Reputation: 424
Why AEM returns 403 for requests without extensions?
By default all the GET requests go to DefaultGetServlet first. Based on the extension, it delegates the request to renderers. Now, if there is no extension in the request URI, why AEM sends 403 (Forbidden) ? At the most, if AEM is unable to serve this, it may send a BAD REQUEST instead. AEM sends 403 even if you are logged in as an admin user (Which has highest level of authorization, if that helps).
Example:
http://localhost:4502/content/geometrixx/en/events
this URL will be responded with 403. Whereas
http://localhost:4502/content/geometrixx/en/events.html
will be served without any problems.
Upvotes: 3
Views: 2381
Answers (3)
Reputation: 1039
Adding to the above, as mentioned by Ahmed:
With the URL "http://localhost:4502/content/geometrixx/en/events" StreamRendererServlet will get executed and resolves to redirect logic ending with /.
// redirect to this with trailing slash to render the index
String url = request.getResourceResolver().map(request,resource.getPath())+ "/";
response.sendRedirect(url);
Once redirected to "http://localhost:4502/content/geometrixx/en/events/"
The same StreamRendererServlet resolves to directory listing logic.
// trailing slash on url means directory listing
if ("/".equals(request.getRequestPathInfo().getSuffix())) {
renderDirectory(request, response, included);
return;
}
In the renderDirectory as indexing will be false,
if (index) {
renderIndex(resource, response);
} else {
response.sendError(HttpServletResponse.SC_FORBIDDEN);
}
a 403 Forbidden response will be sent.
You can change this behavior by enabling "Auto Index" for "Apache Sling GET Servlet" felix configuration console.
Upvotes: 5
Reputation: 1190
Adding on to what Ahmed said:
Without extension, Sling assumes that you are trying to list the contents of that directory path and looks for an index file under that path. When it doesn't finds that index file, it throws back the forbidden error.
If you add an index file under the events node and try to request the same extensionless url, it will serve that index file.
That is to say, when you add the index file (index.html) under /content/geometrixx/en/events,
all requests to http://localhost:4502/content/geometrixx/en/events or http://localhost:4502/content/geometrixx/en/events/index.html will return the same result.
Upvotes: 1
Reputation: 9753
As of this sling ticket SLING-1231 closed in 2009, if no renderer is found the return status code should be 404.
you can see that in the sling sourcecode for DefaultGetServlet.java in the doGet method. source
The following tested on AEM 6.3 but should be the same for 6.0+
For example, if you tried to visit http://localhost:4502/content/geometrixx/en/events.something you'd get a 404 and the sling progress tracker would log No renderer for extension something
Now, if I may rephrase your question, why does extension=null return a 403?
If you look at the sling progress tracker response, you'll probably notice this log:
Using org.apache.sling.servlets.get.impl.helpers.StreamRendererServlet to render for extension=null
Which means that for a null extension, Sling will use the StreamRendererServlet(source) to try and render the resource. Somewhere in that code or probably a filter applied after causes the 403 response code you see. You'll have to debug that one yourself and find out where exactly a 403 is returned.
Upvotes: 4
Related Questions
- AEM Apache Dispatcher 2.4.6 client denied by server configuration
- How to put "Access-Control-Allow-Origin: *" header in a sling node
- Getting org.apache.sling.api.SlingException: Exception during response processing
- AEM - URL does not change with RequestDispatcher forward
- 403 Sling Post servlet
- 403 Response From Adobe Experience Manager OAuth 2 Token Endpoint
- AEM resource resolver failing
- CQ5 Sling default servlets, same extension but different accepts methods
- Can Sling mappings be restricted to requests with host header
- How to properly check selectors and extensions via RequestPathInfo