Hi Team,
We have considerable functionality built where we are making jQuery ajax calls to an AEM sling servlet, which then invokes a REST API to fetch/post data from other systems such as SFDC/SAP. We are aware that incoming POST calls to AEM for modifications are filtered, but is there any OOTB way to secure AEM sling servlets in this case? We are making sure to make the jQuery ajax post call send parameters in the request body.
Did anyone implement a security token methodology where the token is generated at server side, passed in the jQuery ajax call request data, and then validated?
Any pointers on this would be helpful.
Thanks
Srikanth
Hi @srikanthpogula!
The recommended way for Sling servlet registration is to bind them to resource types. This way, all default mechanisms for access control management of the JCR apply. The system will manage access based on the ACLs set on the corresponding resource.
As outlined in the Sling documentation, this does not apply to path-bound servlets, which is one of the major drawbacks of this binding approach. Please see https://sling.apache.org/documentation/the-sling-engine/servlets.html#caveats-when-binding-servlets-...
So there is no OOTB way to handle access control for path-bound servlets, and for most use cases it is not recommended to bind servlets based on path.
That being said, there are some ideas on how to handle this case:
Update 1:
Thanks for sharing additional details on your use case, @srikanthpogula!
You clarified that your servlet is bound to specific resource types. That's good!
In this case, you can leverage AEM's default mechanisms for access control. You specify permissions for certain groups on your content hierarchy, and the system will check if the user/session trying to access the resource has the corresponding permissions.
Example:
In this case, AEM will automatically check if the requesting user has an active session and the corresponding permissions to access the resource. The method of invoking this request does not matter; it can be via jQuery/AJAX, Postman/Fiddler, curl or whatever. If the request has session information (e.g. a cookie) identifying the user as logged in with valid permissions, the request will succeed. Otherwise it will be declined (depending on your setup: redirect to a login page or return a 401, 403 or 404 HTTP response code).
Update 2:
Taking your latest comment into account, your requirement is not about authentication or authorization but aims to prevent abuse of a publicly available endpoint. While every regular user should be able to use your website (which includes AJAX calls to the respective endpoint/servlet), you want to prevent unintended or malicious requests to the servlet.
Is my understanding correct?
Are you looking for a protection against DoS/DDoS and the like?
There is no OOTB functionality in AEM that supports such requirements. While AEM comes with various security features, including a framework for CSRF protection, I'm not quite sure if any of this will help for your use case. But please read through the links and check for yourself if this can help.
Apart from that, there are 3rd party tools, such as Web Application Firewalls (WAF), which may help increase the security of your application. I've seen customers implement mod_security with its core rule set (CRS).
Hope that helps!
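As an added illustration of the resource-type binding described in the answer above (example code, not from the thread or from Adobe): a servlet registered for a hypothetical resource type "mysite/components/sfdc-proxy". Because requests are resolved against a JCR resource first, a session without read access to that resource never reaches doPost; on top of that ACL check the servlet requires membership of a hypothetical "sfdc-api-users" group.

```java
import java.io.IOException;
import java.util.Iterator;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServletResponse;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.apache.sling.servlets.annotations.SlingServletResourceTypes;
import org.osgi.service.component.annotations.Component;

// Added example. Bound to a resource type, not a path, so the JCR ACLs on the
// resource being posted to are enforced by Sling before doPost is ever called.
@Component(service = Servlet.class)
@SlingServletResourceTypes(resourceTypes = "mysite/components/sfdc-proxy", methods = "POST")
public class SfdcProxyServlet extends SlingAllMethodsServlet {

    private static final String REQUIRED_GROUP = "sfdc-api-users"; // hypothetical group

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        // Defence in depth: beyond read access to the resource, require a specific group.
        if (!isMemberOf(request, REQUIRED_GROUP)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // ... forward the POST body parameters to the backend REST API here ...
        response.setContentType("application/json");
        response.getWriter().write("{\"status\":\"ok\"}");
    }

    // True if the requesting user is a direct or inherited member of the named group.
    static boolean isMemberOf(SlingHttpServletRequest request, String groupId) throws IOException {
        try {
            UserManager um = request.getResourceResolver().adaptTo(UserManager.class);
            Authorizable user = um == null ? null
                    : um.getAuthorizable(request.getResourceResolver().getUserID());
            if (user == null) return false;   // anonymous or unknown principal
            Iterator<Group> groups = user.memberOf();
            while (groups.hasNext()) {
                if (groupId.equals(groups.next().getID())) return true;
            }
            return false;
        } catch (javax.jcr.RepositoryException e) {
            throw new IOException(e);
        }
    }
}
```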
Hi @markus_bulla_adobe, we registered the AEM sling servlets using resource type; they are not path bound.
Can you please elaborate on the two suggestions you made? If possible, can you please point me to documentation or resources where I can get more information on these?
Hi @srikanthpogula!
I have updated my initial answer to reflect the provided information.
Hope that helps!
First, security can be extended by using a resourceType-based servlet and then using OOB ACLs to not let any user invoke the servlet.
You can take advantage of JWT to secure your servlet call by validating the tokens, passed by ajax, on the server side.
These are the two ways you can use, to my knowledge.
Hope this will help.
Umesh Thakur
So your requirement is only to secure the Sling Servlet, right?
We also had a similar requirement, where only an admin user could execute the servlet; for that I simply get the userId from the session and put the condition in the doPost method like:
```java
// Inside doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
Session session = request.getResourceResolver().adaptTo(Session.class);
String userId = session != null ? session.getUserID() : null;
if (StringUtils.isNotEmpty(userId) && userId.equalsIgnoreCase("admin")) {
    //// your stuff
} else {
    response.getWriter().print("You need to login as admin to run the script.");
}
```
You can do the same thing for other conditions as well.
I am not able to find any JWT implementation in AEM for you, but I have done it in a simple Java application with the help of the
org.springframework.web.filter.OncePerRequestFilter class, filtering requests to get the tokens validated before processing the request.
Hope this will help.
Umesh Thakur
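The AEM-side counterpart of the OncePerRequestFilter approach mentioned above, as an added example that is not from the thread: a Sling request filter that verifies the HS256 signature of a JWT sent by the Ajax call in an Authorization: Bearer header before the servlet runs. The secret, the content path pattern and the header choice are assumptions; the filter checks the signature only, so claim validation (expiry, audience) still has to follow.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.service.component.annotations.Component;

// Added example: runs once per request for the hypothetical /content/mysite subtree
// and rejects the request unless a correctly signed token is present.
@Component(service = Filter.class, property = {"sling.filter.scope=request",
        "sling.filter.pattern=/content/mysite/.*"})
public class JwtValidationFilter implements Filter {
    // Placeholder: in real code load the secret from OSGi configuration, never hard-code it.
    private static final byte[] SECRET = "replace-with-configured-secret".getBytes(StandardCharsets.UTF_8);

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String auth = request.getHeader("Authorization");
        String token = auth != null && auth.startsWith("Bearer ") ? auth.substring(7) : null;
        if (token == null || !hasValidHs256Signature(token, SECRET)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid token");
            return;
        }
        chain.doFilter(req, res); // signature verified; validate "exp" and other claims next
    }

    // Recomputes HMAC-SHA256 over "header.payload" of a compact JWS and compares it in constant
    // time. The "alg" header is deliberately ignored, so an attacker cannot downgrade it.
    static boolean hasValidHs256Signature(String jws, byte[] secret) {
        String[] parts = jws.split("\\.");
        if (parts.length != 3) return false;
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] expected = mac.doFinal((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            byte[] actual = Base64.getUrlDecoder().decode(parts[2]);
            return MessageDigest.isEqual(expected, actual);
        } catch (Exception e) {
            return false; // malformed base64url or crypto provider problem: treat as invalid
        }
    }
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```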