Cloud Manager DDOS - org.apache.sling.servlets.get.DefaultGetServlet~artifact-id.cfg.json | Community
New Participant
July 19, 2023
Solved

  • July 19, 2023
  • 2 replies
  • 1756 views

Hi, 

I'm trying to build a Production pipeline for Cloud Manager, but the "Sling default GET servlet is protected from DOS attacks" check is failing. In the log it's asking me to disable html and text for the Sling default GET servlet. I have created a file under ui.config/src/main/content/jcr_root/apps/my-project/osgiconfig/config/org.apache.sling.servlets.get.DefaultGetServlet~my-project.cfg.json to disable html, txt and xml, but the pipeline is still failing with the same error in Summary and Log.

These are the contents of the file.

{
  "enable.html": false,
  "enable.txt": false,
  "enable.xml": false,
  "json.maximumresults": 200
}

I checked in ConfigMgr, and html, text and xml are enabled. I thought creating this file would change the ConfigMgr settings for the Sling GET Servlet. Does anyone have any idea how I can change the config without ConfigMgr?

Best answer by EstebanBustamante

2 replies

EstebanBustamante
New Participant
July 19, 2023

The problem is that you are creating a new config for the Apache Sling GET servlet, which is wrong because it is not a factory; instead, you should configure the instance which is available by default. That being said, you just need to rename your config file to

org.apache.sling.servlets.get.DefaultGetServlet.cfg.json

instead of

org.apache.sling.servlets.get.DefaultGetServlet~my-project.cfg.json

Additionally, this should be already set if you are running in "Production Ready" mode.

Esteban Bustamante
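A small checker, added here as an example (not part of this thread, of Sling or of Adobe's Cloud Manager tooling), that applies the point above to the repository before a pipeline run: it flags a "~name" suffix on a DefaultGetServlet config file (which would target a factory instance this singleton servlet does not have), parses the cfg.json, and reports renderers left enabled or unset in the same wording the pipeline log uses. The file names and contents in SAMPLE_FILES are constructed, one of them being the poster's original file.

```python
import json
import re
from typing import Dict, List

GET_SERVLET_PID = "org.apache.sling.servlets.get.DefaultGetServlet"  # singleton, not a factory
# Keys the Cloud Manager check reports on -> renderer name used in its warning.
RENDERER_KEYS = {"enable.html": "HTML", "enable.txt": "plain text", "enable.xml": "XML"}
# Matches "<pid>.cfg.json" or the factory-style "<pid>~<name>.cfg.json".
_NAME_RE = re.compile(r"^(?P<pid>[A-Za-z0-9_.]+)(?:~(?P<name>[^/]+))?\.cfg\.json$")

# Constructed sample files (hypothetical repo content), keyed by file name.
SAMPLE_FILES: Dict[str, str] = {
    f"{GET_SERVLET_PID}~my-project.cfg.json":  # the poster's original file name
        '{ "enable.html": "false", "enable.txt": "false", "enable.xml": "false", "json.maximumresults": "200" }',
    f"{GET_SERVLET_PID}.cfg.json":  # correct name, but one renderer left on and one unset
        '{ "enable.html": false, "enable.txt": true, "json.maximumresults": 200 }',
}


def _is_enabled(value) -> bool:
    """cfg.json values may be real booleans or strings such as "false"."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() not in ("false", "0", "")


def check_config_file(name: str, content: str) -> List[str]:
    """Return the findings for one OSGi cfg.json file; an empty list means OK."""
    findings: List[str] = []
    m = _NAME_RE.match(name)
    if not m or m.group("pid") != GET_SERVLET_PID:
        return findings  # some other PID; nothing to check here
    if m.group("name"):  # "~name" would address a factory instance; this servlet has none
        findings.append(f"{name}: rename to {GET_SERVLET_PID}.cfg.json (not a factory config)")
    try:
        cfg = json.loads(content)
    except json.JSONDecodeError as exc:
        return findings + [f"{name}: invalid JSON ({exc.msg})"]
    for key, renderer in RENDERER_KEYS.items():
        if key not in cfg:  # unset keys keep whatever the running instance already has
            findings.append(f"{name}: {key} not set; {renderer} renderer keeps the instance default")
        elif _is_enabled(cfg[key]):
            findings.append(f"{name}: WARN - The default {renderer} renderer is enabled.")
    return findings


def check_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the check over {file name: content}, e.g. SAMPLE_FILES or a repo listing."""
    return {name: check_config_file(name, content) for name, content in files.items()}
```

Point check_files at the contents of your osgiconfig/config folder (read each *.cfg.json into the dict) to see the same three warnings before Cloud Manager does.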
MoiezMa (Author)
New Participant
July 19, 2023

@estebanbustamante I have other sites running in the same environment (multitenancy). Some of the sites are old and I think they might be fetching text from backend APIs. How important is it to have text and XML enabled? Is there a workaround to have a separate Sling GET Servlet for this project and leave text and XML enabled for the other sites?

EstebanBustamante (Accepted solution)
New Participant
July 19, 2023

This is part of the security checklist that you should go through in a production env, you can learn more from the links I pasted below, it mentions that only JSON is critical for internal operations, so you should be good. The other renders must be disabled by extra security measures.

https://sling.apache.org/documentation/bundles/rendering-content-default-get-servlets.html 

https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security-checklist.html?lang=en

Esteban Bustamante
Kiran_Vedantam
New Participant
July 19, 2023

Hi @moiezma 

Can you share the exact log of the build failure?

Thanks,

Kiran Vedantam

MoiezMa (Author)
New Participant
July 19, 2023

@kiran_vedantam here is the log. 

Sling Get Servlet - Failed
WARN - The default plain text renderer is enabled.
WARN - The default XML renderer is enabled.