This page (The Dispatcher Security Checklist | Adobe Experience Manager) mentions that this path needs to be opened.
Any ideas what the JSON is for? I know it returns user information.
I am trying to find a way to prevent "hackers" from brute-forcing their way into the admin password via this URL.
Thank you.
I have checked the userinfo.json response in my project.
On prod author as we do have SSO, I could see certain information about myself (logged-in user) while accessing /libs/cq/security/userinfo.json.
On prod publish we aren't supposed to login so, I can see anonymous while accessing /libs/cq/security/userinfo.json.
This can be blocked. This API is used to get user info, which you don't need on publish for the end user.
Hi @jayv25585659 ,
There is nothing to worry about here because it will only give information related to the current logged-in user. Hence, only admin can see admin's details post login.
You can try logging in to AEM using different accounts and notice the JSON.
For the publish side, the end user will only access through the site domain, and I am sure there you would already have mapping to the right content pages and error handling, so nothing to worry about. Are you able to access the URL on publish, which gives user info?
Hope it helps!
Thanks,
Ritesh Mittal
Using this endpoint, can someone guess (unlimited requests) the admin password on the publisher?
This command works: `curl -v https://admin:admin@www.my-host.com`
You probably can use some httpd magic to prevent the use of basic auth in requests.
(On the AEM side you could also disable basic auth, but that could break some of your automation scripts.)
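One way to do the "httpd magic" suggested above, as an added example that is not from the thread or from Adobe's Dispatcher documentation: a publish-tier Apache httpd 2.4 vhost that refuses any request carrying HTTP Basic credentials, blocks the userinfo endpoint at the web tier, and logs the rejected attempts. The hostname, log path and the decision to exempt nothing are assumptions for illustration.

```apache
# Added example (hypothetical publish vhost, not the thread's or Adobe's config).
# Requires mod_rewrite, mod_setenvif, mod_authz_core and mod_log_config.
<VirtualHost *:443>
    ServerName www.my-host.com            # assumed hostname from the thread's curl test

    # 1. Nobody logs in on publish, so a request that carries HTTP Basic
    #    credentials has no legitimate purpose from the internet.  Rejecting
    #    it with 403 removes the password-guessing surface instead of merely
    #    rate-limiting it.  (Automation that still needs Basic auth should be
    #    given an exemption by source address with an extra RewriteCond on
    #    %{REMOTE_ADDR}; none is shown here.)
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^Basic [NC]
    RewriteRule ^ - [F]

    # 2. /libs/cq/security/userinfo.json only reports the identity of the
    #    caller, which on publish is always "anonymous", so end users never
    #    need it.  Deny it here (or with a /type "deny" Dispatcher filter).
    <LocationMatch "^/libs/cq/security/userinfo\.json">
        Require all denied
    </LocationMatch>

    # 3. Detection: mark requests that arrived with Basic credentials and
    #    write them to their own log.  The "combined" format records no
    #    Authorization header, so credentials are never written to disk;
    #    a burst of these lines is a password spray in progress.
    SetEnvIf Authorization "^Basic " basic_auth_attempt
    CustomLog /var/log/httpd/publish-basic-auth-denied.log combined env=basic_auth_attempt
</VirtualHost>
```

With this in place the `curl -v https://admin:admin@www.my-host.com` test from the thread returns 403 at the web tier and never reaches AEM's login module, while the same URL without credentials continues to serve anonymous content.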