Expand my Community achievements bar.

SOLVED

Using only POST requests to access content on dispatcher/publisher

Avatar

Level 4
Level 4
10/20/16 8:13:01 PM

Hello,

We have a new requirement where a certain group of users are only allowed to access our content (publish/dispatcher) through POST requests. No GET requests are allowed.

Does anyone have a good idea of how to accomplish this? Looking at this answer i think the way to go would probably be in writing a servlet that processes the POST request for resource type "sling/servlet/default" and just add every extension we'll need (html, css, js, etc.). This servlet will then have to redirect to a GET request.

@Component(immediate = true, metatype = false, label = "PostHijacker") @Service @Properties(value = { @org.apache.felix.scr.annotations.Property(name = "sling.servlet.methods", value = { "POST" }), @org.apache.felix.scr.annotations.Property(name = "sling.servlet.resourceTypes", value = { "sling/servlet/default" }), @org.apache.felix.scr.annotations.Property(name = "sling.servlet.extensions", value = { "html", "css", "js" }) }) public class PostHijacker extends SlingAllMethodsServlet { Logger log = LoggerFactory.getLogger(this.getClass()); protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response) throws ServerException, IOException { if (request.getHeader("userIsAllowedToPOST")) { ... continue as normal ???... } ...build GET request wrapper... slingRequest.getRequestDispatcher(resource).forward(request, response); } }

I am able to determine the user through a header variable, but i'm not sure how to forward the POST request along the normal path (bypassing the new servlet) if the user is not part of the restricted group.

Thanks

Views

1.2K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 4
Level 4
10/21/16 4:32:37 PM

Hah, yeah i thought the same when i first heard it. Unfortunately this is a corporate wide policy on tablets accessing our intranet, so we have little hope of fighting it.

In case anyone else is in the same situation this is what i've been working on now. Instead of using a servlet, a filter seemed to be close to what i wanted to do. Here is what i have so far and it seems to be the right direction. If it sees a POST request with a specific header, it will change the request to GET and forward. Otherwise it will continue as normal

@Component(immediate=true, enabled=true) @Service(value=Filter.class) @Properties({ @Property(name="sling.filter.scope", value="REQUEST", propertyPrivate=true), @Property(name="service.ranking", intValue=-10000, propertyPrivate=true) }) public class PostFilter implements javax.servlet.Filter { Logger log = LoggerFactory.getLogger(this.getClass()); public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest httpRequest = (HttpServletRequest)request; if (httpRequest.getMethod().equalsIgnoreCase("POST") && httpRequest.getHeader("USER_NOT_ALLOWED_TO_POST") != null) { ServletRequest requestModified = new HttpServletRequestWrapper(httpRequest) { @Override public String getMethod() { return "GET"; } }; httpRequest.getRequestDispatcher(httpRequest.getRequestURI()).forward(requestModified, response); } else { filterChain.doFilter(request, response); } } }

View solution in original post

Views

995

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
2 Replies

Avatar

Level 8
Level 8
10/21/16 2:30:51 PM

I think the appropriate action here would be to go back to whoever created this requirement and simply say, no.

This is quite possibly one of the craziest requests i think i've ever seen.

Views

817

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 4
Level 4
10/21/16 4:32:37 PM

Hah, yeah i thought the same when i first heard it. Unfortunately this is a corporate wide policy on tablets accessing our intranet, so we have little hope of fighting it.

In case anyone else is in the same situation this is what i've been working on now. Instead of using a servlet, a filter seemed to be close to what i wanted to do. Here is what i have so far and it seems to be the right direction. If it sees a POST request with a specific header, it will change the request to GET and forward. Otherwise it will continue as normal

@Component(immediate=true, enabled=true) @Service(value=Filter.class) @Properties({ @Property(name="sling.filter.scope", value="REQUEST", propertyPrivate=true), @Property(name="service.ranking", intValue=-10000, propertyPrivate=true) }) public class PostFilter implements javax.servlet.Filter { Logger log = LoggerFactory.getLogger(this.getClass()); public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest httpRequest = (HttpServletRequest)request; if (httpRequest.getMethod().equalsIgnoreCase("POST") && httpRequest.getHeader("USER_NOT_ALLOWED_TO_POST") != null) { ServletRequest requestModified = new HttpServletRequestWrapper(httpRequest) { @Override public String getMethod() { return "GET"; } }; httpRequest.getRequestDispatcher(httpRequest.getRequestURI()).forward(requestModified, response); } else { filterChain.doFilter(request, response); } } }

Views

996

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
Not able to find Cookie data in doPost() at SlingHttpServletRequest request

Views

49

Likes

0

Replies

1
To display popup before moving assets to check for duplication

Views

66

Likes

0

Replies

1
Workfront test instance integration with AEM(set up on local)

Views

37

Likes

0

Replies

0
How to use data-sly-use in SPA React for content fragments?

Views

57

Likes

0

Replies

1
Report on Links

Views

42

Likes

0

Replies

0