Hi,
I've got a use case where I need to store and serve static html, js, css, images, flash videos, and etc from the JCR.
The only suggestions I could find on how to do this come from this article. http://blogs.adobe.com/dekesmith/2012/05/22/place-simple-html-and-image-files-online-with-crx-and-cq...
I've tried all methods of uploading my static content as described in the article and have been able to consistently upload my static content to the JCR. However, the problem that I'm facing is actually trying to render the content.
In AEM 6.2, when I attempt to hit the static content, such as: /content/some-site/some-static-page.html, it is treated like a binary download. It does the same for all the other filetypes that I've uploaded. Instead of trying to render them, it simply downloads them to my computer.
I noticed that the article was written in 2012, so I tried this on an older version of AEM, specifically 5.6.1, and I was successfully able to render the content within the browser.
I think it has something to do with the one of the rendering servlets, but I'm not sure. Any help is greatly appreciated.
Solved! Go to Solution.
It appears the reason it downloads the files is due to the Apache Sling Content Disposition Filter.
Adding the path that contains my static files to the Content Disposition Paths list allows my content to render
This resolves my issue. Hopefully it helps someone else in the future.
It appears the reason it downloads the files is due to the Apache Sling Content Disposition Filter.
Adding the path that contains my static files to the Content Disposition Paths list allows my content to render
This resolves my issue. Hopefully it helps someone else in the future.
Thank you for posting your solution.
Views
Replies
Total Likes
In case you are hosting the HTML files in DAM, you can disable it by changing an OSGI Config:
Dam Safe Binary Filter (com.day.cq.dam.core.impl.servlet.DamContentDispositionFilter), remove text/html from Blacklisted Mime Types
I have the same issue. I have a package containing static HTML files.
I import this into AEM 6.1 and it is rendered to the browser.
Importing the exact same package into AEM 6.2 results in the files being downloaded instead of served into the browser.
I attempted to add /content/path and also /content/path/somefile.html to the Apache Sling Content Disposition Filter as suggested without seeing any difference in behavior.
I'm curious if you had made any other changes to get this working.
Thanks.
Rob,
I don't recall having to change anything else. Did you try checking the "Enable content disposition for all paths" checkbox on that Service?
Root cause:-
This is an intended change made by engineering in AEM 6.2. Even for 6.1, we released a hotfix for it NPR-9381.
GRANITE-9550 - Extend content disposition filter protection to author
NPR-9381 - HF for GRANITE-9550 - Extend content disposition filter protection to author
This was introduced as part of Sling Security Fix
https://issues.apache.org/jira/browse/SLING-4883 - Extend content disposition filter protection to jcr:data
https://issues.apache.org/jira/browse/SLING-4973 - Add Content Disposition Excluded Paths
Other customers reported this as a security issue.
1) They identified that malicius files can potentially be uploaded by using the functionality
2) Access the uploaded file via above URL, verify that the file gets executed
Therefore, engineering fixed the issue and implemented this change and now by default the file instead of opening up in the browser gets download instead.
This is coming through OSGI configuration -
http://host:port/system/console/configMgr/org.apache.sling.security.impl.ContentDispositionFilter
The checked box - Enable Content Disposition for all paths is causing this change in behavior which is intended.
To revert to old behavior:
If you are OK to bear this security issue, you can uncheck the checkbox and the file would directly open in the browser instead of getting downloaded. Thereby, meeting your requirements.
Thanks very much for this helpful response. I have confirmed this re-enables this functionality on my environment.
In my particular case I want to serve these files as an interim step in a migration effort so I am not concerned about the security concerns. I will recheck the box once completed.
Cheers.
smacdonald2008, vmehrotr Have same requirement, is there a way to enable this for all the HTML files added under a specific location. Like if I need to show all the HTML files under content/mySite/htmlFiles.
I tried with content/mySite/htmlFiles(/.*), but it does not work.
Client does not want to check the box due to mentioned security concerns.
Please suggest......Thanks
Hi,
We would also like to host static HTML files (+ accompanying JS, CSS, etc. in subfolders) on AEM. Besides the workaround mentioned above (Apache Sling Content Disposition Filter), which apparently is not recommended due to security concerns, are there any other ways of hosting such static HTML files on AEM? Specifically, we would be interested in a solution for AEM 6.4.
Essentially, we want to use AEM just as a standard webserver for these files, and then includes them as an iFrame on our regular AEM pages.
Any help would be appreciated!
Per my knowledge, you could host it under /content path or /content/dam as nt:file or /etc/.. or /apps/.. using proxy accessible using/etc.clientlibs/..
Try it and revert if you get any issues.
I also had similar requirement and have used the process explained by @francisco.ribeiro .
In case you are hosting the HTML files in DAM, you can disable it by changing an OSGI Config:
Dam Safe Binary Filter (com.day.cq.dam.core.impl.servlet.DamContentDispositionFilter), remove text/html from Blacklisted Mime Types
It worked all good till 6.2, now we are upgrading to 6.4 and again now HTML files have started downloading, instead of rendering in browser. Is Dam Safe Binary filter deprecated in 6.4?
Any suggestion, how it can be done in 6.4, is there a way to enable same from content/dam?
In a regular HTTP response, the Content-Disposition
response header is a header indicating if the content is expected to be displayed inline in the browser, that is, as a Web page or as part of a Web page, or as an attachment, that is downloaded and saved locally.
Content-Disposition: inline or
Content-Disposition: attachment; filename="filename.jpg"
Content-Disposition - HTTP | MDN
Modify the header's value either via custom code in AEM or Apache mod_header. There should be a configuration in osgi to override the headers.
Thanks for replying so quick, but here is the case:
The static HTML files are not created in AEM, a different team designs ant write contents to them. Till 6.2 these HTML files were loading fine and now with 6.4 , we can not change the headers for hundreds of already live files.
I debugged more meanwhile for Dam safe Binary filter and observed that the configurations are not bound to any bundle in 6.4.
In 6.2 it was bound to a bundle under libs "jcrinstall:/libs/dam/install/cq-dam-core-5.8.172.jar".
what has happened to this configuration in 6.4?
I haven't got a chance to debug "what has changed" with this feature and cq-dam-core configurations. Probably a DayCare ticket would help in case no one is able to spend time on it.
Even if the file is not created in AEM, I assume it is still served by Apache where you can modify the headers. Ideal solution would be to fix it at source/AEM.
Thanks again for your reply!!
I will raise a day care, meanwhile can you please guide me, which service/configuration can be used to modify headers?
Have you made any progress with this?
I have raised a daycare ticket and they have suggested to uncheck the box in "Content Disposition Filter" as mentioned above.
But i have asked them back about security issue with enabling the checkbox, they are yet to reply on that.
Meanwhile if there are other options, it would be really helpful. Thanks.