SOLVED

what's the use of "/libs/cq/security/userinfo.json"? Is there a way to limit/restrict access to this path?

Level 8

This page (The Dispatcher Security Checklist | Adobe Experience Manager) mentions that this path needs to be opened.

Any ideas what the JSON is for? I know it returns user information.

I am trying to find a way to prevent "hackers" from brute-forcing their way into the admin password via this URL.

Thank you.

1 Accepted Solution

Correct answer by
Employee Advisor

I have checked the userinfo.json response in my project.

On prod author, as we have SSO, I could see certain information about myself (the logged-in user) while accessing /libs/cq/security/userinfo.json.

On prod publish we aren't supposed to log in, so I can see anonymous while accessing /libs/cq/security/userinfo.json.

5 Replies

Community Advisor

This can be blocked.

This API is used to get user info, which you don't need on publish for the end user.

Arun Patidar

Community Advisor

Hi @jayv25585659,

There is nothing to worry about here because it will only give information related to the currently logged-in user. Hence, only admin can see admin's details after login.

You can try logging in to AEM using different accounts and notice the JSON.

For the publish side, the end user will only access through the site domain, and I am sure there you would already have mapping to the right content pages and error handling, so nothing to worry about. Are you able to access the URL on publish, which gives user info?

Hope it helps!

Thanks,

Ritesh Mittal

Level 8

Using this endpoint, someone can guess (unlimited requests) the admin password to the publisher?

This command works: curl -v https://admin:admin@www.my-host.com

Employee Advisor

You probably can use some httpd magic to prevent the use of basic auth in requests.
(On the AEM side you could also disable basic auth, but that could break some of your automation scripts.)
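The two mitigations proposed in this thread (denying the userinfo.json path on publish, and refusing HTTP Basic credentials at the web server), written out as an added Apache httpd 2.4 publish-tier vhost fragment. This is example configuration, not configuration from the thread, from Adobe, or from the Dispatcher Security Checklist; the host name www.my-host.com is taken from the curl command above, and the use of a `<Location>` block and a mod_rewrite condition on `%{HTTP:Authorization}` are this example's own choices. It applies to publish only: on author the endpoint is needed by logged-in users, as the accepted answer describes.

```apache
# Added example for the publish tier; not configuration from this thread or from Adobe.
# www.my-host.com comes from the thread; the port and the rewrite approach are assumptions.
<VirtualHost *:443>
    ServerName www.my-host.com

    # Mitigation 1: anonymous publish visitors never need the current-user
    # endpoint, so refuse it here before mod_dispatcher forwards it to AEM.
    <Location "/libs/cq/security/userinfo.json">
        Require all denied
    </Location>

    # Mitigation 2: publish has no interactive login, so a request that
    # presents HTTP Basic credentials is not a normal visitor. Answer 403
    # and stop processing, so the Authorization header is never forwarded
    # and AEM never evaluates the supplied password. [NC] matches the
    # scheme name case-insensitively, as the HTTP authentication framework requires.
    RewriteEngine On
    RewriteCond %{HTTP:Authorization} "^Basic\s" [NC]
    RewriteRule "^" "-" [F,L]

    # All other requests continue to the Dispatcher module as usual.
    # A run of 403 responses on these two rules in the access log is the
    # visible signal of the guessing attempts the question is worried about.
</VirtualHost>
```

The same path restriction can instead live in the Dispatcher's own filter section as a `/type "deny"` rule for that `/url` on the publish farm; the httpd form is shown here because the Basic-auth refusal has to be done by httpd either way, and keeping both in one place makes the publish/author difference easy to audit.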
