We are not able to access the /apps data in the pathfield if we give the rootpath=/apps in AEM 6.4.2



We are not able to access the /apps data in the pathfield if we give the rootpath=/apps in AEM 6.4.2. http://localhost:4502/apps.ext.json?_dc=1587623884633&predicate=siteadmin&_charset_=utf-8&node=xnode-34 always returns blank data.


We have checked the permissions of the /apps folder and tried giving all the permissions to everyone group but its not working.


Kindly suggest.


Ni**bleep**a Sikaria

Accepted Solutions (1)

Accepted Solutions (1)




Hi @textlang,

It's best NOT to allow access to the /apps folder, especially to the everyone group. This will open yourself up to security vulnerabilities.

Instead, to get a JSON representation of the contents for the given folder, you should create a Sling Servlet. You must create a system user, set ACL permissions, and configure the Apache sling Service User Mapper Service Amendment (tutorial); or a more streamlined and automated way, use the ACS Commons Ensure Authorizable to set these things up.

https://localhost:4503/home.appsfolder.json; you can use this strategy to sugar coat or to change the formatting of the URL when delivering the content.



@Component(service = Servlet.class)
        resourceTypes = "sling/servlet/default",
        methods = METHOD_GET,
        extensions = "json",
        selectors = "appsfolder")
public class AppsFolderServlet extends SlingSafeMethodsServlet {

    protected void doGet(SlingHttpServletRequest req, SlingHttpServletResponse res) throws IOException {
        List<Folder> folders = getFolders(req);
        String json = new ObjectMapper().writeValueAsString(pageItems);

    private List<Folder> getFolders() {
        return folder;



Caveats when binding servlets by path:

Binding servlets by paths has several disadvantages when compared to binding by resource types, namely:

  • path-bound servlets cannot be access-controlled using the default JCR repository ACLs
  • path-bound servlets can only be registered to a path and not a resource type (i.e. no suffix handling)
  • if a path-bound servlet is not active, e.g. if the bundle is missing or not started, a POST might result in unexpected results. usually creating a node at /bin/xyz which subsequently overlays the servlets path binding
  • the mapping is not transparent to a developer looking just at the repository

Documentation: https://sling.apache.org/documentation/the-sling-engine/servlets.html#caveats-when-binding-servlets-...

I hope this works. 

Answers (0)