how to add a filter if there is no web.xml in AEM (cloud version) | Community
New Participant
November 17, 2022
Solved

how to add a filter if there is no web.xml in AEM (cloud version)

  • November 17, 2022
  • 3 replies
  • 2460 views

We understand AEM is not a J2EE container, but it does have filters.

 

We are trying to integrate datadome, which is a bot protection system to prevent hacking.

 

This is what needs to be added to the equivalent of web.xml:

<web-app>
  ...
  <filter>
    <filter-name>datadome-filter</filter-name>
    <filter-class>co.datadome.api.servlet.DataDomeFilter</filter-class>
    <init-param>
      <param-name>datadome.apikey</param-name>
      <param-value>YOUR_SECRET_LICENSE_KEY</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>datadome-filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  ...
</web-app>

 

 

 

Any idea how one might do this with AEM Cloud?

Maybe we can write a filter as a proxy to the required filter?

I'm thinking something like this, but it's a complete guess:

@Component(service = Filter.class)
@SlingServletFilter(scope = {SlingServletFilterScope.REQUEST},
                    pattern = "/.*",
                    methods = {"GET", "POST"})
@Slf4j
@ServiceRanking(100)
public class DDFilter implements Filter {

    // The third-party filter this class delegates to
    co.datadome.api.servlet.DataDomeFilter ddfilter;

    public void destroy() {
        ddfilter.destroy();
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        ddfilter.doFilter(req, resp, chain);
    }

    public void init(FilterConfig config) throws ServletException {
        ddfilter = new co.datadome.api.servlet.DataDomeFilter();
        ddfilter.init(??); // open question: which FilterConfig to pass so that datadome.apikey is set
    }
}

 

 

 


3 replies

New Participant
November 17, 2022

Yes, your assumption is correct

No web.xml or other configuration files to enable the filter; just add filter class to the core bundle

 

Sample

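import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.engine.EngineConstants;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.propertytypes.ServiceDescription;
import org.osgi.service.component.propertytypes.ServiceRanking;
import org.osgi.service.component.propertytypes.ServiceVendor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component(service = Filter.class,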
           property = {
                   EngineConstants.SLING_FILTER_SCOPE + "=" + EngineConstants.FILTER_SCOPE_REQUEST,
           })
@ServiceDescription("Demo to filter incoming requests")
@ServiceRanking(-700)
@ServiceVendor("Adobe")
public class LoggingFilter implements Filter {

    private final Logger logger = LoggerFactory.getLogger(getClass());

    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response,
                         final FilterChain filterChain) throws IOException, ServletException {

        final SlingHttpServletRequest slingRequest = (SlingHttpServletRequest) request;
        logger.debug("request for {}, with selector {}", slingRequest
                .getRequestPathInfo().getResourcePath(), slingRequest
                .getRequestPathInfo().getSelectorString());

        filterChain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }

}

Regards

Albin

www.albinsblog.com

TB3dockAuthor
New Participant
November 17, 2022

Thanks for the reply. Unfortunately, we are not trying to write our own filter (we already have several of these); we are trying to integrate a 3rd party filter.

joerghoh
joerghohAccepted solution
Employee
November 27, 2022

AEM 6.x does not come with a web.xml anymore (early CQ5 versions did), so you cannot integrate this filter in the way which is documented by the filtering product. You need to create a wrapper (I would implement it on the OSGI Http Whiteboard level, not as a SLING filter), and then call this filter code.

For the details of the OSGI HTTP whiteboard you can check the specification at https://docs.osgi.org/specification/osgi.cmpn/7.0.0/service.http.whiteboard.html#d0e121055
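
Added example, not part of the original thread and not Adobe's or DataDome's own code: one way to build the wrapper described in the accepted answer, registering a delegate filter through the OSGi HTTP Whiteboard and handing `DataDomeFilter` the `datadome.apikey` init parameter that web.xml would have supplied. The class name `DataDomeWhiteboardFilter`, the `Config` interface and the context-select value are assumptions, as is the DataDome library being available to the bundle.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import org.osgi.service.component.annotations.*;
import org.osgi.service.metatype.annotations.*;

// REQUIRE: the wrapper is only registered once an OSGi configuration with the key exists.
@Component(service = Filter.class, configurationPolicy = ConfigurationPolicy.REQUIRE, property = {
        "osgi.http.whiteboard.filter.pattern=/*",
        // Assumption: select every servlet context so Sling-handled requests are covered.
        "osgi.http.whiteboard.context.select=(osgi.http.whiteboard.context.name=*)" })
@Designate(ocd = DataDomeWhiteboardFilter.Config.class)
public class DataDomeWhiteboardFilter implements Filter {

    @ObjectClassDefinition(name = "DataDome filter wrapper (example)")
    public @interface Config {
        // Maps to the OSGi property "datadome.apikey", so the key stays out of source code.
        @AttributeDefinition(type = AttributeType.PASSWORD)
        String datadome_apikey();
    }

    private final Filter delegate = new co.datadome.api.servlet.DataDomeFilter();
    private String apiKey;

    @Activate
    protected void activate(Config cfg) {
        apiKey = cfg.datadome_apikey();
    }

    @Override
    public void init(final FilterConfig container) throws ServletException {
        // Stands in for the <filter>/<init-param> block of web.xml.
        delegate.init(new FilterConfig() {
            public String getFilterName() { return "datadome-filter"; }
            public ServletContext getServletContext() { return container.getServletContext(); }
            public String getInitParameter(String n) {
                return "datadome.apikey".equals(n) ? apiKey : container.getInitParameter(n);
            }
            public Enumeration<String> getInitParameterNames() {
                List<String> names = Collections.list(container.getInitParameterNames());
                names.add("datadome.apikey");
                return Collections.enumeration(names);
            }
        });
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        delegate.doFilter(req, res, chain);
    }

    @Override
    public void destroy() { delegate.destroy(); }
}
```

Because the key arrives through OSGi configuration, it can be set per environment instead of being committed with the bundle.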

joerghoh
Employee
November 17, 2022

What do you want your CS environment to protect against?

I think that AEM by itself (of course not necessarily the application you build on top of it) is quite immune against many of the typical "attacks", because it's not a "typical" Java application (no spring, hibernate, SQL etc). This is especially true if you implement the security checklist properly. But I wonder what this filter (which I have never heard of) should help you here.

Can you elaborate in a bit more detail, what type of attack this filter should prevent?

TB3dockAuthor
New Participant
November 17, 2022

This is to protect against bots filling out and submitting account registration forms, to stop account harvesting by bots repeatedly calling the "does this email exist" api, to stop bots from brute force password checks (usually from list of known/stolen passwords for a given account), to stop bots hitting our document uploader etc, to stop networks trying to abuse bonuses, to block blacklisted countries and IPs, and also has easy "kill switch" and alerting when you are under attack. It's not for DDoS, it's to mitigate every other type of automated attack.

 

It does a similar job to google recaptcha, but without forcing 10% of valid customers to "select lamp posts" (v2) or us having to implement our own tuning algorithms and captcha (V3).

 

This protection is absolutely and 100% required for a high volume online gaming website.

 

Datadome does this by tracking (and blocking) known bot IPs (frequently from large networks of bot infested PCs) using honey pots and learning from attacks, from behaviour analysis (learns how real users use the site), and by analysis of the client. Whereas google captcha v2 has a false positive rate of around 10%, datadome has around 0.1%.

 

Cloudflare have a similar product, which we have also used.

Jagadeesh_Prakash
New Participant
November 17, 2022