AEM: 403 Forbidden occurs when call a Post servlet

Backend  Unresolved  3  1850
星月不相逢 2021-01-25 13:19

My problem is similar to this one: CQ5: 403 Forbidden occurs when call a Post servlet, but in AEM 6.1.

According to the accepted answer in the above topic, I must remove POST from A

3 answers
  • 2021-01-25 13:33

    If you are trying to POST data to an AEM instance from outside AEM, that's the solution. It's not advised for security reasons. But if it's a must, you could add authentication to your POST requests and set up the CSRF security measures. In addition to this you could set up your dispatcher to allow the POST request only to selective paths and block the remaining. Even so, following all this doesn't guarantee complete security.

    For alternatives, I am not sure what your use case is, but you could create a form in AEM and handle the POST via that form, and on whatever external resource you are currently trying to send the POST to AEM from, include this form as an iframe.

  • 2021-01-25 13:35

    If you are testing your code in author mode, you get a 403 Forbidden error for the request. This requires a CSRF token (introduced in AEM 6.1 to perform checks on POST, PUT and DELETE requests from the browser against CSRF attacks). The CSRF token is validated on form submission at the server side. The CSRF protection framework is loaded if the granite.jquery dependency is added, or you can declare the dependency granite.csrf.standalone to use the framework. On publish it should work fine before login.

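The token flow this answer describes, as an added example (not from the original post): the client fetches a token from AEM's CSRF endpoint and sends it back in the `CSRF-Token` header on the POST. The endpoint path and header name follow Adobe's CSRF Protection Framework documentation; the mock AEM transport, the base URL and the token value are constructed for offline use.

```javascript
// Added example: obtain a CSRF token from AEM's token endpoint and attach it
// to a POST. Endpoint path and header name are from Adobe's CSRF Protection
// Framework docs; the mock transport below is constructed for offline use.
const TOKEN_ENDPOINT = "/libs/granite/csrf/token.json";
const CSRF_HEADER = "CSRF-Token";

// Fetch a fresh token from the instance. `fetchImpl` is injected so the same
// function runs against window.fetch in a browser or against the mock here.
async function getCsrfToken(fetchImpl, baseUrl) {
  const res = await fetchImpl(baseUrl + TOKEN_ENDPOINT, { credentials: "same-origin" });
  if (!res.ok) throw new Error("token request failed: " + res.status);
  const data = await res.json();
  if (typeof data.token !== "string" || data.token.length === 0) {
    throw new Error("token endpoint returned no token");
  }
  return data.token;
}

// POST to a Sling servlet with the token in the CSRF-Token header.
async function postWithCsrf(fetchImpl, baseUrl, servletPath, body) {
  const token = await getCsrfToken(fetchImpl, baseUrl);
  return fetchImpl(baseUrl + servletPath, {
    method: "POST",
    credentials: "same-origin",
    headers: {
      [CSRF_HEADER]: token,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: new URLSearchParams(body).toString(),
  });
}

// Constructed mock of the AEM side: hands out one token and answers 403 to any
// POST that does not echo it back, mirroring the error seen in the question.
function makeMockAem(validToken) {
  return async (url, opts = {}) => {
    const method = opts.method || "GET";
    if (method === "GET" && url.endsWith(TOKEN_ENDPOINT)) {
      return { ok: true, status: 200, json: async () => ({ token: validToken }) };
    }
    if (method === "POST") {
      const sent = (opts.headers || {})[CSRF_HEADER];
      const status = sent === validToken ? 200 : 403;
      return { ok: status === 200, status, json: async () => ({}) };
    }
    return { ok: false, status: 404, json: async () => ({}) };
  };
}
```

In a real page, pass `window.fetch` as `fetchImpl` and the instance origin as `baseUrl`; the mock only exists so the two outcomes (token present vs. missing) can be exercised without a server.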
  • 2021-01-25 13:52

    The POST call is needed for the modification of the content. There will be no harm until and unless your instances are not protected by some additional request handling mechanism in front of AEM, such as the dispatcher and Akamai servers, where you can apply a request filter at the dispatcher, and before that even at the Akamai level, and allow only the exact POST requests that are application specific.

    Dispatch filter example:

    This shows how to allow only the POST call to a @SlingServlet(paths = "/bin/sling/myproj/exampleauthhandler"):

    /filter {
        # deny every request first; the later matching rule overrides it
        /0001  { /glob "*" /type "deny" }
        # re-allow only POST to this one servlet path
        /0999 { /type "allow" /method "POST" /url "/bin/sling/myproj/exampleauthhandler" }
    }

    You can find more information on the AEM dispatcher here:

    https://docs.adobe.com/docs/en/dispatcher/disp-config.html

    We also have the methods PUT and PATCH, which are also worthy but not best suited for real-time scenarios.

    PATCH :: https://tools.ietf.org/html/rfc5789

    You can also find a good discussion of PUT vs PATCH here:

    REST API - PUT vs PATCH with real life examples
