Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn more

View all

Sign in to view all badges

SOLVED

List of packages getting exposed without logging in on publisher - AEM 6.5.8

ashishkhadpe
Level 3
Level 3

Hi All,

 

We are currently facing an issue of list of packages getting exposed without logging in on AEM.

 

For example if I hit the URL like http<s>://<host>:<port>/crx/packmgr/list.jsp, I can see the JSON response showing the complete details of packages installed.

 

Not sure if this is with AEM 6.5.8.

 

Any fix for this?

1 Accepted Solution
Rajashankar
Correct answer by
Level 4
Level 4

Hi @ashishkhadpe 

This is a feature as part of http service interface for package management.

 

You can block it by using a custom filter. Please refer this thread same way you can block by implementing your own logic as part  of servlet filter.

 

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-security-json-extensio...

 

Hope this helps.

 

Regards,

Rajashankar.R

View solution in original post

4 Replies
Arun_Patidar
Community Advisor
Community Advisor

Hi,

I don't see this issue in AEM 6.5.7

can you try on the vanilla instance?

snbaem
Community Advisor
Community Advisor

Hi,

 

I don't see it on 6.5.8 

This is the response for me. Doesn't look like an issue in 6.5.8

{"results":[],"total":0}

Could it be a difference in permissions for everyone group or anonymous user?

Ravi_Pampana
Community Advisor
Community Advisor

Hi,

 

I tried in AEM 6.5 plain instance, AEM 6.5.6 and AEM 6.5.8 and don't see the packages list showing up without login. Make sure that you are not logged into publish instance in any other tab

Rajashankar
Correct answer by
Level 4
Level 4

Hi @ashishkhadpe 

This is a feature as part of http service interface for package management.

 

You can block it by using a custom filter. Please refer this thread same way you can block by implementing your own logic as part  of servlet filter.

 

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/aem-security-json-extensio...

 

Hope this helps.

 

Regards,

Rajashankar.R

View solution in original post