Comments (4)
Also compare with the check in https://github.com/0ang3el/aem-hacker/blob/3ce91f217b259b0b4e6abd07f56d453b0c82b46b/aem_hacker.py#L619.
from aem-project-archetype.
makes it impossible to strip Authorization headers (except with workarounds like using mod_headers)
@kwin default_clientheaders.any does NOT need to be included from clientheaders.any:
https://github.com/adobe/aem-project-archetype/blob/develop/src/main/archetype/dispatcher.cloud/src/conf.dispatcher.d/clientheaders/clientheaders.any#L7
Customizable Files
(...)
conf.dispatcher.d/clientheaders/clientheaders.any
This file is included from inside your .farm files. It specifies what request headers should be forwarded to the backend.
vs
Immutable Configuration Files
(...)
conf.dispatcher.d/clientheaders/default_clientheaders.any
Default request headers to forward to the backend, suitable for a standard project. If you need customization, modify clientheaders.any. In your customization, you can still include the default request headers first, if they suit your needs.
AFAIK the Authorization header was added 2 years back to support authentication for Sync Doc APIs - see https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/implementing/developing/generating-access-tokens-for-server-side-apis.html?lang=en#the-server-to-server-flow
/cc: @jalagari
from aem-project-archetype.
@krystiannowak Thanks for the pointers. Still I would consider that an insecure default. Maybe you can somehow tweak the dispatcher to only allow the Bearer authentication scheme (https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#authentication_schemes) or at least block the Basic one by default. That would probably require an adjustment of the dispatcher module...
from aem-project-archetype.
@kwin /clientheaders is a simple list of strings (representing header names) as per https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/dispatcher-configuration.html?lang=en#specifying-the-http-headers-to-pass-through-clientheaders - so there is no filtering by value or matching any kind of regular expression in it
from aem-project-archetype.
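Added example, not code from the thread or from the aem-project-archetype project: because /clientheaders is a list of header names only, the value-based filtering the thread asks for has to be done one layer up, in Apache httpd. The snippet below assumes httpd 2.4 with mod_headers loaded, a vhost that ends in `SetHandler dispatcher-handler` as the archetype's vhost files do, and a clientheaders.any that still includes the default list (so "Authorization" is forwarded). The file paths in the comments are assumptions.

```apache
# --- conf.dispatcher.d/clientheaders/clientheaders.any (assumed content) ---
# The dispatcher list is names only; the module forwards ANY value of a
# listed header, so "Authorization: Basic ..." reaches the publish tier
# exactly like "Authorization: Bearer ...".
#
#   $include "./default_clientheaders.any"
#
# --- conf.d/available_vhosts/<name>.vhost (assumed location), inside the
# <VirtualHost> block, before "SetHandler dispatcher-handler" ---
<IfModule mod_headers.c>
    # Allow-list approach: drop the Authorization header unless its value
    # starts with the Bearer scheme (scheme names are case-insensitive).
    # Without "early" this runs in the fixup phase, which comes before the
    # content handler where mod_dispatcher reads the request headers, so the
    # backend never sees the stripped header. A missing header evaluates to
    # "" and the unset is then a no-op.
    RequestHeader unset Authorization "expr=%{req:Authorization} !~ m#^Bearer #i"

    # Deny-list alternative (the thread's minimum ask): keep everything but
    # Basic. Use one of the two rules, not both.
    # RequestHeader unset Authorization "expr=%{req:Authorization} =~ m#^Basic #i"
</IfModule>
```

Two caveats a practitioner would want: this only hides the header from the backend, it does not change which schemes the backend itself accepts, so an attacker with direct access to the publish instance is unaffected; and the thread does not establish whether the AEM as a Cloud Service dispatcher validator accepts `RequestHeader` in customer vhost files, so run the validator against the change before relying on it.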