Brett_Birschba1 (Level 2), member since 06-03-2019
16-01-2020
Re: [AEM Skill Builder | October] AEM Component Generator – Best Practice AEM Components in a Fraction of the Time Brett_Birschba1 - Adobe Experience Manager
This webinar was re-recorded on Jan 14, 2020, and can be found at https://adobe.ly/2NIeggL
860 Views | 0 Likes | 0 Replies
Re: AEM Security - .json Extension Brett_Birschba1 - Adobe Experience Manager
Ok, sounds good, thanks!
1769 Views | 1 Like | 0 Answers
Re: AEM Security - .json Extension Brett_Birschba1 - Adobe Experience Manager
Hey Joerg, I definitely thought of that, but disabling JSON rendering in the Apache Sling GET Servlet breaks other OOTB functionalities related to personalization where calls to `/home/users/X/XXXXXXXXX.infinity.json` based on the current user are used.
1436 Views | 2 Likes | 0 Answers
Re: AEM Security - .json Extension Brett_Birschba1 - Adobe Experience Manager
vipins5188 What is the purpose of the sling filter pattern of `/libs/wcm/core/content/pageinfo.json`? The JSON I believe comes from the Apache Sling GET Servlet which listens to "resource type" of `sling/servlet/default` - should the filter be more broad to capture all requests that would be handled by the GET servlet?
1425 Views | 1 Like | 0 Answers
Re: Dispatcher Security - .feed extension Brett_Birschba1 - Adobe Experience Manager
Thanks @andyshreve I completely agree with you on the point about blocking content grabbing. My confusion is that the rule that Adobe docs provide is insufficient to do so. There are some selectors you have above that are not covered by it. And though the rule blocks the .feed. selector, it does not block the .feed extension which appears to return the same thing. Thoughts?

Also, any idea what the `_jcr_content` / `jcr:content` selector actually does? I know you can put those tokens in a path to ...
1080 Views | 0 Likes | 0 Answers
Re: AEM Security - .json Extension Brett_Birschba1 - Adobe Experience Manager
Thanks vipins5188 I'll take a look at your solution and see if that will be a clean solve. I'd rather do this if possible rather than require all JSON requests to have a whitelisted selector since the latter seems arbitrary.

It does raise a question, however, about why Adobe doesn't solve this issue of being insecure by default. Was hoping maybe there was some setting that I was just missing.
1433 Views | 1 Like | 0 Answers
Re: AEM Security - .json Extension Brett_Birschba1 - Adobe Experience Manager
Heh thanks kunal23 I do realize we could technically use a custom selector to get around the issue of whitelisting. It's definitely a workable solution, and thus I appreciate you confirming.

That said, given that this is a security issue, shouldn't AEM have a solution that doesn't require custom development?
1417 Views | 1 Like | 0 Answers
AEM Security - .json Extension Brett_Birschba1 - Adobe Experience Manager
In AEM we generally block all `page.infinity.json` and `page.N.json` requests, as it allows content grabbing and reveals internal node structure including usernames or anything else that might be considered "internal". However, page.json requests (no selector) seem to also render their JSON contents, and this is a lot harder to block unless we generically block the .json extension, requiring all valid JSON URLs to be whitelisted.

Is there a way to safely block JSON rendering to close this vulnera...
5199 Views | 1 Like | 11 Answers and Comments
Dispatcher Security - .feed extension Brett_Birschba1 - Adobe Experience Manager
Reference Adobe Docs at: Configuring Dispatcher

AEM docs have a rule that "prevents content grabbing" where the feed selector is prevented for extensions json, xml, and html.

