SOLVED

Using only POST requests to access content on dispatcher/publisher


Level 4

Hello,

We have a new requirement where a certain group of users are only allowed to access our content (publish/dispatcher) through POST requests. No GET requests are allowed.

Does anyone have a good idea of how to accomplish this? Looking at this answer I think the way to go would probably be in writing a servlet that processes the POST request for resource type "sling/servlet/default" and just add every extension we'll need (html, css, js, etc.). This servlet will then have to redirect to a GET request.

```java
import java.io.IOException;

import javax.servlet.ServletException;

import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component(immediate = true, metatype = false, label = "PostHijacker")
@Service
@Properties(value = {
    @org.apache.felix.scr.annotations.Property(name = "sling.servlet.methods", value = { "POST" }),
    @org.apache.felix.scr.annotations.Property(name = "sling.servlet.resourceTypes", value = { "sling/servlet/default" }),
    @org.apache.felix.scr.annotations.Property(name = "sling.servlet.extensions", value = { "html", "css", "js" })
})
public class PostHijacker extends SlingAllMethodsServlet {
    Logger log = LoggerFactory.getLogger(this.getClass());

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // getHeader() returns null when the header is absent
        if (request.getHeader("userIsAllowedToPOST") != null) {
            // ... continue as normal ??? ...
        }
        // ... build GET request wrapper ...
        request.getRequestDispatcher(request.getResource()).forward(request, response);
    }
}
```

I am able to determine the user through a header variable, but I'm not sure how to forward the POST request along the normal path (bypassing the new servlet) if the user is not part of the restricted group.

Thanks

1 Accepted Solution


Correct answer by
Level 4

Hah, yeah I thought the same when I first heard it. Unfortunately this is a corporate-wide policy on tablets accessing our intranet, so we have little hope of fighting it.

In case anyone else is in the same situation, this is what I've been working on now. Instead of using a servlet, a filter seemed to be closer to what I wanted to do. Here is what I have so far and it seems to be the right direction. If it sees a POST request with a specific header, it will change the request to GET and forward. Otherwise it will continue as normal.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Service;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component(immediate = true, enabled = true)
@Service(value = Filter.class)
@Properties({
    @Property(name = "sling.filter.scope", value = "REQUEST", propertyPrivate = true),
    @Property(name = "service.ranking", intValue = -10000, propertyPrivate = true)
})
public class PostFilter implements Filter {
    Logger log = LoggerFactory.getLogger(this.getClass());

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        if (httpRequest.getMethod().equalsIgnoreCase("POST")
                && httpRequest.getHeader("USER_NOT_ALLOWED_TO_POST") != null) {
            // Re-present the POST as a GET and forward it to the same URI
            ServletRequest requestModified = new HttpServletRequestWrapper(httpRequest) {
                @Override
                public String getMethod() {
                    return "GET";
                }
            };
            httpRequest.getRequestDispatcher(httpRequest.getRequestURI()).forward(requestModified, response);
        } else {
            filterChain.doFilter(request, response);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void destroy() {
    }
}
```
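The same forward-as-GET idea, as an added example that is not the poster's code: it decides who is restricted from the user's repository group membership instead of a client-supplied header (which any client can omit), forwards their POSTs as GETs, and refuses every other method for them. It assumes the hypothetical group name `post-only-users`, the Felix SCR annotations used in this thread, and that the resource resolver adapts to a Jackrabbit `User` as it does on AEM.

```java
import java.io.IOException;
import java.util.Iterator;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.felix.scr.annotations.*;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.sling.api.SlingHttpServletRequest;

@Component(immediate = true)
@Service(value = Filter.class)
@Properties({ @Property(name = "sling.filter.scope", value = "REQUEST"),
              @Property(name = "service.ranking", intValue = -10000) })
public class PostOnlyPolicyFilter implements Filter {
    // Hypothetical repository group of the POST-only users; membership is
    // resolved server-side rather than trusted from a request header.
    private static final String RESTRICTED_GROUP = "post-only-users";

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        SlingHttpServletRequest request = (SlingHttpServletRequest) req; // REQUEST-scope filters see Sling requests
        HttpServletResponse response = (HttpServletResponse) res;
        if (!isRestricted(request)) {
            chain.doFilter(req, res); // unrestricted users pass through untouched
            return;
        }
        if ("POST".equalsIgnoreCase(request.getMethod())) {
            // Re-present the POST as a GET so the normal rendering servlet serves the content
            request.getRequestDispatcher(request.getResource()).forward(new HttpServletRequestWrapper(request) {
                @Override public String getMethod() { return "GET"; }
            }, response);
            return;
        }
        response.setHeader("Allow", "POST"); // GET, HEAD, ... are refused for this group
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    private boolean isRestricted(SlingHttpServletRequest request) {
        User user = request.getResourceResolver().adaptTo(User.class);
        if (user == null) return false; // anonymous or non-JCR resolver: not in any group
        try {
            for (Iterator<Group> it = user.memberOf(); it.hasNext();) {
                if (RESTRICTED_GROUP.equals(it.next().getID())) return true;
            }
        } catch (javax.jcr.RepositoryException e) {
            return true; // fail closed: unknown membership is treated as restricted
        }
        return false;
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```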


2 Replies


Level 8

I think the appropriate action here would be to go back to whoever created this requirement and simply say, no.

This is quite possibly one of the craziest requests I think I've ever seen.
