How do we allow post request to CQ from external sites? | Community
October 16, 2015
Solved

  • October 16, 2015
  • 5 replies
  • 4739 views

By default the Apache Sling Referrer Filter blocks all POST requests. If I remove POST from 'Filter Methods' in the Apache Sling Referrer Filter it does allow them, but I need only specific URLs to be allowed, not all requests.

Can someone please help me with this?

Best answer by Ove_Lindström

5 replies

Ove_Lindström (Accepted solution)
Level 6
October 16, 2015

This is the CORS problem (Cross-Origin Resource Sharing).

Basically, there are two ways of doing this.

1. Have the external domain use JSONP and implement that interface. (See http://stackoverflow.com/questions/13893361/access-control-allow-origin-localhost).

2. You can manipulate the Access-Control-Allow-Origin header in your response. (See https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=HTTP_access_control)
Notice that this is not yet fully supported by all browsers.

edit:

I actually realized there is one more way, by just configuring the Sling Referrer Filter. Use the steps from http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/crx_security_checklist.html and enter the domains that can post to the Sling Post servlet in the Allowed hosts. I would advise you not to use any external domains that you don't have control over.

/O

Sham_HC
Level 10
October 16, 2015

In CQ you need a custom implementation for a specific URL.

In general AEM relies on a web application/server firewall for protection. For your use case, use a Referer header-based solution, which can be achieved either with mod_rewrite [1] or with something more elaborate like mod_security [2] on the web server tier.

[1] http://www.webmasterworld.com/forum92/3229.htm
[2] http://modsecurity.org/

October 16, 2015

Sham HC wrote...

In CQ you need a custom implementation for a specific URL.

In general AEM relies on a web application/server firewall for protection. For your use case, use a Referer header-based solution, which can be achieved either with mod_rewrite [1] or with something more elaborate like mod_security [2] on the web server tier.

[1] http://www.webmasterworld.com/forum92/3229.htm
[2] http://modsecurity.org/


Hi Sham, thank you very much for the reply, but in my case, as the redirection comes from a payment gateway, it does not add the Referer header to the request.

Is it possible to add the Referer header in the Dispatcher for a particular incoming request?

October 16, 2015

Ove Lindström wrote...

This is the CORS problem (Cross-Origin Resource Sharing).

Basically, there are two ways of doing this.

1. Have the external domain use JSONP and implement that interface. (See http://stackoverflow.com/questions/13893361/access-control-allow-origin-localhost).

2. You can manipulate the Access-Control-Allow-Origin header in your response. (See https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=HTTP_access_control)
Notice that this is not yet fully supported by all browsers.

edit:

I actually realized there is one more way, by just configuring the Sling Referrer Filter. Use the steps from http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/crx_security_checklist.html and enter the domains that can post to the Sling Post servlet in the Allowed hosts. I would advise you not to use any external domains that you don't have control over.

/O

Thank you very much Ove Lindström, but in my use case the redirection comes from a payment gateway which does not add a Referer header. I guess the allowed hosts will be matched against the Referer header, which again will fail.

Sham_HC
Level 10
October 16, 2015

The browser reports the HTTP Referer header with the domains/URLs submitted for your particular setup. Payment gateways should pass it back to the next integration layer. Check your payment configuration to pass it. The Dispatcher just acts as a proxy and does not add anything. If required, you can fake it using a rewrite.
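To make the decisions discussed in this thread concrete, here is a small Python model of a Referer-based POST allowlist. It is an added example, not the Sling Referrer Filter's own code and not from any poster: the policy fields mirror the filter's 'Filter Methods' and 'Allowed hosts' settings as described in the accepted answer, while `empty_allowed_paths`, the host names and the sample requests are constructed for illustration (a per-path exception for a missing Referer is an assumed extension, not a Sling setting). It covers the three cases the later replies turn on: a POST whose Referer host is on the allowlist, a POST from a payment gateway that sends no Referer at all, and a POST from an unrelated host. The caveat the missing-Referer case carries is that such a request cannot be told apart from a cross-site one by this check alone, so the example scopes the exception to a single return path instead of allowing empty referrers globally.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ReferrerPolicy:
    """Knobs modelled on the Sling Referrer Filter's 'Filter Methods' and
    'Allowed hosts' settings. empty_allowed_paths is NOT a Sling property;
    it is an assumed per-path exception for a payment-gateway return URL."""
    filter_methods: frozenset = frozenset({"POST", "PUT", "DELETE"})
    allowed_hosts: frozenset = frozenset()
    allow_empty: bool = False            # global allowance for a missing Referer
    empty_allowed_paths: frozenset = frozenset()


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def referer_host(referer):
    """Lower-cased hostname of a Referer URL; None if it is not an absolute URL."""
    try:
        return urlsplit(referer).hostname
    except ValueError:
        return None


def decide(policy, server_host, method, path, headers):
    """Return (allowed, reason) for one request, mimicking a referrer allowlist."""
    if method.upper() not in policy.filter_methods:
        return True, "method is not filtered"
    referer = get_header(headers, "Referer")
    if not referer:
        if policy.allow_empty:
            return True, "empty Referer allowed globally (weakens CSRF protection)"
        if path in policy.empty_allowed_paths:
            return True, "empty Referer allowed for this path only"
        return False, "missing Referer on a filtered method"
    host = referer_host(referer)
    if host is None:
        return False, "Referer is not an absolute URL"
    # Same-host POSTs (normal form submits) and allowlisted hosts pass.
    if host == server_host.lower() or host in policy.allowed_hosts:
        return True, f"Referer host {host} is allowed"
    return False, f"Referer host {host} is not in the allowlist"


# Hypothetical policy: trust one gateway host, and accept a Referer-less POST
# only on the checkout return path that the gateway redirects to.
POLICY = ReferrerPolicy(
    allowed_hosts=frozenset({"gateway.example"}),
    empty_allowed_paths=frozenset({"/content/shop/checkout/return"}),
)
SERVER = "www.shop.example"

# Constructed sample requests: (method, path, headers).
SAMPLE_REQUESTS = [
    ("POST", "/content/shop/checkout/return", {"Referer": "https://gateway.example/pay/done"}),
    ("POST", "/content/shop/checkout/return", {}),          # gateway sends no Referer
    ("POST", "/content/shop/other.form", {}),               # no Referer, path not excepted
    ("POST", "/content/shop/comment", {"referer": "https://www.shop.example/page.html"}),
    ("POST", "/content/shop/comment", {"Referer": "https://other.example/form.html"}),
    ("GET", "/content/shop/page.html", {}),
]


def evaluate_all(policy=POLICY, server_host=SERVER, requests=SAMPLE_REQUESTS):
    """Apply the policy to every sample request; returns (method, path, allowed, reason)."""
    return [(m, p, *decide(policy, server_host, m, p, h)) for m, p, h in requests]


if __name__ == "__main__":
    for method, path, allowed, reason in evaluate_all():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {method:4} {path:35} {reason}")
```

Running it prints one ALLOW/DENY line per sample request. The host comparison in `decide` is the same check an httpd `mod_rewrite` rule keyed on `%{HTTP_REFERER}` would enforce in front of the Dispatcher, as the second reply suggests; the per-path exception is where the asker's "specific URLs only" requirement lands in this model.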