We understand AEM is not a J2EE container, but it does have filters.
We are trying to integrate DataDome, which is a bot protection system to prevent hacking.
This is what needs to be added to the equivalent of web.xml:
<web-app>
  ...
  <filter>
    <filter-name>datadome-filter</filter-name>
    <filter-class>co.datadome.api.servlet.DataDomeFilter</filter-class>
    <init-param>
      <param-name>datadome.apikey</param-name>
      <param-value>YOUR_SECRET_LICENSE_KEY</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>datadome-filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  ...
</web-app>
Any idea how one might do this with AEM Cloud?
Maybe we can write a filter as a proxy to the required filter?
I'm thinking something like this, but it's a complete guess:
@SlingServletFilter(scope = {SlingServletFilterScope.REQUEST},
        pattern = "/.*",
        methods = {"GET", "POST"})
@Slf4j
@ServiceRanking(100)
public class DDFilter implements Filter {

    co.datadome.api.servlet.DataDomeFilter ddfilter;

    public void destroy() {
        ddfilter.destroy();
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        ddfilter.doFilter(req, resp, chain);
    }

    public void init(FilterConfig config) throws ServletException {
        ddfilter = new co.datadome.api.servlet.DataDomeFilter();
        ddfilter.init(??);
    }
}
AEM 6.x does not come with a web.xml anymore (early CQ5 versions did), so you cannot integrate this filter in the way which is documented by the filtering product. You need to create a wrapper (I would implement it on the OSGi HTTP Whiteboard level, not as a Sling filter), and then call this filter code.
For the details of the OSGi HTTP Whiteboard you can check the specification at https://docs.osgi.org/specification/osgi.cmpn/7.0.0/service.http.whiteboard.html#d0e121055
What do you want your CS environment to protect against?
I think that AEM by itself (of course not necessarily the application you build on top of it) is quite immune against many of the typical "attacks", because it's not a "typical" Java application (no Spring, Hibernate, SQL etc). This is especially true if you implement the security checklist properly. But I wonder what this filter (which I have never heard of) should help you here.
Can you elaborate in a bit more detail what type of attack this filter should prevent?
This is to protect against bots filling out and submitting account registration forms, to stop account harvesting by bots repeatedly calling the "does this email exist" API, to stop bots from brute-force password checks (usually from a list of known/stolen passwords for a given account), to stop bots hitting our document uploader etc, to stop networks trying to abuse bonuses, to block blacklisted countries and IPs, and it also has an easy "kill switch" and alerting when you are under attack. It's not for DDoS, it's to mitigate every other type of automated attack.
It does a similar job to Google reCAPTCHA, but without forcing 10% of valid customers to "select lamp posts" (v2) or us having to implement our own tuning algorithms and captcha (v3).
This protection is absolutely and 100% required for a high volume online gaming website.
DataDome does this by tracking (and blocking) known bot IPs (frequently from large networks of bot-infested PCs) using honeypots and learning from attacks, from behaviour analysis (learns how real users use the site), and by analysis of the client. Whereas Google CAPTCHA v2 has a false positive rate of around 10%, DataDome has around 0.1%.
Cloudflare have a similar product, which we have also used.
Yes, your assumption is correct
No web.xml or other configuration files to enable the filter; just add filter class to the core bundle
Sample
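import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.engine.EngineConstants;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.propertytypes.ServiceDescription;
import org.osgi.service.component.propertytypes.ServiceRanking;
import org.osgi.service.component.propertytypes.ServiceVendor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Registered as a request-scoped Sling filter through OSGi service properties.
@Component(service = Filter.class,
           property = {
               EngineConstants.SLING_FILTER_SCOPE + "=" + EngineConstants.FILTER_SCOPE_REQUEST,
           })
@ServiceDescription("Demo to filter incoming requests")
@ServiceRanking(-700)
@ServiceVendor("Adobe")
public class LoggingFilter implements Filter {

    private final Logger logger = LoggerFactory.getLogger(getClass());

    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response,
                         final FilterChain filterChain) throws IOException, ServletException {
        final SlingHttpServletRequest slingRequest = (SlingHttpServletRequest) request;
        logger.debug("request for {}, with selector {}",
                slingRequest.getRequestPathInfo().getResourcePath(),
                slingRequest.getRequestPathInfo().getSelectorString());
        // Pass the request on to the next filter in the chain.
        filterChain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}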
Regards
Albin
Thanks for the reply. Unfortunately, we are not trying to write our own filter (we already have several of these), we are trying to integrate a 3rd party filter.
Thanks, I looked at this whiteboard page, but I can't see how it can help me, or how it's different from creating a filter as a wrapper (as per my example in the main post), or even where to put the code.
I can create a normal filter wrapper under the filters directory, and I have guessed how to instantiate it and call it, but can't guess how to pass in parameters.
public void init(FilterConfig config) throws ServletException {
    ddfilter = new co.datadome.api.servlet.DataDomeFilter();
    ddfilter.init(??);
}
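Added example, not part of the thread and not DataDome's or Adobe's code: one way to wrap a third-party servlet filter at the OSGi HTTP Whiteboard level and hand it the init parameters that web.xml would have supplied. It assumes the DataDome classes are embedded in the bundle, that `datadome.apikey` is the only required init parameter (the only one shown above), and that the Sling servlet context is named `org.apache.sling`; the class name `DataDomeFilterWrapper` is hypothetical.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import org.osgi.service.component.annotations.*;
import org.osgi.service.http.whiteboard.propertytypes.*;
import org.osgi.service.metatype.annotations.*;

// Hypothetical wrapper: registered on the HTTP Whiteboard, delegates to the vendor filter.
@Component(service = Filter.class)
@HttpWhiteboardFilterPattern("/*")
// Assumption: Sling's servlet context name, so the filter sees requests handled by AEM.
@HttpWhiteboardContextSelect("(osgi.http.whiteboard.context.name=org.apache.sling)")
@Designate(ocd = DataDomeFilterWrapper.Config.class)
public class DataDomeFilterWrapper implements Filter {

    @ObjectClassDefinition(name = "DataDome filter wrapper")
    public @interface Config {
        // Maps to the OSGi property "datadome.apikey"; keep the value in configuration, not in source.
        @AttributeDefinition(type = AttributeType.PASSWORD)
        String datadome_apikey();
    }

    private final Filter delegate = new co.datadome.api.servlet.DataDomeFilter();
    private Map<String, String> initParams;

    @Activate
    protected void activate(Config cfg) {
        initParams = Collections.singletonMap("datadome.apikey", cfg.datadome_apikey());
    }

    @Override
    public void init(FilterConfig containerConfig) throws ServletException {
        // Stand-in for the <init-param> entries of web.xml.
        delegate.init(new FilterConfig() {
            public String getFilterName() { return "datadome-filter"; }
            public ServletContext getServletContext() { return containerConfig.getServletContext(); }
            public String getInitParameter(String name) { return initParams.get(name); }
            public Enumeration<String> getInitParameterNames() { return Collections.enumeration(initParams.keySet()); }
        });
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        delegate.doFilter(req, resp, chain);
    }

    @Override
    public void destroy() { delegate.destroy(); }
}
```

The Whiteboard specification linked above also passes service properties prefixed with `filter.init.` to the filter as init parameters, which is an alternative when the vendor filter instance is registered as the service directly.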