# Deny content grabbing for /content and its subtree
/0082 { /type "deny" /path "/content/*" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy)' /extension '(json|xml|html)' }

Docs also indicate that the following URLs should all be blocked by your configuration:
/content/add_valid_path_to_a_page/_jcr_content.feed
/co...
2509 Views | 1 Like | 4 Answers and Comments
Re: Asset Link Share from AEM - Security and Configuration Questions Brett_Birschba1 - Adobe Experience Manager
Thanks for the confirmation KBWEB. This kind of stuff makes me angry, because the features give an impression that clients can do a certain thing with the platform, but in reality (due to normal, practical reasons) they cannot. These features have been around long enough that they should be more fully functional than they currently are, and I think it's sad that your team is going to have to build a custom solution, spending the client's money doing so. Not your fault - Adobe should have these...
1187 Views | 1 Like | 0 Answers
Re: Asset Link Share from AEM - Security and Configuration Questions Brett_Birschba1 - Adobe Experience Manager
Yes, I understand the direction from Adobe, but it seems like an overall bad idea to allow outside world access to the Author which is why I'm asking the community if this is "truly" what should be done to enable Asset Link Sharing for a client. If not, then to some extent we're selling vaporware.

The checkbox to include original asset simply updates the download of renditions to *also* include the original - I don't see any option to remove the renditions (which in some cases could be very signifi...
1199 Views | 2 Likes | 0 Answers
Re: Asset Link Share from AEM - Security and Configuration Questions Brett_Birschba1 - Adobe Experience Manager
Ok, so the simple answers to my questions are...
- No it's not possible to get the link that was shared.
- No you cannot update the expiration of a shared link via the authoring interface (an admin can do it via CRX, but that's not practical for business use).

A bit disappointing, as both of these seem like they would be helpful and simple to implement. These are the types of things that get me in trouble with clients when they use features like this that were advertised to them...

Anyway, I still h...
1180 Views | 1 Like | 0 Answers
Re: Asset Link Share from AEM - Security and Configuration Questions Brett_Birschba1 - Adobe Experience Manager
I don't actually want to "edit" it per se - I'd like to be able to retrieve the URL so that I can copy and paste it to someone in an email or instant message or something. I realize the initial share executes an email, but after that point I don't see a way to get ahold of the link.

Also, it seems reasonable that someone would potentially want to extend the expiration of a share.
1185 Views | 1 Like | 0 Answers
Re: Asset Link Share from AEM - Security and Configuration Questions Brett_Birschba1 - Adobe Experience Manager
Hi Arun,

Yes, that link you provided is where I grabbed the list of pages I mentioned in my original post. In testing, it appears other paths (e.g. /etc.clientlibs) must also be opened to the public.

My question was more generally asking if allowing public access to the author server for link shares is standard practice, since most author servers sit securely behind a firewall.

Regarding Link Shares, yes, the method of seeing active Link Shares that you mention is how I am viewing them in AEM. Howe...
1178 Views | 0 Likes | 0 Answers
Asset Link Share from AEM - Security and Configuration Questions Brett_Birschba1 - Adobe Experience Manager
Is it standard practice to allow public access to the AEM Author (/linkshare.html, /linksharepreview.html, /linkexpired.html) for asset link sharing? I assume we would also need to open up paths like /etc.clientlibs and potentially others?

Once I've shared an asset, is there any way for me to recover the share URL or change the expiration? I can see "Shared Links" in the DAM navigation, but clicking one only allows me to "Unshare" - I don't see an option to view/edit.

Is there any way to configure...
5425 Views | 2 Likes | 12 Answers and Comments
Re: AEM Assets - Reorder Subassets/Pages in PDF/PPT Brett_Birschba1 - Adobe Experience Manager
Is the answer the same for Adobe PDF files?
692 Views | 0 Likes | 0 Answers
AEM Assets - Reorder Subassets/Pages in PDF/PPT Brett_Birschba1 - Adobe Experience Manager
Does the Adobe DAM support reordering pages (subassets) within a PowerPoint (PPT/PPTX) or PDF file? I have a client that is asking for this functionality, as their current DAM apparently supports this. I've experimented a bit with AEM 6.4 but though AEM is able to parse the PPT/PDF into subasset pages, I can't find any control that allows me to reorder those pages.

Assuming AEM does not support this functionality, what would a good suggested workaround for users that may not have direct access to...
727 Views | 0 Likes | 2 Answers and Comments