
SOLVED

Provide restricted access to /bin/querybuilder.json


Level 3

Hi, we need to provide restricted access to AEM's QueryBuilder JSON API to a 3rd party app. How can we add some sort of authorization/access restriction around this path: /bin/querybuilder.json?

We can't make it publicly accessible for security considerations.

1 Accepted Solution


Correct answer by
Community Advisor

With CUG or ACL, it will not work until the end user has a session in AEM. I think the best is to achieve it from the dispatcher.

If you want to do it via an AEM session, then you can use a Sling filter to check authentication for this path and return a 404 status code or continue the request.



Arun Patidar

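The Sling filter approach from the accepted answer, written out as an added example (this is not code from the thread or from Adobe). It registers a REQUEST-scope filter on /bin/querybuilder.json, answers 404 to anonymous callers, and only lets the request continue when the session user belongs to a dedicated group. The package name, the group name `querybuilder-api-consumers` and the `service.ranking` value are assumptions; the OSGi property names and the Jackrabbit/Sling APIs are real.

```java
package com.example.aem.security; // assumed package

import java.io.IOException;
import java.util.Iterator;

import javax.jcr.RepositoryException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.request.RequestPathInfo;
import org.apache.sling.api.resource.ResourceResolver;
import org.osgi.service.component.annotations.Component;

@Component(
    service = Filter.class,
    property = {
        "sling.filter.scope=REQUEST",
        // Regex on the request path; limits the filter to /bin/querybuilder.json
        "sling.filter.pattern=/bin/querybuilder\\.json.*",
        "service.ranking:Integer=1000" // assumed; run before other request filters
    })
public class QueryBuilderAccessFilter implements Filter {

    /** Group the 3rd-party integration user must belong to (assumed name). */
    static final String REQUIRED_GROUP = "querybuilder-api-consumers";

    @Override
    public void init(FilterConfig filterConfig) { /* nothing to initialise */ }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        SlingHttpServletRequest request = (SlingHttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        if (isQueryBuilderJson(request) && !isAllowed(request)) {
            // 404 rather than 403, as the accepted answer suggests, so the endpoint
            // is indistinguishable from a missing resource for unauthenticated callers.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, resp);
    }

    /** Second check in code in case the pattern property is changed later. */
    static boolean isQueryBuilderJson(SlingHttpServletRequest request) {
        RequestPathInfo info = request.getRequestPathInfo();
        return "/bin/querybuilder".equals(info.getResourcePath())
                && "json".equals(info.getExtension());
    }

    /** True only for a non-anonymous session whose user is a member of REQUIRED_GROUP. */
    static boolean isAllowed(SlingHttpServletRequest request) {
        ResourceResolver resolver = request.getResourceResolver();
        String userId = resolver.getUserID();
        if (userId == null || "anonymous".equals(userId)) {
            return false;
        }
        UserManager userManager = resolver.adaptTo(UserManager.class);
        if (userManager == null) {
            return false; // fail closed: cannot verify membership
        }
        try {
            Authorizable user = userManager.getAuthorizable(userId);
            if (user == null) {
                return false;
            }
            Iterator<Group> groups = user.memberOf(); // includes inherited groups
            while (groups.hasNext()) {
                if (REQUIRED_GROUP.equals(groups.next().getID())) {
                    return true;
                }
            }
        } catch (RepositoryException e) {
            return false; // fail closed on repository errors
        }
        return false;
    }

    @Override
    public void destroy() { }
}
```

The filter decides only who may call the endpoint, not what they may query: a user in the group still gets whatever their read ACLs allow, so the group should be a dedicated account for the 3rd party with the narrowest read permissions that still cover the DAM content it needs, and the dispatcher rule Arun mentions should stay in place as the outer layer.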

9 Replies


Community Advisor

Hi @beast42,

What do you want to expose through QueryBuilder? What is your requirement?


Level 3

We need to provide search capability to a 3rd party application. It will query AEM DAM and show results in their page.


Level 3

Hi, thanks for the response.

The Assets API does not provide search functionality.


Community Advisor

Hi,

I think you can enable basic auth at the Apache server only for this path.



Arun Patidar


Level 3

Thanks for the response @arunpatidar.

Is there any way we can call /bin/querybuilder.json from a Sling servlet? I was thinking maybe we can have a Sling servlet (tied to a resource page) which has some authentication (CUG or ACL)?



Employee Advisor

Hi @arunpatidar,

I have one question about this requirement: query AEM DAM via /bin/querybuilder.json and show the result.

Though we are talking about restricted access, what is the guarantee that the 3rd party user always queries /content/dam/? If they want, they can also query like the below:

https://<domain-name>/bin/querybuilder.json?path=/home/users&type=nt:base&p.limit=1000

and pull AEM user accounts as well, as shown below:

[screenshot from the original post: QueryBuilder result listing user accounts under /home/users]

Will it be a good idea to use /bin/querybuilder.json? Want to know your thoughts.


Community Advisor

Hi @DEBAL_DAS,

Yes, if the anonymous user has access to any path like /content, /conf, /etc, then they can query anything within these paths.

That is why it is recommended to create your own servlet with limited capabilities and expose it via a selector, e.g. /bin/querybuilder/asset.cam.json.

This will provide restricted access to the json extension.

Note: The servlet should be registered via resource type, not path.



Arun Patidar
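The "own servlet with limited capabilities" that Arun recommends, and the answer to DEBAL's concern about the caller choosing `path=/home/users`, as an added example that is not code from the thread or from Adobe. The servlet is bound by resource type (not path) with a selector and the json extension, and it builds the QueryBuilder predicate map itself: the caller supplies only a search term and an optional MIME-type prefix, while `path`, `type` and `p.limit` are fixed in code. The package, resource type, selector and parameter names are assumptions; the QueryBuilder, Sling and Gson APIs are real.

```java
package com.example.aem.search; // assumed package

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServletResponse;

import com.day.cq.search.PredicateGroup;
import com.day.cq.search.Query;
import com.day.cq.search.QueryBuilder;
import com.day.cq.search.result.Hit;
import com.day.cq.search.result.SearchResult;
import com.google.gson.JsonArray;
import com.google.gson.JsonObject;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.servlets.annotations.SlingServletResourceTypes;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

@Component(service = Servlet.class)
@SlingServletResourceTypes(
    resourceTypes = "myproject/components/page/asset-search", // assumed: the dedicated page's type
    selectors = "assets",
    extensions = "json",
    methods = "GET")
public class RestrictedAssetSearchServlet extends SlingSafeMethodsServlet {

    /** The only subtree the caller can ever search; not taken from the request. */
    static final String ALLOWED_ROOT = "/content/dam";
    static final int MAX_LIMIT = 50;
    static final int MAX_TERM_LENGTH = 100;
    // Assumed request parameter names
    static final String PARAM_TERM = "q";
    static final String PARAM_MIME = "mime";

    @Reference
    private QueryBuilder queryBuilder;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        Map<String, String> predicates =
                buildPredicates(request.getParameter(PARAM_TERM), request.getParameter(PARAM_MIME));
        if (predicates == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // The query runs as the request's own session, so the caller's read ACLs still apply.
        Session session = request.getResourceResolver().adaptTo(Session.class);
        Query query = queryBuilder.createQuery(PredicateGroup.create(predicates), session);
        SearchResult result = query.getResult();

        JsonArray hits = new JsonArray();
        for (Hit hit : result.getHits()) {
            try {
                JsonObject item = new JsonObject();
                item.addProperty("path", hit.getPath());
                item.addProperty("title", hit.getTitle());
                hits.add(item);
            } catch (RepositoryException e) {
                // skip a hit we cannot read rather than fail the whole response
            }
        }
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write(hits.toString());
    }

    /**
     * Builds the predicate map from the two caller-controlled values only.
     * Returns null when the input is unacceptable.
     */
    static Map<String, String> buildPredicates(String term, String mimePrefix) {
        if (term == null || term.trim().isEmpty() || term.length() > MAX_TERM_LENGTH) {
            return null;
        }
        Map<String, String> p = new HashMap<>();
        p.put("path", ALLOWED_ROOT);    // fixed: /home/users etc. are unreachable
        p.put("type", "dam:Asset");     // fixed: no nt:base / rep:User queries
        p.put("fulltext", term.trim());
        if (mimePrefix != null && !mimePrefix.isEmpty()) {
            if (!mimePrefix.matches("[a-z]+/[a-z0-9.+-]*")) {
                return null;
            }
            p.put("property", "jcr:content/metadata/dc:format");
            p.put("property.value", mimePrefix + "%");
            p.put("property.operation", "like");
        }
        p.put("p.limit", String.valueOf(MAX_LIMIT)); // fixed upper bound on result size
        return p;
    }
}
```

With a page of that resource type at, say, /content/myproject/search (an assumed location), the 3rd party calls /content/myproject/search.assets.json?q=logo&mime=image/ and never touches /bin/querybuilder.json at all, so the generic endpoint can stay blocked at the dispatcher. Because the predicate map is assembled in code, there is no parameter the caller can add to move the search root, change the node type or raise the limit; whatever else they need must be added here deliberately.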