
Suggestion to block children and home endpoints in AEM


Level 2

Hi Team,

 

We received a vulnerability ticket asking us to block the children, childrenlist and home.json endpoints.

Whenever we hit www.abc.com/content/*/*/*.children.json we can see the JSON files loading, so we added the following deny rules in the publish.ehs.any file:

 

/0012 {
  /url "/childrenlist.json"
  /type "deny"
}
/0013 {
  /url "/children.json"
  /type "deny"
}

But the JSON files are still loading, so any suggestions on how to block these endpoints would be helpful.

 

Regards,

Anusha
 

4 Replies


Level 2

Hi @AnushaAt 

 

Add a filter condition like the one below to your dispatcher filter.any file.

 

{ /type "deny" /suffix '(.*infinity.*|.*children.*|.*tidy.*)' }

 


Level 1

Dispatcher configurations are a partial solution that can be bypassed by certain requests. These are the Adobe components you would need to disable in the OSGI console at /system/console/components

 

  • stop "com.day.cq.dam.s7dam.common.servlets.S7damChildServlet" to disable the .children selector
  • stop "com.day.cq.wcm.core.impl.servlets.ChildrenListServlet" to disable the .childrenlist selector

 

Manually stopping components is not an ideal approach since those components will restart when AEM is restarted. A more reliable approach is to use the ACS AEM Commons project's "OSGI Component Disabler" feature that lets you disable specific components based on their class name. You can also add a configuration file for the Disabler to your codebase so the unwanted components are disabled in a reliable way. 

 

Adobe's AEM security checklist also recommends disabling the "Day CQ WCM Form Chooser Servlet" by blocking it with your dispatcher, but you should also disable it on your publish instance:

  • stop "com.day.cq.wcm.foundation.forms.impl.FormChooserServlet" to disable the .forms selector

 


Community Advisor

Hi @AnushaAt ,

Please try this:

The deny rules you added are too specific - they only block exact URLs ending in /childrenlist.json or /children.json, but not the pattern you're trying to block (/content/*/*/*.children.json).

 

Add these rules to your dispatcher configuration (in the /filter section):

/0012 { /type "deny" /url "*.children.json" }
/0013 { /type "deny" /url "*.childrenlist.json" }
/0014 { /type "deny" /url "*.home.json" }

Or use regex patterns for more precision:

/0012 { /type "deny" /url "/content/*.children.json" }
/0013 { /type "deny" /url "/content/*.childrenlist.json" }
/0014 { /type "deny" /url "/content/*.home.json" }

 

  • Use wildcards (*) to match any path
  • Place these rules before any permissive rules in your filter section
  • Test thoroughly after deployment
  • Consider blocking other sensitive selectors like *.json, *.xml, *.feed if not needed

The issue was that your original rules were looking for exact literal URLs, not the pattern with content paths.

Hrishikesh Kagane


Level 1

Hi @AnushaAt ,

 

Usually the recommendation is to deny everything and allow whatever is needed.

It seems you are allowing everything and denying specific rules?

Is this for AEM 6.5 or AEM Cloud Service?

Refer to the Dispatcher checklist.

For your query it really depends on what exact URL you are accessing and the rules you have configured at your dispatcher.

Dispatcher evaluates filter rules top-to-bottom; last match wins. So:

  1. You should have an initial default deny:

     /global_00 { /type "deny" /url "*" }

  2. Then your broad "allow content" rule(s).

  3. Then after that, your "security" deny rules for selectors, suffixes etc.

As I understand it, with www.abc.com/content/*/*/*.children.json you are using a selector? You can try something like the rule below.

 

# single quotes make /selectors and /extension regular expressions; in double
# quotes "(json)" would be a glob that only matches the literal text "(json)"
/children_selectors_deny {
  /type "deny"
  /path "/content/*"
  /selectors '(children|childrenlist)'
  /extension '(json)'
}


Regards
Sarath
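To make the two points of this thread concrete (the rule ordering "deny all, allow content, then deny selectors" with last match winning, and why the question's literal /url globs never matched), here is an added Python model of dispatcher filter evaluation. It is not dispatcher code and not from any of the posters; it assumes that rules are evaluated top to bottom with the last match winning, that double-quoted values are globs and single-quoted values are anchored regular expressions, and that a rule matches only when every element it lists matches. The rule names and the sample URLs under /content/abc are constructed for the example.

```python
"""Simplified model of AEM Dispatcher /filter evaluation (added example).

Assumed, not verified dispatcher internals: rules run top to bottom and the
LAST match wins; a double-quoted value is a glob (* also matches '/'); a
single-quoted value is a regex that must match the whole part; a rule matches
when every element it lists (/url, /path, /selectors, /extension, /suffix) does.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SlingUrl:
    raw: str         # full request URL, what /url is matched against
    path: str        # resource path, what /path is matched against
    selectors: str   # dot-joined selectors, e.g. "children" or "children.tidy"
    extension: str
    suffix: str


def parse_sling_url(url: str) -> SlingUrl:
    """Split a URL the way Sling does: the first segment containing a dot ends
    the resource path, the rest of that segment is selectors + extension, and
    any later segments form the suffix. Query strings are dropped."""
    url = url.split("?", 1)[0]
    segments = url.split("/")
    for i, seg in enumerate(segments):
        if "." not in seg:
            continue
        name, rest = seg.split(".", 1)
        *selectors, extension = rest.split(".")
        suffix = "/" + "/".join(segments[i + 1:]) if i + 1 < len(segments) else ""
        return SlingUrl(url, "/".join(segments[:i] + [name]),
                        ".".join(selectors), extension, suffix)
    return SlingUrl(url, url, "", "", "")


def element_matches(pattern: str, value: str) -> bool:
    """Dispatcher quoting convention (assumed): "..." is a glob, '...' a regex."""
    if pattern[0] == pattern[-1] == "'":
        return re.fullmatch(pattern[1:-1], value) is not None
    if pattern[0] == pattern[-1] == '"':
        return fnmatch.fnmatchcase(value, pattern[1:-1])
    raise ValueError("filter values must be quoted: %r" % pattern)


@dataclass
class Rule:
    name: str
    type: str                       # "allow" or "deny"
    url: Optional[str] = None
    path: Optional[str] = None
    selectors: Optional[str] = None
    extension: Optional[str] = None
    suffix: Optional[str] = None


def evaluate(rules: List[Rule], request_url: str) -> Tuple[str, str]:
    """Return (decision, name of the winning rule). No match is treated as deny,
    which is why the thread recommends an explicit deny-all rule first."""
    req = parse_sling_url(request_url)
    decision, winner = "deny", "<no rule matched>"
    for rule in rules:
        pairs = [(rule.url, req.raw), (rule.path, req.path),
                 (rule.selectors, req.selectors), (rule.extension, req.extension),
                 (rule.suffix, req.suffix)]
        if all(element_matches(p, v) for p, v in pairs if p is not None):
            decision, winner = rule.type, rule.name   # last match wins
    return decision, winner


# The question's two rules, plus an assumed broad allow for /content/* that a
# working site must carry: the literal globs never match a real page URL.
ORIGINAL_RULES = [
    Rule("/0001", "deny", url='"*"'),
    Rule("/0002", "allow", url='"/content/*"'),
    Rule("/0012", "deny", url='"/childrenlist.json"'),
    Rule("/0013", "deny", url='"/children.json"'),
]

# Deny all, allow content, then deny the selectors (the order the replies give).
HARDENED_RULES = [
    Rule("/global_00", "deny", url='"*"'),
    Rule("/0002", "allow", url='"/content/*"'),
    Rule("/children_selectors_deny", "deny", path='"/content/*"',
         selectors="'(children|childrenlist)'", extension="'(json)'"),
]

# Same rules with the allow moved last: it becomes the final match and re-opens
# the endpoint, which is what "last match wins" means in practice.
MISORDERED_RULES = [HARDENED_RULES[0], HARDENED_RULES[2], HARDENED_RULES[1]]

# The regex sees the whole selector string, so a stacked "children.tidy" slips
# past '(children|childrenlist)'. A pattern tolerant of neighbours closes that.
STACKED_SAFE_RULES = HARDENED_RULES[:2] + [
    Rule("/children_any_position", "deny", path='"/content/*"',
         selectors=r"'(.*\.)?children(list)?(\..*)?'", extension="'(json)'"),
]
```

Running `evaluate(ORIGINAL_RULES, "/content/abc/en/home.children.json")` returns `("allow", "/0002")`, because `"/children.json"` is an exact-match glob, while the same URL against `HARDENED_RULES` returns `("deny", "/children_selectors_deny")`; against `MISORDERED_RULES` the trailing allow wins again. The stacked-selector case is the caveat worth carrying to a real instance: check `home.children.tidy.json` as well as `home.children.json` after deploying, since an anchored alternation only matches when the blocked selector is the only one present.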