Expand my Community achievements bar.

Guidelines for the Responsible Use of Generative AI in the Experience Cloud Community.

Right way to expose an endpoint/servlet from AEM author to 3rd party?

Avatar

Level 4

Hi All,

 

I have a use case where 3rd party system(webhook) make a POST call to AEM author and post it’s payload.

In this case, I need to expose an endpoint(servlet) from AEM author.

To do so, I did virtualise that endpoint through APIGW, whitelisted 3rd party system IP and shared my endpoint with 3rd party system.

Here the issue comes is, the requests from 3rd party is not accepted by AEM because of its authentication, to address this I’m passing ‘basic authentication header’ or ‘alias’ from APIGW to AEM Author.

But, one my leads mentioned that this is not right approach.

 

@aanchal_sikka , @Shashi_Mulugu , @Veena_Vikraman 

 

Can anyone suggest better way?

 

Thanks,

Raju.

8 Replies

Avatar

Community Advisor

Hi,

One approach can be exposing the servlet endpoint.

Security check can be at env level  by whitelisting only certain IP of third party(or use Mutual TLS

Apart from that at dispatcher level only defined set of method whether get or post should be allowed

We can sanitise payload in servlet with jsoup

Make sure to user service user with minimum required access like narrow down certain path and operations

Thanks

 

Avatar

Level 5

Hello,

you didn't mention what version of AEM are you using. In case you are on AEMaaCS please refer to this documentation: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/dev...

 

Good luck,

Daniel

Avatar

Community Advisor

Hi @Rajumuddana ,

Exposing an endpoint in AEM Author for a third-party system to make POST calls can be tricky, especially with authentication concerns. Your lead might be raising concerns about security and best practices. Here are a few points to consider:

  1. Authentication Mechanism: If you are using Basic Authentication, ensure that the credentials are securely managed. It's also good practice to use HTTPS to encrypt the transmission.

  2. Token-Based Authentication: Instead of Basic Authentication, consider using a more secure method like OAuth or JWT. This way, you can generate tokens for the third-party system that can be validated by AEM.

  3. IP Whitelisting: While whitelisting the IP of the third-party system is a good practice, it should be part of a broader security strategy.

  4. Endpoint Validation: Implement additional validation on the AEM side to ensure that the incoming requests are genuinely from the expected third-party service. This could include checking specific headers, payload structures, or signatures.

  5. Access Control: Ensure that the endpoint only allows the required operations (e.g., POST) and that appropriate permissions are in place.

  6. Logging and Monitoring: Set up logging and monitoring for incoming requests to track usage and identify potential issues.

for AEMaaCS: https://experienceleague.adobe.com/en/docs/experience-manager-cloud-service/content/implementing/dev... check this documentation.

- Sravan

Avatar

Level 4

Hi @B_Sravan ,

 

Thanks for your response.

Token-Based Authentication- this is not supported by my 3rd party, since this communication is one way (3rd party --POST--> AEM). Thats why they suggested to use HMAC validation to make sure the request/payload is genuine.

But, at AEM end instead of 'Basic authentication' (enriching the Headers in APIGW), shall i make endpoint/servlet accessed by 'Anonymous' User? or else, what is the best way to authenticate in this case?

 

Thanks,

Raju.

 

Avatar

Community Advisor

I am not sure about your use case to use AEM for expose something, but I am sure certainly this is not a way to do this specially in case of POST call.
My be after knowing your use case I will suggest some way in achieving your task done.

By the way people are using SlingServlet for the same purpose my be this could help you but be informed that will have its own cost for your instance.

Hope this helps

Umesh Thakur

Avatar

Administrator

@Rajumuddana Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!



Kautuk Sahni