Sugar Coat Registered AEM Servlet Scripts and Paths Endpoint

In AEM we tend to write Sling Servlet OSGi services to expose JSON data, using the various service reference properties such as “sling.servlet.paths”, “sling.servlet.resourceTypes”, “sling.servlet.selectors”, and “sling.servlet.extensions”.

Example 1: DirectoriesServlet.java doGet Servlet Implementation (html extension):
This is an example of a servlet in AEM that retrieves the directories JSON data.

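// example for /content/mysite.directories.html
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import com.fasterxml.jackson.databind.ObjectMapper;

// HttpStatus, HttpHeaders, APPLICATION_JSON_UTF8, EXPIRE_IN_SECONDS (a String of
// seconds) and getDirectories() come from the project and are not shown in the post.
@SlingServlet(
    resourceTypes = "/apps/mysite/components/page/basepage",
    selectors = "directories", // must match the selector in the request path
    extensions = "html",
    methods = "GET")
public class DirectoriesServlet extends SlingSafeMethodsServlet {
    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response) throws ServletException, IOException {
        response.setStatus(HttpStatus.OK_200);
        response.setContentType(APPLICATION_JSON_UTF8);
        // Expires takes an HTTP date, not a number of seconds
        response.setDateHeader(HttpHeaders.EXPIRES, System.currentTimeMillis() + Long.parseLong(EXPIRE_IN_SECONDS) * 1000L);
        response.setHeader(HttpHeaders.CACHE_CONTROL, "max-age=" + EXPIRE_IN_SECONDS);
        // Serialize the directories to JSON and write them as the response body
        String json = new ObjectMapper().writeValueAsString(getDirectories());
        response.getWriter().write(json);
    }
}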

Example 2: StoresServlet.java doGet Servlet Implementation (json extension):
This is an example of a servlet in AEM that retrieves the stores JSON data.

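// example for /content/mysite.stores.json
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import com.fasterxml.jackson.databind.ObjectMapper;

// HttpStatus, HttpHeaders, APPLICATION_JSON_UTF8, EXPIRE_IN_SECONDS (a String of
// seconds) and getStores() come from the project and are not shown in the post.
@SlingServlet(
    resourceTypes = "/apps/mysite/components/page/basepage",
    selectors = "stores",
    extensions = "json",
    methods = "GET")
public class StoresServlet extends SlingSafeMethodsServlet {
    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response) throws ServletException, IOException {
        response.setStatus(HttpStatus.OK_200);
        response.setContentType(APPLICATION_JSON_UTF8);
        // Expires takes an HTTP date, not a number of seconds
        response.setDateHeader(HttpHeaders.EXPIRES, System.currentTimeMillis() + Long.parseLong(EXPIRE_IN_SECONDS) * 1000L);
        response.setHeader(HttpHeaders.CACHE_CONTROL, "max-age=" + EXPIRE_IN_SECONDS);
        // Serialize the stores to JSON and write them as the response body
        String json = new ObjectMapper().writeValueAsString(getStores());
        response.getWriter().write(json);
    }
}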

JSON Request:
Typically, multi-channel implementations such as mobile, smartwatches, kiosks, 3rd party websites, etc. will request JSON data with paths such as:

/content/mysite.directories.html
/content/mysite.stores.json

As you can tell, the paths stated above look unfinished, and such Sling Servlet Resolver scripts/paths may not be acceptable to present to end users. Revealing custom selectors or custom extensions is also unsuitable for security reasons, since it exposes detailed information; this can be easily resolved. We can add a layer of security, and also sugar-coat the revealed scripts/paths, by utilising the Apache Web Server’s Rewrite Flag, PT, as one of the many good practices to follow.

What is the Apache Web Server’s Rewrite Flag, PT?

The [PT] flag causes the result of the RewriteRule to be passed back through URL mapping as an Alias. Put simply, end users only see an alias of the JSON file, while the request is internally mapped to the correct path on the AEM publisher.

Examples of PT:

RewriteRule ^/api/directories\.json$ /content/mysite.directories.html [PT,L]
RewriteRule ^/api/stores\.json$ /content/mysite.stores.json [PT,L]
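
The alias rules above do not by themselves stop a client from requesting /content/mysite.stores.json directly, so the following added example (not from the original post) pairs them with a rule that refuses the internal paths. It assumes the directives sit in the virtual host in front of the AEM publisher.

```apache
# Added example; assumes server / <VirtualHost> context, as the leading "/"
# in the patterns implies. In this context the rule set runs once, top to bottom.
RewriteEngine On

# 1. Direct requests for the internal Sling paths get a 404 from the web server.
#    The pattern is tested against the URL-path the client asked for, so it
#    never fires for a request that arrived as /api/... and is rewritten below.
RewriteRule ^/content/mysite\.(directories|stores)\. - [R=404,L]

# 2. Public aliases. "\." matches a literal dot; an unescaped "." would also
#    accept a path such as /api/storesXjson.
RewriteRule ^/api/directories\.json$ /content/mysite.directories.html [PT,L]
RewriteRule ^/api/stores\.json$      /content/mysite.stores.json      [PT,L]
```

After reloading Apache, `curl -i` against /api/stores.json should return the JSON, and against /content/mysite.stores.json a 404.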

Finally, after the Rewrite rules have been set up, multi-channel implementations can request the JSON with these paths:

/api/directories.json
/api/stores.json

In summary, this is a standard way to secure your Servlets in AEM, and also to sugar-coat an AEM site’s Sling Servlet Resolver scripts/paths.

Also, do remember to add caching strategies to optimize the load on your AEM production publish instances.

Certified AEM Developer who has been working as an AEM software developer for the past 5 years.
