Expand my Community achievements bar.

Submissions are now open for the 2026 Adobe Experience Maker Awards.
Apply Now
SOLVED

Sling Servlet Best Approach

Avatar

Level 2
Level 2
8/18/25 7:22:48 PM

Hi everyone,
I have a few path- and resource-based servlets.


For path-based servlets, the URL starts like: http://localhost:4502/bin/test/v1/<identifier> Is exposing /bin to end users considered a problem? If yes, why so, since /bin/test/v1 is not a valid content path in AEM?

In my case, I want to mask /bin/test/v1/<identifier> with a proxy. This proxy will be called from the client side, and I plan to add Apache rewrite rules to map the proxy URL back to the actual servlet. Is this the best way?

 

For resource-based servlets, the URL starts like: http://localhost:4502/content/test/.../<page>.selector.extension I am masking these too with a proxy. Clients will call the proxy, and I’ll redirect it to the servlet API.

My main question: Is writing Apache rewrite rules the best solution here, or would it be better to use something like Sling resource mapping?

 

Thanks in advance!

Views

345

Replies

5
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
8/18/25 7:51:06 PM
In response to SantoshSai

In short:

  • You can expose /bin paths, and technically it will work fine.

  • It’s not best practice, because:

    • You lose repository-level access control.

    • It makes governance harder in multi-tenant or enterprise setups.

  • Preferred approach -> use resourceType-based servlets for most cases.

  • If path-based is required, secure it properly at the Dispatcher and AEM filter level.

  • Use Apache rewrites only if you need nicer/proxy URLs, not as a replacement for proper servlet registration.

References:


Santosh Sai

AEM BlogsLinkedIn


View solution in original post

Views

326

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
5 Replies

Avatar

Community Advisor
Community Advisor
8/18/25 7:28:38 PM

Hi @MatthewDa19,

Is there a specific reason you’re registering your servlet using path?
If you use a resourceType instead, you won’t need to expose /bin or mask it. You can leverage selectors and extensions directly on content paths.

Docs for reference: https://sling.apache.org/documentation/the-sling-engine/servlets.html

Are you constrained to path-based servlets for some reason?


Santosh Sai

AEM BlogsLinkedIn


Views

341

Replies

3
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
8/18/25 7:37:36 PM
In response to SantoshSai

@SantoshSai Thansk for your response!
I can switch some of them to resourceType-based servlets, but for others I still need path-based ones (integration APIs that aren’t tied to content). That’s why I’m worried about exposing /bin and considering masking it behind a proxy. Would exposing /bin directly actually be a problem?

Views

332

Replies

2
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
8/18/25 7:44:58 PM
In response to MatthewDa19

@MatthewDa19 

It's not inherently a security risk, but it’s not considered best practice either.

  • With path-based servlets, you lose repository-level access control.

  • With resourceType-based servlets, you can apply auth/authz policies on the resource.

That’s why Adobe generally recommends using resourceType where possible.

If you must stick to path-based:

  • Keep them under /bin/ (not /apps or /libs)

  • Control access via Dispatcher filters or custom filters

  • Only add rewrites if you want to make URLs “prettier” for end users, but don’t rely on rewrites for security


Santosh Sai

AEM BlogsLinkedIn


Views

328

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Community Advisor
Community Advisor
8/18/25 7:51:06 PM
In response to SantoshSai

In short:

  • You can expose /bin paths, and technically it will work fine.

  • It’s not best practice, because:

    • You lose repository-level access control.

    • It makes governance harder in multi-tenant or enterprise setups.

  • Preferred approach -> use resourceType-based servlets for most cases.

  • If path-based is required, secure it properly at the Dispatcher and AEM filter level.

  • Use Apache rewrites only if you need nicer/proxy URLs, not as a replacement for proper servlet registration.

References:


Santosh Sai

AEM BlogsLinkedIn


Views

327

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Community Advisor
Community Advisor
8/21/25 12:47:39 AM

Hi @MatthewDa19 

You should register your servlet with resourceType.

if you calling the api at clienside then I would suggest to expose the path in metatag and use that.

 

Example

<!-- <meta name="basepath" content="currentPagePath.selector.extension"> -->
<meta name="basepath" content="/content/mysite/us/en.api.json">



And you can register your servlet with

@SlingServletResourceTypes(resourceTypes = "cq/Page", methods = HttpConstants.METHOD_GET, selectors = Constants.API_SERVLET_SELECTOR, extensions = Constants.EXTENSION_JSON)

 

Arun Patidar

AEM LinksLinkedIn

Views

245

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
servlet request + javax Filters: how do I redirect users to another page? Solved

Views

75

Likes

0

Replies

1
AEM GraphQL Query approach to get list of pages where XYZ component is enabled. Solved

Views

111

Likes

0

Replies

2
How to mock/unit test a Sling filter that does a redirect? (and other questions) Solved

Views

168

Likes

0

Replies

2
Issue in Sling Model instantiating from Sightly Solved

Views

893

Likes

0

Replies

3
How to use multiple path patterns inside Sling Filter? Solved

Views

150

Likes

0

Replies

3