Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

How do we allow post request to CQ from external sites?

Avatar

Level 1

By default Apache Sling Referrer Filter will block all the post requests, if I remove POST from 'Filter Methods' from  Apache Sling Referrer Filter it do allow, but i need specific URLS to be allowed not all the requests.

Can some one please help me on this.

1 Accepted Solution

Avatar

Correct answer by
Level 6

This is the CORS-problem (Cross-Origin Resource Sharing)

Basically, there are two ways of doing this.

1. Have the external domain use a JSONP and implement that interface. (See http://stackoverflow.com/questions/13893361/access-control-allow-origin-localhost).

2. You can manipulate on the Access-Control-Allow-Origin header in your response. (See https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=...)
Notice that this is not fully supported by all browsers yet.

edit:

I actually realized there is one more way just configuring the Sling Referrer Filter. Use the steps from http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/crx_security_checklist.html and enter the domains that can post to the Sling Post in the Allowed hosts. I would advice you to not use any external domains that you don't have control over.

 

/O

View solution in original post

5 Replies

Avatar

Correct answer by
Level 6

This is the CORS-problem (Cross-Origin Resource Sharing)

Basically, there are two ways of doing this.

1. Have the external domain use a JSONP and implement that interface. (See http://stackoverflow.com/questions/13893361/access-control-allow-origin-localhost).

2. You can manipulate on the Access-Control-Allow-Origin header in your response. (See https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=...)
Notice that this is not fully supported by all browsers yet.

edit:

I actually realized there is one more way just configuring the Sling Referrer Filter. Use the steps from http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/crx_security_checklist.html and enter the domains that can post to the Sling Post in the Allowed hosts. I would advice you to not use any external domains that you don't have control over.

 

/O

Avatar

Level 10

At CQ you need to custom implement for specific url.   

In general AEM relies on web application/server firewall to protect.For your usecase use referrer header-based solution which can either be achieved using mod_rewrite [1] or something more elaborate like mod_security [2] on the webserver tier.

[1] http://www.webmasterworld.com/forum92/3229.htm
[2] http://modsecurity.org/

Avatar

Level 1

Sham HC wrote...

At CQ you need to custom implement for specific url.   

In general AEM relies on web application/server firewall to protect.For your usecase use referrer header-based solution which can either be achieved using mod_rewrite [1] or something more elaborate like mod_security [2] on the webserver tier.

[1] http://www.webmasterworld.com/forum92/3229.htm
[2] http://modsecurity.org/

 


Hi Sham Thanks you very much for the reply, but in my case as the redirection comes from a payment gate way it is not adding the referrer in request header.

Is it possible to add the referrer header in dispatcher for a particular incoming request ?

Avatar

Level 1

Ove Lindstrm wrote...

This is the CORS-problem (Cross-Origin Resource Sharing)

Basically, there are two ways of doing this.

1. Have the external domain use a JSONP and implement that interface. (See http://stackoverflow.com/questions/13893361/access-control-allow-origin-localhost).

2. You can manipulate on the Access-Control-Allow-Origin header in your response. (See https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=...)
Notice that this is not fully supported by all browsers yet.

edit:

I actually realized there is one more way just configuring the Sling Referrer Filter. Use the steps from http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/crx_security_checklist.html and enter the domains that can post to the Sling Post in the Allowed hosts. I would advice you to not use any external domains that you don't have control over.

 

/O

 


Thank you very much Ove Lindstrm , but in my use case  the redirection comes from a payment gate way which does not add referrer header, I guess the allowed hosts will map against the referrer header which again will fail.

Avatar

Level 10

browser-reports Http Referer header with the domains/urls submitted for your particular setup.   Payment Gateways should pass it back to next integration layer.  Check your payment configuration to pass it.    Dispatcher just acts as proxy & does not add anything.  If required you can fake using rewrite.