Security Checklist

This section deals with the various steps that you should take to ensure that your AEM installation is secure when deployed. The checklist is meant to be applied from top to bottom. Note: There are some additional security considerations applicable at the development phase. Enabling the HTTPS transport layer on both author and publish instances is mandatory for a secure instance. It is highly recommended that any connections to remote services, such as databases or external data stores like Amazon S3, use encrypted connections as well. Ensure that you have installed the latest Security Hotfixes provided by Adobe.

Adobe strongly recommends that after installation you change the password for the privileged AEM admin accounts on all instances. These two accounts use separate credentials, and having a distinct, strong password for each is vital to a secure deployment. Here you can edit the admin account and change the password. Note: Changing the admin account also changes the OSGi web console account. After changing the admin account, you should then change the OSGi account to something different.

Aside from the AEM admin account, failing to change the default password for the OSGi web console can lead to exposure of the server with a default password during startup and shutdown, which can take minutes for large servers. For more information on changing the web console password, see Changing the OSGi web console admin password below. You must also change the password used for accessing the Web console.

Adobe recommends defining custom error handler pages, especially for and HTTP response codes, in order to prevent information disclosure. Note: See the knowledge base article How can I create custom scripts or error handlers for more details.

AEM Dispatcher is a critical piece of your infrastructure. Adobe strongly recommends that you complete the Dispatcher security checklist. Caution: Using the Dispatcher you must disable the ".

By default the Dispatcher configuration is stored in the dispatcher. The Dispatcher will never cache requests without an extension, requests with a query string, non-GET requests and, if properly configured, requests with an authentication header.

With the Dispatcher release 4. This header informs the Dispatcher not to cache the response. So, for instance, you can add the following code in your JSP: There are two ways you can achieve this. The first is a workaround which consists of creating a small JSP script with the command seen previously and including it as a sly command in the page: There already exist APIs with these features, such as the Fetch API, or it can be developed internally, since it could be a very widely used approach throughout projects.

The Sightly command in this case would become: Dispatcher default policies avoid caching of dynamic pages automatically. Anyhow, it may be necessary to extend those rules to pages that normally would be cached. This is possible by setting the rules inside dispatcher.

Cache Dispatcher Request, by Jonas Magdaleno.

Comment by Ignazio Locatelli, July 12: This represents an interesting solution to change the way you manage dynamic pages. I very much like the possibility of avoiding page caching if the page contains dynamic components. But this needs to be considered with attention, because very complex pages with few dynamic components can be better structured as a static cached page calling a non-cached AJAX page for the dynamic part. Interesting solution, but to be evaluated with attention case by case.

Once you have changed the password for the AEM admin account, you will need to use the new password when accessing CRX. This change will also be applied to the admin account used for accessing the Web console, so you will need to use the same password when accessing that.


Changing the OSGi web console admin password

You must also change the password used for accessing the Web console. The password must be changed after the initial installation to ensure the security of your instance.

Verification Steps

Configure replication and transport users

A standard installation of AEM specifies admin as the user for transport credentials within the default replication agents. Also, the admin user is used to source the replication on the author system.

For security considerations, both should be changed to reflect the particular use case at hand, with the following two aspects in mind: The transport user should not be the admin user. Rather, set up a user on the publish system that has access rights only to the relevant portions of the publish system, and use that user's credentials for the transport.

You can start from the bundled replication-receiver user and configure this user's access rights to match your situation. The replication user, or Agent User Id, should also not be the admin user, but a user who can only see content that is supposed to be replicated. The replication user is used to collect the content to be replicated on the author system before it is sent to the publisher.

Check the Operations Dashboard Security Health Checks

AEM 6 introduces the new Operations Dashboard, aimed at helping system operators troubleshoot problems and monitor the health of an instance.

The dashboard also comes with a collection of security health checks. It is recommended that you check the status of all the security health checks before going live with your production instance. For more information, consult the Operations Dashboard documentation.

Check if Example Content is Present

All example content and users e. The sample We.Retail applications are removed if this instance is running in Production Ready Mode.

If, for any reason, this is not the case, you can uninstall the sample content by going to Package Manager, then searching for and uninstalling all We.Retail packages. For more info, see How to Work With Packages.

Check if the CRX development bundles are present

These development OSGi bundles should be uninstalled on both author and publish productive systems before making them accessible.

This OSGi bundle should be uninstalled on both author and publish productive systems before making them accessible. For more information on how to use it, consult the documentation.

Configuring Dispatcher

Dispatcher versions are independent of AEM.

You may have been redirected to this page if you followed a link to the Dispatcher documentation that is embedded in the documentation for a previous version of AEM.

Dispatcher Configuration Files

By default the Dispatcher configuration is stored in the dispatcher.


The configuration file contains a series of single-valued or multi-valued properties that control the behavior of Dispatcher: If your configuration file is large, you can split it into several smaller files that are easier to manage, then include these. For example, to include the file myFarm.

Using Environment Variables

You can use environment variables in string-valued properties in the dispatcher.

For example, if the dispatcher. Use a single farm when you want Dispatcher to handle all of your web pages or web sites in the same way.

Create multiple farms when different areas of your web site or different web sites require different Dispatcher behavior. Use a property name that uniquely identifies the farm within the Dispatcher instance.

