Expand my Community achievements bar.

SOLVED

what's the use of "/libs/cq/security/userinfo.json"? Is there a way to limit/restrict access to this path?

Avatar

Level 8
Level 8
2/13/23 10:12:04 PM

This page (The Dispatcher Security Checklist | Adobe Experience Manager) mentions that this path needs to be opened.

Any ideas what's the json for? I know it returns user information.

 

I am trying to find a way to prevent "hackers" from brute-forcing their way into the admin password via this URL.

 

Thank you.

Views

1.5K

Replies

5
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee Advisor
Employee Advisor
2/14/23 3:01:03 AM

I have checked the userinfo.json response in my project.

On prod author as we do have SSO, I could see certain information about myself (logged-in user) while accessing /libs/cq/security/userinfo.json.

 

On prod publish we aren't supposed to login so, I can see anonymous while accessing /libs/cq/security/userinfo.json.

View solution in original post

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
5 Replies

Avatar

Community Advisor
Community Advisor
2/14/23 1:33:19 AM

This can be blocked, 

This api is used to get user info which you don't need in publish for the end user.



Arun Patidar

Views

1.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
2/14/23 1:34:20 AM

Hi @jayv25585659 ,

 

There is nothing to worry on this because it will only give information related to current logged-in user. Hence, only admin can see admin's details post login.

 

You can try login to AEM using different accounts and notice the JSON.

 

For publish side, the end user will only access through site domain and I am sure there you would already have mapping to right content pages and error handling so nothing to worry. Are you able to access the URL on publish, which gives user info?

 

Hope it helps!

 

Thanks,

Ritesh Mittal

Views

1.5K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 8
Level 8
2/14/23 3:06:58 PM
In response to Ritesh_Mittal

using this endpoint, someone can guess (unlimited requests) the admin password to the publisher?

this command works: curl -v https://admin:admin@www.my-host.com

Views

1.4K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee Advisor
Employee Advisor
2/18/23 6:15:09 AM
In response to jayv25585659

you probably can use some httpd magic to prevent the use of basic auth in requests. 
(On the AEM side you could also disable basic auth, but that could break some of your automation scripts.)

Views

1.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Employee Advisor
Employee Advisor
2/14/23 3:01:03 AM

I have checked the userinfo.json response in my project.

On prod author as we do have SSO, I could see certain information about myself (logged-in user) while accessing /libs/cq/security/userinfo.json.

 

On prod publish we aren't supposed to login so, I can see anonymous while accessing /libs/cq/security/userinfo.json.

Views

1.4K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
AEM Cloud - Unable to resolve some dependencies which is exported by org.apache.felix.framework Solved

Views

98

Likes

0

Replies

1
How to invoke workflow from publish button Solved

Views

90

Likes

0

Replies

4
Bulk Publishing of Tags?

Views

42

Likes

0

Replies

1
Dynamic media interactive video is not showing the experience fragment as pop up

Views

39

Likes

0

Replies

0
Limited amount of images showing on the side Panel

Views

30

Likes

0

Replies

0