SOLVED

Question about servlet domain when interacting with an api


Level 2

Greetings,
For security reasons, our client has asked us to add the header "Access-Control-Allow-Origin" with a list of our sites' domains.
But I was specifically wondering about one particular aspect of API integration.
We use AEMaaCS.

So in our case, we call an internal servlet, from which we then call the API; I will attach some snippets as a visual example.

When the API receives our request in that case, is the sender the domain from which we initially called the servlet (www.example.com), or is it the domain of our specific Adobe servlet?

Thanks in Advance!

Best Regards,

Daniel


1 Accepted Solution


Correct answer by
Level 4

Hi @DanielMa63 ,


You have a website like www.example.com, and on that site, you trigger a call to a custom servlet inside AEM. That servlet then talks to your backend API.

Now, your client asked to add an Access-Control-Allow-Origin header to allow only certain website domains to call the API.

But here’s the key point:

The API is not being called directly by the browser (www.example.com).
Instead, it’s being called by the AEM server itself (from the servlet code).

So when the API receives the request, it doesn’t know or care about www.example.com — it only sees that AEM is making the call.

So what does this mean?

  • The domain seen by the API is AEM’s domain, not your site’s domain.

  • The CORS header (Access-Control-Allow-Origin) is only needed when the browser directly calls the API – and that’s not happening here.

  • In your case, the API should allow calls from AEM, not from www.example.com.

Bottom line:

Even though your user is on www.example.com, the API only sees AEM as the caller — not the browser. So, the client should allow AEM’s server in their rules, not your site’s domain.


Thanks & Regards,

Vishal


4 Replies



Level 2

Yes, thanks for the response, it resolves my doubt!


Community Advisor

Hi @DanielMa63,

Based on your code and description, here is what I understood:

  • You have an internal servlet (DruidLoginServlet) hosted within AEMaaCS.

  • That servlet makes an outbound call to an external API using a method like callApiDruidGet(...) via HttpClient.

  • The frontend (e.g. www.example.com) makes a request to your servlet.

  • That servlet then calls the external API.

When your AEM servlet (on AEMaaCS) sends a request to the API from the backend, the origin of the request (from the API’s point of view) is AEMaaCS's server infrastructure, not the original browser/client (i.e. not www.example.com).

More precisely:

  • The Origin or Referer headers that an external API sees will typically be those of AEMaaCS, unless:

    • You manually forward the original headers from the client

    • Or the client sends the request directly to the API (not your servlet)

Access-Control-Allow-Origin: This header is only relevant in responses from the API to the browser, not in requests.

Here’s how it works:

  • If a browser makes a cross-origin AJAX call, the API response must include the correct Access-Control-Allow-Origin to allow it.

  • But in your case, the browser is not calling the API; your AEM backend is.

So the external API does not need to return CORS headers (like Access-Control-Allow-Origin) unless the frontend itself directly calls the external API from the browser.


Is that what you are trying to understand in your original request?


Santosh Sai

AEM Blogs | LinkedIn
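The two call paths both answers describe, as an added Python illustration written for this page (it is not AEM, Sling or Apache HttpClient code): an API-side helper that emits Access-Control-Allow-Origin only for an allow-listed Origin, plus constructed header sets for a direct browser call versus the relayed call the servlet makes. The allow-list, the hostnames and the X-Forwarded-Origin header name are assumptions made for the example.

```python
"""Added example for the thread above (not AEM or Sling project code).

Requests are modelled as plain header dicts so the logic runs offline.
"""
from typing import Dict, Optional

# Constructed allow-list of site origins; a real API would load this from config.
ALLOWED_ORIGINS = frozenset({"https://www.example.com", "https://shop.example.com"})

# Constructed hostname standing in for the AEMaaCS publish tier.
AEM_HOST = "aem-publish.example"


def cors_headers_for(request_headers: Dict[str, str],
                     allowed_origins=ALLOWED_ORIGINS) -> Dict[str, str]:
    """Return the CORS response headers the API should add for one request.

    Only an Origin that is on the allow-list is echoed back. Anything else,
    including a request that carries no Origin header at all, gets no CORS
    headers. Echoing an arbitrary Origin, or answering '*' on an endpoint
    that uses cookies, would defeat the restriction the client asked for.
    """
    origin = request_headers.get("Origin")
    if origin is None or origin not in allowed_origins:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        # Caches must key on Origin so one site's answer is not served to another.
        "Vary": "Origin",
    }


def caller_seen_by_api(request_headers: Dict[str, str], peer_host: str) -> str:
    """Describe what the API can conclude about the caller from the request alone."""
    origin = request_headers.get("Origin")
    if origin is not None:
        return f"browser page at {origin}"
    # No Origin header: a server-side HTTP client made the call, so the only
    # identity the API has is the peer it is talking to.
    return f"server-to-server call from {peer_host}"


def browser_request(page_origin: str) -> Dict[str, str]:
    """Constructed headers a browser attaches to a cross-origin fetch() from page_origin."""
    return {
        "Host": "api.partner.example",
        "Origin": page_origin,
        "Referer": page_origin + "/login",
    }


def relayed_request(forward_client_origin: Optional[str] = None) -> Dict[str, str]:
    """Constructed headers the API sees when the AEM servlet calls it from the backend.

    A server-side client sends no Origin or Referer. If the servlet copies the
    user's origin into a custom header (hypothetical name X-Forwarded-Origin),
    the API still must not treat it as a CORS Origin: it is a value the server
    chose to send, not something the browser enforced.
    """
    headers = {"Host": "api.partner.example", "User-Agent": "aem-servlet-httpclient"}
    if forward_client_origin is not None:
        headers["X-Forwarded-Origin"] = forward_client_origin
    return headers


if __name__ == "__main__":
    for label, hdrs, peer in (
        ("browser -> API, allowed site", browser_request("https://www.example.com"), "203.0.113.10"),
        ("browser -> API, other site", browser_request("https://other.example"), "203.0.113.10"),
        ("browser -> AEM servlet -> API", relayed_request(), AEM_HOST),
        ("same, with origin forwarded", relayed_request("https://www.example.com"), AEM_HOST),
    ):
        print(f"{label}: seen as {caller_seen_by_api(hdrs, peer)}; "
              f"CORS headers {cors_headers_for(hdrs) or 'none'}")
```

The third and fourth cases are the thread's situation: the API sees the AEM host as the caller and has no browser Origin to match against the client's list, so the allow-list has to be enforced on the AEM side (which origins may call the servlet) or by whatever the API uses to authenticate AEM itself, not by a CORS header on the API.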



Level 2

Yes, that is what I was wondering, thanks!