The value can include any alphanumeric a-z, character. If you use more than one render farm, the list is evaluated bottom-up. This is particularly relevant when defining Virtual Hosts for your websites. For permission-sensitive caching, see Caching Secured Content. In some instances, you might want to forward additional headers, or remove specific headers: Remove headers, such as authentication headers, that are only relevant to the web server.

If you customize the set of headers to pass through, you must specify an exhaustive list of headers, including those that are normally included by default. The PATH header enables communication between the replication agent and the Dispatcher. The following example configuration handles requests for the. Dispatcher evaluates the values in the virtualhosts properties in the following order: Dispatcher begins at the lowest farm and progresses upward in the dispatcher.

For each farm, Dispatcher begins with the topmost value in the virtualhosts property and progresses down the list of values. The first-encountered virtual host that matches all three of the host, the scheme and the uri of the request is used. If no virtualhosts value has scheme and uri parts that both match the scheme and uri of the request, the first-encountered virtual host that matches the host of the request is used.

After some research and configuration, I eventually got the custom Servlet published.

These were the general steps I followed: I later revisited the servlet to include the custom functionality we needed, but this base servlet allowed me to at least confirm that my GET and POST requests were getting through.


Once the servlet was deployed, I was able to test connectivity in a web browser that had already been authenticated with AEM. While working through this issue in AEM 6. In the order I encountered them, they were:

The Referrer Header Filter Service

The first layer of security that my request was bumping up against was the Referrer Header layer, which essentially ensured requests were originating from an accepted Origin. However, since my requests were originating externally using Postman, they were being blocked. However, I did come across OSGi configurations that could be implemented to allow external referrers. Simply add the servlet path as an Excluded Path filter. Omitting this property could lead to difficulties when replicating code packages between Author and Publish instances.

This may not always be necessary, especially if your servlet will be used only by authenticated users e. Since I was building a servlet to handle AJAX form submissions, I needed to allow requests from non-authenticated users originating on Publish instances. I added the servlet path to the Authentication Requirements list sling. Next I needed to add a line to the filters section of my dispatcher any file to allow POST requests to pass through unobstructed.

The line was pretty simple, and included the request type and a GLOB for the URL path since it included a wildcard for future servlets. In order to do this, we needed to create a new Behavior inside of our existing Distribution.

We kept the Origin the same as our Default Behavior, but made a few non-default configurations highlighted in red.


AEM Document Security 11.0 Extension for Microsoft Office Release Notes

Note: Disabling the privacy notice does not disable document usage auditing. Actions such as document open, print, close, and many more can still be audited. Note: Do not install the software in a folder whose name contains double-byte characters. Perform the following steps to update the Registry and enable the ribbon-less user interface:

Document Security Extension provides a registry setting to make the dynamic watermark co-exist with existing headers and footers. The registry setting makes the watermark available only during printing. Perform the following steps to update the Registry and enable watermarks during printing:

AEM Document Security

This implementation may disable some Excel, Word, and PowerPoint menu options. You can see this phrase in the taskbar.

The documentation states incorrectly that it is restricted only by the Copy permission. In Microsoft Word and Excel, the following options are unavailable during a protected session: Note: The ability to start a workflow from Word, Excel, and PowerPoint is available only in the Office Professional Plus, Office Enterprise, and Office Ultimate suites, as well as in the stand-alone versions of these programs.

In Microsoft Excel, the following options are unavailable during a protected session: For Microsoft Excel files that are protected by Document Security Extension for Microsoft Office, the structure of the workbook is protected. This protection of the workbook disables certain functionality.

For example, the Advanced Properties menu is disabled for protected Excel documents. Opening the protected document: If you try to open a protected document in Document Security Extension for Microsoft Office from SharePoint Server without first opening the Microsoft Office program associated with the file type, such as Microsoft Word, Microsoft Excel, or Microsoft PowerPoint, the document may not open.

An error message is displayed indicating that you must install the applicable plug-in.


Hence, it is recommended that you open the associated Microsoft Office program, before you open a protected document in Document Security Extension for Microsoft Office from SharePoint Server.

(Optional) It is recommended that you clear your cache folder before opening a protected document in Document Security Extension for Microsoft Office from SharePoint Server. After opening the protected document: When you open a protected document from SharePoint Server, all permissions on the document are disabled, regardless of the policy that was applied.

Microsoft PowerPoint users who have the permission to modify the document but do not have permission to copy any of its content cannot use the clipboard to copy and paste content within the document. When you apply a policy with a dynamic watermark to an Excel file on a computer that has no printers installed and then save the file, the following error appears: "Internal error while applying dynamic watermark."

When you protect an Excel file using Rights Management Extension, the Share Workbook feature becomes disabled, and you cannot secure the file. If you try to protect an Excel file that is already shared, Document Security cannot secure the file.

Before you install the Document Security Extension plug-in on a machine that has a Microsoft Office application with an unsupported language, open the Office application at least once. The Synchronize Off-Line button is available even though the user does not have offline permissions for the document.

However, selecting the button does nothing. If a cell of a Microsoft Excel document contains an image or is filled with a background color and a dynamic watermark policy is applied to the document, then the image or the background color in the cell appears on top of the watermark and covers it.

If multiple certificates are present on the client machine and the user cancels the certificate selection dialog, the dialog appears once again and the user has to cancel it twice. For more details, see Enable ribbon-less user interface. The notice informs the user that the document usage is being audited. Now, you can control the behavior of the privacy notice.