Adobe Experience Manager Sites & More

Love_Sharma · 15.01.21

Dear Members,

I tried adding custom values to below AEM config under /apps/*/config

org.apache.sling.engine.impl.auth.SlingAuthenticator

org.apache.sling.servlets.resolver.SlingServletResolver

And whenever I restart my instance, I get Resource at '/' not found: No resource found and also when I logout from home screen, same error.

Also, when I go to http://localhost:4502/crx/de/index.jsp# and login from CRX, I am back in session.

Any help appreciated.

Thanks

Jörg_Hoh · 18.01.21

If you get that message it seems that you broke/misconfigured the authentication system.

Lösung in ursprünglichem Beitrag anzeigen

Vijayalakshmi_S · 18.01.21

Hi @Love_Sharma,

Please provide the details of properties that are modified as part of the mentioned configs. (Sling Authenticator and Sling Servlet resolver) and reason for the same/functionality you are trying to achieve.

Love_Sharma · 19.01.21

@Vijayalakshmi_S OOTB properties were not touched and I added my own custom property as shown below. When I tried putting these new values in code base under /config, I encountered the error. I tried putting just the new values adding -domain to the config's PID & using OOTB PID as is mentioning existing and custom values but the time I restart my AEM, I face the issue.

Vijayalakshmi_S · 19.01.21

The two configs shared are not factory configs. Hence we need not add any identifier say "-domain" to the PID while creating OSGI config via code - Remove the same and try.

Alternatively, to assure the issue is not with values you mentioned for the properties, in another fresh instance add these values directly in Felix console instead of code/config node -> check if it works fine.

Jörg_Hoh · 19.01.21

Hi,

please don't change these settings like this. The configuration in the servlet resolver allows anyone (with write access) to place JSPs within /content/ and get them executed. That's definitely a security concern.

The config change for authorization has less side effects regarding security, but I would definitely question its usefulness. I think that you are having an authoring instace here.

Love_Sharma · 19.01.21

@Vijayalakshmi_S Initially haven't added -domain but when it didn't worked added -domain for testing purpose. And I tried adding directly to Felix, that broke the instance too. Wondering if it's a good idea to edit these configs as mentioned by Jörg_Hoh

Love_Sharma · 19.01.21

Jörg_Hoh What I understood from your security concern, we should not edit these configuration with custom values and think of other way to do it ? Please correct me if I get this wrong. Also, if you could educate more on this topic it will be helpful

Jörg_Hoh · 23.01.21

@Love_Sharma I would not add a path below /content into the execution paths of the Sling Servlet Resolver configuration. Because Sling is looking there for scripts/servlets resolving resourcetype. An attack vector could be, that an author creates a component node structure below /content (where the author has write permission), and creates a page referencing that component. With this approach it's possible for the author to execute custom code and on the server.