Adding the path that contains my static files to the Content Disposition Paths list allows my content to render

This resolves my issue. Hopefully it helps someone else in the future.

View solution in original post

17 Replies

Avatar

Correct answer by
Level 2

It appears the reason it downloads the files is due to the Apache Sling Content Disposition Filter.

Adding the path that contains my static files to the Content Disposition Paths list allows my content to render

This resolves my issue. Hopefully it helps someone else in the future.

Avatar

Level 10

Thank you for posting your solution.

Avatar

Level 6

In case you are hosting the HTML files in DAM, you can disable it by changing an OSGI Config:

Dam Safe Binary Filter (com.day.cq.dam.core.impl.servlet.DamContentDispositionFilter), remove text/html from Blacklisted Mime Types

http://stackoverflow.com/a/35031277

Avatar

Level 3

I have the same issue.  I have a package containing static HTML files.

I import this into AEM 6.1 and it is rendered to the browser.

Importing the exact same package into AEM 6.2 results in the files being downloaded instead of served into the browser.

I attempted to add /content/path and also /content/path/somefile.html to the Apache Sling Content Disposition Filter as suggested without seeing any difference in behavior.

I'm curious if you had made any other changes to get this working. 

Thanks.

Avatar

Level 2

Rob,

I don't recall having to change anything else. Did you try checking the "Enable content disposition for all paths" checkbox on that Service?

Avatar

Employee

Root cause:-

This is an intended change made by engineering in AEM 6.2. Even for 6.1, we released a hotfix for it NPR-9381. 

GRANITE-9550 - Extend content disposition filter protection to author

NPR-9381 - HF for GRANITE-9550 - Extend content disposition filter protection to author

This was introduced as part of Sling Security Fix 

https://issues.apache.org/jira/browse/SLING-4883 - Extend content disposition filter protection to jcr:data

https://issues.apache.org/jira/browse/SLING-4973 - Add Content Disposition Excluded Paths

Other customers reported this as a security issue. 

1) They identified that malicius files can potentially be uploaded by using the functionality

2) Access the uploaded file via above URL, verify that the file gets executed

Therefore, engineering fixed the issue and implemented this change and now by default the file instead of opening up in the browser gets download instead.

This is coming through OSGI configuration - 

http://host:port/system/console/configMgr/org.apache.sling.security.impl.ContentDispositionFilter

The checked box - Enable Content Disposition for all paths is causing this change in behavior which is intended.

To revert to old behavior:

If you are OK to bear this security issue, you can uncheck the checkbox and the file would directly open in the browser instead of getting downloaded. Thereby, meeting your requirements.

Avatar

Level 3

Thanks very much for this helpful response.  I have confirmed this re-enables this functionality on my environment.

In my particular case I want to serve these files as an interim step in a migration effort so I am not concerned about the security concerns.  I will recheck the box once completed.

Cheers.

Avatar

Level 3

smacdonald2008, vmehrotr Have same requirement, is there a way to enable this for all the HTML files added under a specific location. Like if I need to show all the HTML files under content/mySite/htmlFiles.

I tried with content/mySite/htmlFiles(/.*), but it does not work.

Client does not want to check the box due to mentioned security concerns.

Please suggest......Thanks

Avatar

Level 1

Hi,

We would also like to host static HTML files (+ accompanying JS, CSS, etc. in subfolders) on AEM. Besides the workaround mentioned above (Apache Sling Content Disposition Filter), which apparently is not recommended due to security concerns, are there any other ways of hosting such static HTML files on AEM? Specifically, we would be interested in a solution for AEM 6.4. 

Essentially, we want to use AEM just as a standard webserver for these files, and then includes them as an iFrame on our regular AEM pages.

Any help would be appreciated!

Avatar

Level 10

Per my knowledge, you could host it under /content path or /content/dam as nt:file or /etc/.. or /apps/.. using proxy accessible using/etc.clientlibs/..

Try it and revert if you get any issues.

Avatar

Level 3

I also had similar requirement and have used the process explained by @francisco.ribeiro .

In case you are hosting the HTML files in DAM, you can disable it by changing an OSGI Config:

Dam Safe Binary Filter (com.day.cq.dam.core.impl.servlet.DamContentDispositionFilter), remove text/html from Blacklisted Mime Types

It worked all good till 6.2, now we are upgrading to 6.4 and again now HTML files have started downloading, instead of rendering in browser. Is Dam Safe Binary filter deprecated in 6.4?

Any suggestion, how it can be done in 6.4, is there a way to enable same from content/dam?

Avatar

Level 10

In a regular HTTP response, the Content-Disposition response header is a header indicating if the content is expected to be displayed inline in the browser, that is, as a Web page or as part of a Web page, or as an attachment, that is downloaded and saved locally.

Content-Disposition: inline  or

Content-Disposition: attachment; filename="filename.jpg"

Content-Disposition - HTTP | MDN

Modify the header's value either via custom code in AEM or Apache mod_header. There should be a configuration in osgi to override the headers.

Avatar

Level 3

Thanks for replying so quick, but here is the case:

The static HTML files are not created in AEM, a different team designs ant write contents to them. Till 6.2 these HTML files were loading fine and now with 6.4 , we can not change the headers for hundreds of already live files.

I debugged more meanwhile for Dam safe Binary filter and observed that the configurations are not bound to any bundle in 6.4.

dam_safe.JPG

In 6.2 it was bound to a bundle under libs "jcrinstall:/libs/dam/install/cq-dam-core-5.8.172.jar".

what has happened to this configuration in 6.4?

Avatar

Level 10

I haven't got a chance to debug "what has changed" with this feature and cq-dam-core configurations. Probably a DayCare ticket would help in case no one is able to spend time on it.

Even if the file is not created in AEM, I assume it is still served by Apache where you can modify the headers. Ideal solution would be to fix it at source/AEM.

Avatar

Level 3

Thanks again for your reply!!

I will raise a day care, meanwhile can you please guide me, which service/configuration can be used to modify headers?

Avatar

Level 3

I have raised a daycare ticket and they have suggested to uncheck the box in "Content Disposition Filter" as mentioned above.

But i have asked them back about security issue with enabling the checkbox, they are yet to reply on that.

Meanwhile if there are other options, it would be really helpful. Thanks.