Secure sling servlet - Need suggestions | Community
Level 5
August 2, 2021
Solved

Secure sling servlet - Need suggestions

  • August 2, 2021
  • 2 replies
  • 5262 views

Hi Team,

We have considerable functionality built where we are making jQuery ajax calls to AEM sling servlet which then invokes a REST API to fetch/post data from other systems such as SFDC/SAP. We are aware that incoming POST calls to AEM for modifications are filtered but is there any OOTB way to secure AEM sling servlets in this case? We are making sure to make jQuery ajax post call to send parameters in the request body.

Did anyone implement a security token methodology where the token is generated at server side, passed in the jQuery ajax call request data and validated?

Any pointers on this would be helpful.

 

Thanks

Srikanth

Best answer by MarkusBullaAdobe

Hi @srikanthpo3!

The recommended way for Sling servlet registration is to bind them to resource types. This way, all default mechanisms for access control management of the JCR apply. The system will manage access based on the ACLs set on the according resource.

As outlined in the Sling documentation, this does not apply to path-bound servlets, which is one of the major drawbacks of this binding approach. Please see https://sling.apache.org/documentation/the-sling-engine/servlets.html#caveats-when-binding-servlets-by-path-1

So there is no OOTB way to handle access control for path-bound servlets, and for most use cases it is not recommended to bind servlets based on path.

 

That being said, there are some ideas on how to handle this case:

  • You could build your own module to check for permissions and integrate that with your servlet.
  • You could build a synthetic content hierarchy that reflects your servlet(s), apply ACLs to this structure and check in your servlet.

 

Update 1:

Thanks for sharing additional details on your use case, @srikanthpo3!

You clarified that your servlet is bound to specific resource types. That's good!

In this case, you can leverage AEM's default mechanisms for access control. You specify permissions for certain groups on your content hierarchy and the system will check if the user/session trying to access the resource has the according permissions.

Example:

In this case, AEM will automatically check if the requesting user has an active session and the according permissions to access the resource. The method of invoking this request does not matter; it can be via jQuery/AJAX, Postman/Fiddler, curl or whatever. If the request has session information (e.g. a cookie) identifying him as a logged-in user with valid permissions, the request will succeed. Otherwise it will be declined (depending on your setup: redirect to a login page or return a 401, 403 or 404 HTTP response code).

 

Update 2:

Taking your latest comment into account, your requirement is not about authentication or authorization but aims to prevent abuse of a publicly available endpoint. While every regular user should be able to use your website (which includes AJAX calls to the respective endpoint/servlet), you want to prevent unintended or malicious requests to the servlet.

Is my understanding correct?
Are you looking for a protection against DoS/DDoS and the like?

 

There is no OOTB functionality in AEM that supports such requirements. While AEM comes with various security features, including a framework for CSRF protection, I'm not quite sure if any of this will help for your use case. But please read through the links and check for yourself if this can help.

Apart from that, there are 3rd party tools, such as Web Application Firewalls (WAF), which may help increase the security of your application. I've seen customers implement mod_security with its core rule set (CRS).

 

Hope that helps!
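As an added illustration of the resource-type binding and the "synthetic content hierarchy" idea from the answer above (example code added here; it is not from the thread, from Adobe or from the Sling project), here is a servlet registered for a hypothetical resource type `myproject/components/integration` that additionally gates on read access to a hypothetical permission node `/conf/myproject/permissions/integration`. The `recordId` request parameter and its format check are assumptions as well.

```java
import java.io.IOException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.servlets.HttpConstants;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;

/**
 * Servlet bound to a resource type (hypothetical: myproject/components/integration).
 * Sling selects it only after resolving the requested resource with the caller's own
 * session, so the JCR ACLs on that content already decide who can reach doPost.
 */
@Component(service = Servlet.class, property = {
        "sling.servlet.resourceTypes=myproject/components/integration",
        "sling.servlet.methods=" + HttpConstants.METHOD_POST,
        "sling.servlet.extensions=json"
})
public class IntegrationServlet extends SlingAllMethodsServlet {

    // Hypothetical "synthetic hierarchy" node. Grant jcr:read on it only to the groups
    // that may trigger the outbound SFDC/SAP call; everyone else is refused below even
    // if they can read the page the servlet is attached to.
    private static final String GATE_NODE = "/conf/myproject/permissions/integration";

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        ResourceResolver resolver = request.getResourceResolver();

        if (!canTriggerIntegration(resolver)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Hypothetical body parameter from the jQuery POST. Validate its shape before it is
        // forwarded to the downstream REST API; reject anything that does not fit.
        String recordId = request.getParameter("recordId");
        if (recordId == null || !recordId.matches("[A-Za-z0-9]{1,32}")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // ... call the downstream system with recordId here ...

        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write("{\"status\":\"accepted\",\"recordId\":\"" + recordId + "\"}");
    }

    /** True only if the caller's session can read the gate node. */
    static boolean canTriggerIntegration(ResourceResolver resolver) {
        // getResource returns null both when the node is missing and when the session
        // may not read it, so this alone already enforces the ACL.
        if (resolver.getResource(GATE_NODE) == null) {
            return false;
        }
        Session session = resolver.adaptTo(Session.class);
        if (session == null) {
            return false;
        }
        try {
            // Explicit JCR check, useful when the gate should require more than plain read.
            return session.hasPermission(GATE_NODE, Session.ACTION_READ);
        } catch (RepositoryException e) {
            return false;
        }
    }
}
```

Because Sling resolves the resource with the requester's session before choosing the servlet, a user without read access on the page never reaches `doPost` and gets the 401/403/404 behaviour described above; the gate node lets you grant "may trigger the integration" to a group separately from read access on the page itself. The ACL on the gate node is managed with the normal AEM permission tooling, so nothing about the check is custom apart from the lookup.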

2 replies

MarkusBullaAdobe
Adobe Employee
Accepted solution
August 2, 2021


Level 5
August 2, 2021

Hi @markusbullaadobe, we registered AEM sling servlets using resource type, they are not path bound.

Can you please elaborate on the two suggestions you made? If possible, can you please point me to documentation or resources where I can get more information on these?

Umesh_Thakur
Community Advisor
Community Advisor
August 2, 2021

First, security can be extended by using a resourceType based servlet and then using OOB ACLs to not let any user invoke the servlet.

You can take advantage of JWT to secure your servlet call by validating the tokens, passed by ajax, on the server side.

These are the two ways you can use, to my knowledge.

Hope this will help.

Umesh Thakur
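As an added example of the server-side token validation mentioned in the reply above (example code added here; it is not from the thread or from any AEM or JWT library), this class verifies an HS256 JWT sent by the AJAX call: it pins the algorithm, compares the HMAC in constant time and requires an unexpired `exp` claim. The secret, the claim names and the regex-based claim extraction are assumptions for the demo; in a real servlet the secret would come from OSGi configuration and the payload would be parsed with a proper JSON parser.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Verifies (and, for the demo, issues) HS256 JWTs. Not a library; illustration only. */
public final class JwtHs256Verifier {

    private static final Base64.Decoder B64URL = Base64.getUrlDecoder();
    private static final Base64.Encoder B64URL_ENC = Base64.getUrlEncoder().withoutPadding();
    // Minimal claim extraction for the demo; use a real JSON parser in production code.
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");
    private static final Pattern ALG = Pattern.compile("\"alg\"\\s*:\\s*\"([^\"]+)\"");

    private final byte[] secret;

    public JwtHs256Verifier(byte[] secret) {
        this.secret = secret.clone();
    }

    /** Returns the decoded payload JSON if the token is valid, otherwise null. */
    public String verify(String token, long nowEpochSeconds) {
        if (token == null) {
            return null;
        }
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) {
            return null;
        }
        String header;
        String payload;
        byte[] providedSig;
        try {
            header = new String(B64URL.decode(parts[0]), StandardCharsets.UTF_8);
            payload = new String(B64URL.decode(parts[1]), StandardCharsets.UTF_8);
            providedSig = B64URL.decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null; // malformed base64url segment
        }
        // Pin the algorithm: the header must never select the verification method
        // (rejects "none" and RS256/HS256 confusion).
        Matcher alg = ALG.matcher(header);
        if (!alg.find() || !"HS256".equals(alg.group(1))) {
            return null;
        }
        byte[] expectedSig = hmac(parts[0] + "." + parts[1]);
        // Constant-time comparison so timing does not reveal how many bytes matched.
        if (!MessageDigest.isEqual(expectedSig, providedSig)) {
            return null;
        }
        // Require an expiry so a leaked token stops working on its own.
        Matcher exp = EXP.matcher(payload);
        if (!exp.find() || Long.parseLong(exp.group(1)) <= nowEpochSeconds) {
            return null;
        }
        return payload;
    }

    /** Issues a token (server side); included so the demo is self-contained. */
    public String issue(String payloadJson) {
        String headerB64 = B64URL_ENC.encodeToString(
                "{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payloadB64 = B64URL_ENC.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = headerB64 + "." + payloadB64;
        return signingInput + "." + B64URL_ENC.encodeToString(hmac(signingInput));
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed secret for the demo; load it from OSGi configuration in AEM, never from
        // the repository content or the client.
        JwtHs256Verifier v = new JwtHs256Verifier("demo-secret-change-me".getBytes(StandardCharsets.UTF_8));
        long now = 1_700_000_000L;
        String good = v.issue("{\"sub\":\"site-user\",\"exp\":" + (now + 300) + "}");
        String expired = v.issue("{\"sub\":\"site-user\",\"exp\":" + (now - 1) + "}");
        System.out.println("valid token accepted: " + (v.verify(good, now) != null));
        System.out.println("expired token accepted: " + (v.verify(expired, now) != null));
        System.out.println("tampered token accepted: " + (v.verify(good + "x", now) != null));
    }
}
```

In a Sling servlet the token would typically arrive in an `Authorization: Bearer` header or a request-body parameter set by the jQuery call, and `verify` would run before any downstream REST call is made. Note that a token alone only proves the request came from a client that received a token; it does not by itself rate-limit or stop replay within the validity window, so keep the expiry short.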

Level 5
August 2, 2021
Hi @umesh_thakur, we registered AEM sling servlets using resource type, they are not path bound. Can you point me to a resource on JWT or its examples?