Expand my Community achievements bar.

SOLVED

Restrict user access to /bin/querybuilder.json and /bin/security/authorizables.json on author

Avatar

Employee

 

I'd like to know if it's possible to restrict access for users to the following paths to prevent them being able to retrieve results of other users on AEM 6.5:

 

1./bin/querybuilder.json
2. /bin/security/authorizables.json

 

Questions:

1. Is it possible to configure AEM to restrict access to these paths?
2. If access restriction is possible, could you please provide details on how to achieve this?
3. Will implementing access restrictions have any consequences on out-of-the-box AEM functionalities?

 

 

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

Why do you want to restrict access to it? Because both will only return data which the user has read access to, so it cannot be misused to get access of otherwise non-accessible content.

View solution in original post

5 Replies

Avatar

Community Advisor

Hi, 

 

The easiest way would be to access the author instance through a dispatcher. This way, you could block those entries for all users at the dispatcher level, and the AEM functionality will remain intact.

 

Hope this helps



Esteban Bustamante

Avatar

Employee

Hi @sssaadw  
1.Is it possible to configure AEM to restrict access to these paths?

Yes, it is possible to configure AEM to restrict access to specific paths like /bin/querybuilder.json and /bin/security/authorizables.json. Access can be restricted using Dispatcher configurations or by setting appropriate permissions in AEM itself.

2.If access restriction is possible, could you please provide details on how to achieve this?

Access restriction can be achieved by configuring the Dispatcher filter rules or by configuring AEM user/group permissions:

Dispatcher Configuration: Using the Dispatcher, you can set up filter rules to deny access to the specified URLs. The Dispatcher works as AEM’s caching and/or load balancing tool, which can also be used to restrict access to certain paths by configuring the /filter section in the dispatcher.any file. For example, to deny access to the paths in question, you would add rules similar to the following:
/filter {
/0001 { /type "deny" /url "/bin/querybuilder.json*" }
/0002 { /type "deny" /url "/bin/security/authorizables.json*" }
}


3.Will implementing access restrictions have any consequences on out-of-the-box AEM functionalities?

Implementing access restrictions may have consequences depending on which users or groups are affected by the change. For example, restricting access to the /bin/querybuilder.json path might affect features or custom functionalities that rely on the Query Builder to retrieve information. Similarly, restricting access to /bin/security/authorizables.json might impact functionalities that rely on user/group information.

Avatar

Community Advisor

@sssaadw 

 

To restrict user access to /bin/querybuilder.json and /bin/security/authorizables.json on the author instance in Adobe Experience Manager (AEM), you can use the Sling Servlet Resolver's whitelist and blacklist configurations.

 

Here's how you can do it:

  1. Open the AEM Web Console by navigating to http://<your-aem-instance>:<port>/system/console/configMgr

  2. Search for "Apache Sling Servlet/Script Resolver and Error Handler" and click on it to open the configuration.

  3. In the "Servlet Resolver Whitelist" field, ensure that /bin/querybuilder.json and /bin/security/authorizables.json are not listed. This field lists the paths that are allowed to be accessed.

  4. In the "Servlet Resolver Blacklist" field, add /bin/querybuilder.json and /bin/security/authorizables.json. This field lists the paths that are not allowed to be accessed.

Please note that this will restrict access to these paths for all users, including administrators. If you want to allow certain users to access these paths, you may need to implement a custom solution such as a servlet filter, that checks the user's permissions before allowing access to these paths.

Avatar

Correct answer by
Employee Advisor

Why do you want to restrict access to it? Because both will only return data which the user has read access to, so it cannot be misused to get access of otherwise non-accessible content.

Avatar

Administrator

@sssaadw Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.



Kautuk Sahni