SOLVED

Secure sling servlet - Need suggestions

Avatar

Level 5

Hi Team,

We have considerable functionality built where we are making jQuery ajax calls to an AEM Sling servlet, which then invokes a REST API to fetch/post data from other systems such as SFDC/SAP. We are aware that incoming POST calls to AEM for modifications are filtered, but is there any OOTB way to secure AEM Sling servlets in this case? We are making sure the jQuery ajax POST call sends its parameters in the request body.

Did anyone implement a security token methodology, where the token is generated on the server side, passed in the jQuery ajax call request data and then validated?

Any pointers on this would be helpful.

 

Thanks

Srikanth

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

Hi @srikanthpogula!

The recommended way for Sling servlet registration is to bind them to resource types. This way, all default mechanisms for access control management of the JCR apply. The system will manage access based on the ACLs set on the corresponding resource.

As outlined in the Sling documentation, this does not apply to path-bound servlets, which is one of the major drawbacks of this binding approach. Please see https://sling.apache.org/documentation/the-sling-engine/servlets.html#caveats-when-binding-servlets-...

So there is no OOTB way to handle access control for path-bound servlets, and for most use cases it is not recommended to bind servlets based on path.

 

That being said, there are some ideas on how to handle this case:

  • You could build your own module to check for permissions and integrate that with your servlet.
  • You could build a synthetic content hierarchy that reflects your servlet(s), apply ACLs to this structure and check it in your servlet.

 

Update 1:

Thanks for sharing additional details on your use case, @srikanthpogula!

You clarified that your servlet is bound to specific resource types. That's good!

In this case, you can leverage AEM's default mechanisms for access control. You specify permissions for certain groups on your content hierarchy, and the system will check whether the user/session trying to access the resource has the corresponding permissions.

Example:

In this case, AEM will automatically check whether the requesting user has an active session and the corresponding permissions to access the resource. The method of invoking this request does not matter; it can be via jQuery/AJAX, Postman/Fiddler, curl or whatever. If the request carries session information (e.g. a cookie) identifying the caller as a logged-in user with valid permissions, the request will succeed. Otherwise it will be declined (depending on your setup: redirect to a login page, or return a 401, 403 or 404 HTTP response code).

 

Update 2:

Taking your latest comment into account, your requirement is not about authentication or authorization but aims to prevent abuse of a publicly available endpoint. While every regular user should be able to use your website (which includes AJAX calls to the respective endpoint/servlet), you want to prevent unintended or malicious requests to the servlet.

Is my understanding correct?
Are you looking for a protection against DoS/DDoS and the like?

 

There is no OOTB functionality in AEM that supports such requirements. While AEM comes with various security features, including a framework for CSRF protection, I'm not quite sure whether any of this will help for your use case. But please read through the links and check for yourself whether this can help.

Apart from that, there are 3rd-party tools, such as Web Application Firewalls (WAF), which may help increase the security of your application. I've seen customers implement mod_security with its core rule set (CRS).

 

Hope that helps!

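To make the accepted answer concrete, here is an added example of a resource-type-bound servlet that also implements the second suggestion (a synthetic ACL node checked inside the servlet). This is my illustration, not code from Adobe or from the original poster; the resource type "example/components/crm-proxy", the selector "sync", the node path "/conf/example/servlet-acl/crm-sync" and the accountId format are assumptions. Because the servlet is selected by resource type, Sling first resolves the addressed resource for the caller's session; a user who lacks jcr:read on it gets a non-existing resource and doPost is never entered. That is the OOTB access control the answer refers to. Note the caveat from Update 2: on a site where anonymous already has read access to the page, the ACL distinguishes nothing, so the servlet's own input validation is the control that actually matters.

```java
package com.example.aem.servlets;

import java.io.IOException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.HttpConstants;
import org.apache.sling.api.servlets.ServletResolverConstants;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;

/**
 * Added example: a servlet bound to a resource type, NOT to a path.
 * A path-bound registration would instead use
 *   ServletResolverConstants.SLING_SERVLET_PATHS + "=/bin/example/crm"
 * and would be reachable regardless of JCR ACLs on any content.
 * With the resource-type binding below, the request reaches doPost only
 * if the caller's session can resolve a resource of that type, e.g.
 *   POST /content/example/en/contact/jcr:content/crm-proxy.sync.json
 */
@Component(
    service = Servlet.class,
    property = {
        ServletResolverConstants.SLING_SERVLET_RESOURCE_TYPES + "=example/components/crm-proxy", // assumed
        ServletResolverConstants.SLING_SERVLET_METHODS + "=" + HttpConstants.METHOD_POST,
        ServletResolverConstants.SLING_SERVLET_SELECTORS + "=sync",   // assumed
        ServletResolverConstants.SLING_SERVLET_EXTENSIONS + "=json"
    })
public class CrmProxyServlet extends SlingAllMethodsServlet {

    /** Hypothetical "synthetic" node whose ACL decides who may invoke the proxy. */
    private static final String ACL_NODE = "/conf/example/servlet-acl/crm-sync";

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // The caller's own JCR session: ACLs are evaluated against this user, not a service user.
        Session session = request.getResourceResolver().adaptTo(Session.class);
        if (session == null || !mayInvoke(session)) {
            response.sendError(SlingHttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Never forward raw client input to SFDC/SAP: enforce the expected shape first.
        // Assumed format: a Salesforce-style 15- or 18-character alphanumeric id.
        String accountId = request.getParameter("accountId");
        if (accountId == null || !accountId.matches("[A-Za-z0-9]{15,18}")) {
            response.sendError(SlingHttpServletResponse.SC_BAD_REQUEST, "invalid accountId");
            return;
        }

        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        // ... call the back-end with a server-side credential here, then write its result ...
        response.getWriter().write("{\"status\":\"accepted\"}");
    }

    /** Second suggestion from the answer: the request proceeds only if the caller can read ACL_NODE. */
    static boolean mayInvoke(Session session) {
        try {
            return session.hasPermission(ACL_NODE, Session.ACTION_READ);
        } catch (RepositoryException e) {
            return false; // fail closed on repository errors
        }
    }
}
```

Grant jcr:read on the ACL node only to the groups that should be able to call the integration; everyone else is rejected with 403 before any parameter is touched. Keep the check on the caller's session, not on a service resource resolver, otherwise the ACL is evaluated for the wrong principal.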

10 Replies

Hi @markus_bulla_adobe, we registered AEM sling servlets using resource type, they are not path bound.

Can you please elaborate on the two suggestions you made, if possible can you please point me to documentation or resources where i can get more information on these?

Avatar

Employee Advisor

Hi @srikanthpogula!

I have updated my initial answer to reflect the provided information.

Hope that helps!

Thanks @markus_bulla_adobe, for the information. Actually we do not have login functionality for our website, content/servlet is accessible for anonymous user.

Avatar

Employee Advisor

Hi @srikanthpogula!

Another update from my side added to my initial answer.

Hope that helps!

Avatar

Community Advisor

First, security can be extended by using a resourceType-based servlet and then using OOB ACLs to not let any user invoke the servlet.

You can take advantage of JWT to secure your servlet call by validating the tokens, passed by ajax, on the server side.

These are the two ways you can use, to my knowledge.

Hope this will help.

Umesh Thakur

Avatar

Level 5
Hi @Umesh_Thakur, we registered the AEM Sling servlets using a resource type; they are not path bound. Can you point me to a resource on JWT or examples of it?

Avatar

Community Advisor

So your requirement is to only secure Sling Servlet, right?

We also had a similar requirement, where only the admin user may execute the servlet. For that I simply get the userId from the session and put the condition in the doPost method like:

    // JCR session of the user who sent the request
    Session session = request.getResourceResolver().adaptTo(Session.class);
    String userId = session != null ? session.getUserID() : null;

    if (StringUtils.isNotEmpty(userId) && userId.equalsIgnoreCase("admin")) {
        //// your stuff
    } else {
        // reject with a real status code instead of a 200 carrying an error text
        response.setStatus(SlingHttpServletResponse.SC_FORBIDDEN);
        response.getWriter().print("You need to login as admin to run the script.");
    }

 

You can do the same thing if your case is like that. Otherwise, I am not able to find any JWT implementation in AEM for you, but I had done it in a simple Java application with the help of the org.springframework.web.filter.OncePerRequestFilter class, filtering the requests to get the tokens validated before processing the request.

 

Hope this will help.

Umesh Thakur
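The token idea raised in this reply (JWT validated on the server) and in the original question (a server-generated token sent back with the jQuery ajax data) comes down to the same mechanism: the server mints a signed, short-lived value, the page sends it back, and the servlet verifies the signature before doing any work. Below is an added, dependency-free example of that mechanism using HMAC-SHA256; it is my code, not Adobe's and not the poster's, and it is a minimal stand-in for a JWT rather than the JWT format itself. The assumed wiring in AEM is a GET servlet that returns issue(...) to the page, a jQuery call that sends the token back in a header, and a POST servlet that calls verify(...) first. AEM's own CSRF framework works the same way (the page fetches /libs/granite/csrf/token.json and sends a CSRF-Token header, which a filter checks on modifying requests). The caveat a practitioner should keep in mind: such a token defeats cross-site forgery and blind replay from Postman, but anyone who can load the page can obtain a fresh token, so it does not by itself stop abuse of an anonymous endpoint; input validation, rate limiting and a WAF still apply.

```java
package com.example.aem.security;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example: server-issued, HMAC-signed, time-limited token for AJAX calls.
 * Layout: base64url(binding "." expiryMillis) "." base64url(HMAC-SHA256(that string)).
 * "binding" is whatever identifies the client (session id, a cookie value, ...);
 * it is an assumption of this example, not an AEM API.
 */
public final class AjaxRequestToken {

    private static final String MAC_ALG = "HmacSHA256";
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private final byte[] key;

    /** The key lives only on the server (OSGi config / secret store); never ship it to the page. */
    public AjaxRequestToken(byte[] key) {
        if (key == null || key.length < 32) {
            throw new IllegalArgumentException("key must be at least 256 bits");
        }
        this.key = key.clone();
    }

    /** Random 256-bit key for the demo; in production load it from configuration. */
    public static byte[] randomKey() {
        byte[] k = new byte[32];
        new SecureRandom().nextBytes(k);
        return k;
    }

    /** Mint a token bound to the client and valid for ttlMillis from nowMillis. */
    public String issue(String binding, long nowMillis, long ttlMillis) {
        String payload = binding + "." + (nowMillis + ttlMillis);
        String encoded = B64.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        return encoded + "." + B64.encodeToString(mac(encoded));
    }

    /** True only if the MAC matches, the binding matches and the token has not expired. */
    public boolean verify(String token, String expectedBinding, long nowMillis) {
        if (token == null) return false;
        int dot = token.lastIndexOf('.');
        if (dot <= 0 || dot == token.length() - 1) return false;
        String encoded = token.substring(0, dot);
        byte[] given;
        try {
            given = B64D.decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return false;
        }
        // Constant-time compare: String.equals / Arrays.equals leak where the MAC first differs.
        if (!MessageDigest.isEqual(mac(encoded), given)) return false;

        String payload;
        try {
            payload = new String(B64D.decode(encoded), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return false;
        }
        int sep = payload.lastIndexOf('.');
        if (sep <= 0) return false;
        long expiry;
        try {
            expiry = Long.parseLong(payload.substring(sep + 1));
        } catch (NumberFormatException e) {
            return false;
        }
        return payload.substring(0, sep).equals(expectedBinding) && nowMillis < expiry;
    }

    private byte[] mac(String data) {
        try {
            Mac mac = Mac.getInstance(MAC_ALG);
            mac.init(new SecretKeySpec(key, MAC_ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Stand-alone demo: valid, wrong client, expired and tampered tokens. */
    public static void main(String[] args) {
        AjaxRequestToken tokens = new AjaxRequestToken(randomKey());
        long now = System.currentTimeMillis();
        String t = tokens.issue("sess-4711", now, 5 * 60_000L);   // constructed sample binding
        // Flip the first character of the signed part so the MAC no longer matches.
        String tampered = (t.charAt(0) == 'A' ? 'B' : 'A') + t.substring(1);

        System.out.println("valid now:     " + tokens.verify(t, "sess-4711", now + 1_000));        // true
        System.out.println("wrong client:  " + tokens.verify(t, "sess-9999", now + 1_000));        // false
        System.out.println("expired:       " + tokens.verify(t, "sess-4711", now + 6 * 60_000L));  // false
        System.out.println("tampered:      " + tokens.verify(tampered, "sess-4711", now + 1_000)); // false
    }
}
```

In the servlet, reject the request with 403 when verify(...) returns false and only then read the parameters; issue the token from a GET that requires the page to have been loaded, so a script hitting the POST URL copied from the network tab without that step is refused. Rotate the key on a schedule and keep the TTL short, since a stolen token is valid until it expires.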

Avatar

Level 5
Hi @Umesh_Thakur, yes, the requirement is secure the AEM sling servlet which are being invoked from jQuery ajax function. Registering servlet with resource type gives enough security? Can anyone make a malicious request by taking the servlet url from browser network tab and pass malicious data in Postman/Fiddler? I am looking for ways to avoid such scenarios.