ashishkhadpe
Level 3
July 13, 2021
Answered

List of packages getting exposed without logging in on publisher - AEM 6.5.8

Hi All,

 

We are currently facing an issue of the list of packages getting exposed without logging in on AEM.

For example, if I hit a URL like http<s>://<host>:<port>/crx/packmgr/list.jsp, I can see the JSON response showing the complete details of the packages installed.

Not sure if this is with AEM 6.5.8.

Any fix for this?

This topic has been closed for replies.
Best answer by RajaShankar


4 comments

arunpatidar
Community Advisor
July 13, 2021

Hi,

I don't see this issue in AEM 6.5.7.

Can you try on the vanilla instance?

Arun Patidar
Shubham_borole
Community Advisor
July 13, 2021

Hi,

 

I don't see it on 6.5.8.

This is the response for me. Doesn't look like an issue in 6.5.8.

{"results":[],"total":0}

Could it be a difference in permissions for everyone group or anonymous user?

Ravi_Pampana
Community Advisor
July 13, 2021

Hi,

 

I tried in AEM 6.5 plain instance, AEM 6.5.6 and AEM 6.5.8 and don't see the packages list showing up without login. Make sure that you are not logged into the publish instance in any other tab.

RajaShankar
Community Advisor
Answer
July 13, 2021

Hi @ashishkhadpe 

This is a feature that is part of the HTTP service interface for package management.

You can block it by using a custom filter. Please refer to this thread; in the same way, you can block it by implementing your own logic as part of a servlet filter.

 

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-security-json-extension/qaq-p/319272

 

Hope this helps.

 

Regards,

Rajashankar.R
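
A way to verify the behaviour discussed in this thread from a clean client, before and after adding a filter (added example, not code from the thread or from Adobe): it requests `/crx/packmgr/list.jsp` with no cookies or credentials, so a login session in another browser tab cannot affect the result, and tells the empty listing `{"results":[],"total":0}` apart from a populated one. The function names and the package fields in the test data are constructed for illustration.

```python
import json
import sys
import urllib.error
import urllib.request

LIST_PATH = "/crx/packmgr/list.jsp"  # endpoint named in the thread


def classify(status, body):
    """Classify an unauthenticated response from list.jsp.

    Returns (verdict, package_count):
      "blocked" - non-200 status, or a body that is not the JSON listing
      "empty"   - JSON listing with no packages, as in {"results":[],"total":0}
      "exposed" - JSON listing that names at least one package
    """
    if status != 200:
        return ("blocked", 0)
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return ("blocked", 0)  # e.g. an HTML login page instead of JSON
    if not isinstance(doc, dict) or not isinstance(doc.get("results"), list):
        return ("blocked", 0)
    count = len(doc["results"])
    return ("exposed", count) if count else ("empty", 0)


def check(base_url, timeout=10):
    """Fetch list.jsp without cookies or credentials and classify the reply."""
    # urlopen's default opener keeps no cookie jar, so no session is reused.
    req = urllib.request.Request(base_url.rstrip("/") + LIST_PATH)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, "")


if __name__ == "__main__":
    # Usage: python check_packmgr.py https://<host>:<port>
    print(check(sys.argv[1]))
```

An "exposed" verdict on a publish instance points to the permissions question raised above (everyone group or anonymous user) or to a missing filter; "empty" matches the response reported for the 6.5.8 instance in this thread.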