
SOLVED

How do we allow post request to CQ from external sites?


Level 1

By default the Apache Sling Referrer Filter will block all POST requests. If I remove POST from 'Filter Methods' in the Apache Sling Referrer Filter it does allow them, but I need specific URLs to be allowed, not all requests.

Can someone please help me with this.

1 Accepted Solution


Correct answer by
Level 6

This is the CORS problem (Cross-Origin Resource Sharing).

Basically, there are two ways of doing this.

1. Have the external domain use JSONP and implement that interface. (See http://stackoverflow.com/questions/13893361/access-control-allow-origin-localhost).

2. You can manipulate the Access-Control-Allow-Origin header in your response. (See https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=...)
Notice that this is not fully supported by all browsers yet.

edit:

I actually realized there is one more way, just by configuring the Sling Referrer Filter. Use the steps from http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/crx_security_checklist.html and enter the domains that can post to the Sling Post servlet in the Allowed hosts. I would advise you not to use any external domains that you don't have control over.

/O


5 Replies



Level 10

In CQ you need a custom implementation for a specific URL.

In general AEM relies on a web application/server firewall to protect it. For your use case, use a referrer header-based solution, which can be achieved either with mod_rewrite [1] or with something more elaborate like mod_security [2] on the webserver tier.

[1] http://www.webmasterworld.com/forum92/3229.htm
[2] http://modsecurity.org/


Level 1

Sham HC wrote...

In CQ you need a custom implementation for a specific URL.

In general AEM relies on a web application/server firewall to protect it. For your use case, use a referrer header-based solution, which can be achieved either with mod_rewrite [1] or with something more elaborate like mod_security [2] on the webserver tier.

[1] http://www.webmasterworld.com/forum92/3229.htm
[2] http://modsecurity.org/

Hi Sham, thank you very much for the reply, but in my case, as the redirection comes from a payment gateway, it is not adding the referrer to the request header.

Is it possible to add the referrer header in the dispatcher for a particular incoming request?


Level 1

Ove Lindstrm wrote...

This is the CORS problem (Cross-Origin Resource Sharing).

Basically, there are two ways of doing this.

1. Have the external domain use JSONP and implement that interface. (See http://stackoverflow.com/questions/13893361/access-control-allow-origin-localhost).

2. You can manipulate the Access-Control-Allow-Origin header in your response. (See https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=...)
Notice that this is not fully supported by all browsers yet.

edit:

I actually realized there is one more way, just by configuring the Sling Referrer Filter. Use the steps from http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/crx_security_checklist.html and enter the domains that can post to the Sling Post servlet in the Allowed hosts. I would advise you not to use any external domains that you don't have control over.

/O

Thank you very much Ove Lindstrm, but in my use case the redirection comes from a payment gateway which does not add a referrer header. I guess the allowed hosts will be matched against the referrer header, which again will fail.


Level 10

The browser reports the HTTP Referer header with the domains/URLs submitted for your particular setup. Payment gateways should pass it back to the next integration layer. Check your payment configuration to pass it. The dispatcher just acts as a proxy and does not add anything. If required, you can fake it using a rewrite.
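An added example, not from any post in this thread and not Apache Sling's own code: a small Python model of the decision a referrer-based POST filter such as the Sling Referrer Filter makes, using the options the accepted answer and the later replies talk about (the filtered methods, the Allowed hosts list, and whether a request with no Referer at all is accepted). The host names and sample requests are constructed for the example; the "allow empty" switch models the behaviour the last replies describe for a gateway redirect that arrives without a Referer.

```python
"""Model of a referrer-based request filter (added example, not Sling's code).

The decision is: only configured methods are filtered; a missing Referer is
accepted only when allow_empty is on; a relative Referer is same-origin and
accepted; otherwise the Referer host must be the site's own host or one of
the configured allowed hosts.
"""
from urllib.parse import urlsplit

# Constructed sample configuration (hypothetical host names).
FILTER_METHODS = {"POST", "PUT", "DELETE"}
OWN_HOSTS = {"www.example.test"}                  # the site's own host names
ALLOWED_HOSTS = {"checkout.example-gateway.test"}  # the "Allowed hosts" entries


def referrer_allowed(method, headers, own_hosts=OWN_HOSTS,
                     allowed_hosts=ALLOWED_HOSTS, allow_empty=False):
    """Return (allowed, reason) for one request given its method and headers."""
    if method.upper() not in FILTER_METHODS:
        return True, "method not filtered"
    referer = headers.get("Referer")
    if not referer:
        # This is the payment-gateway case from the thread: no Referer at all.
        return allow_empty, "empty referrer"
    parts = urlsplit(referer)
    if not parts.scheme and not parts.netloc:
        # A relative Referer can only have come from this site itself.
        return True, "relative referrer"
    host = parts.hostname
    if host is None:
        return False, "unparseable referrer"
    if host in own_hosts or host in allowed_hosts:
        return True, f"host {host} allowed"
    return False, f"host {host} not in allow list"


# Constructed sample requests: (label, method, headers).
SAMPLE_REQUESTS = [
    ("gateway return with referrer", "POST",
     {"Referer": "https://checkout.example-gateway.test/return"}),
    ("gateway return, no referrer", "POST", {}),
    ("same-site form post", "POST",
     {"Referer": "https://www.example.test/form.html"}),
    ("relative referrer", "POST", {"Referer": "/content/form.html"}),
    ("cross-site post", "POST", {"Referer": "https://other-site.test/page"}),
    ("plain page view", "GET", {}),
]


def evaluate(allow_empty=False):
    """Run every sample request through the filter; returns {label: allowed}."""
    return {label: referrer_allowed(method, headers, allow_empty=allow_empty)[0]
            for label, method, headers in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for setting in (False, True):
        print(f"allow_empty={setting}")
        for label, ok in evaluate(setting).items():
            print(f"  {'ALLOW' if ok else 'BLOCK'}  {label}")
```

Running it shows the trade-off the thread arrives at: with the empty-referrer switch off, the gateway's redirect is blocked even though its host is on the allow list, because there is no Referer to match; switching it on lets that request through, but it also admits every other referrer-less POST, so the allow list no longer protects those paths. That is why the replies point to getting the gateway to send the Referer, or handling that one callback URL with a dedicated check, rather than relaxing the filter for the whole site.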