
I have some content in AEM and I am planning to export that content into a mobile app (React) in a headless way. I am using AEM Content as a Service and the Sling content exporter (Jackson) to export the content.

For example, http://localhost:4502/content/we-retail/language-masters/en/course.model.json will export some content to the frontend application (React mobile app). I want to protect this API call and return the JSON response only to my frontend application (React mobile app).

Basically I want to validate who is calling AEM. In this case I want to allow only the mobile app (React) to call AEM and reject all others. How do I protect my AEM content?

The one way I am thinking of is to use the Apache Sling Referrer Filter in AEM. The referrer filter will reject the request if we are not allowing the mobile app (React) in "Allow Host". Is this the correct way to handle it? Is there any other better way to handle this? How about using the Adobe Granite OAuth 2.0 server?

Please suggest what the available options are to protect the content in headless.

Mario R
  • I haven't fully understood your question. a) Is it a mobile app, or a ReactJS single-page application on your website? b) If it is a real app, is the content loading done once (e.g. a batch build process), or dynamically from the end user's device? PS: The solution should in any case not be in AEM, but on the Dispatcher. – Alexander Berndt Jun 23 '22 at 10:18
  • It is a mobile app; it is not a single-page application. Content loads from the Dispatcher, but the concern here is how AEM allows only the mobile app to get the content. Basically I want to restrict external people from connecting to AEM pages. – Mario R Jun 23 '22 at 15:02

1 Answer


As you give the app away (and it is based on JavaScript), you cannot get full security. Attackers could use a jailbroken phone and debug or decompile your app. But you can easily secure your API in a way that nobody can "accidentally" find the entrance, nor can the average hacker gain access.

The simple approach = SSL + Basic Auth

Make sure that your site is only accessible via HTTPS (= SSL). Then just add a Basic Auth password which is hard to guess. This is simple to implement (on the Dispatcher and in the app), and developers/operators could still test the API. Only make sure that the password is obfuscated in your app, so don't store it as plain text. A simple XOR encryption is probably enough.

The advanced approach = SSL with client-certificates

Instead of a Basic Auth password, you could use an SSL client certificate (implement that also on the Dispatcher, and NOT in AEM). This is probably a little bit over-engineered, and it can still get lost. But now the attacker must decompile your app to extract the certificate. The Basic Auth password could theoretically be "found" in other ways, or it could be attacked with brute force.

PS: In both cases you need to monitor your API with some intrusion detection. And you must be able to distribute new passwords or client certificates to legitimate clients.

PPS: Mobile security is a huge topic. This cannot be handled in a StackOverflow question. But to stop script kiddies from crawling your API, the simple approach is probably good enough.

Alexander Berndt
  • Thank you so much for your detailed response. In both cases AEM is not doing any check. How can the Dispatcher manage SSL + Basic Auth and SSL with client certificates? Do you want the Dispatcher to validate the user name and password in the Basic Auth case? Could you please share some reference on this? – Mario R Jun 24 '22 at 11:55
  • The Dispatcher is just an Apache web server with a mod_dispatcher module, which handles caching and invalidation. So just refer to the normal web server documentation https://httpd.apache.org/docs/2.4/howto/auth.html – Alexander Berndt Jun 24 '22 at 12:08
  • Thanks for the reference. Yeah, you are correct, the Dispatcher cannot do any check; it is used to cache and to do the load balancing. Apache may perform SSL + Basic Auth and SSL with client certificates. Sorry, I still have this doubt about how Apache can do this validation. Can Apache validate username and password? – Mario R Jun 24 '22 at 12:38
  • Alexander Berndt - can you please provide your input on https://stackoverflow.com/questions/73152395/how-to-configure-ssl-client-certificate-in-aem-dispatcher? – Mario R Jul 28 '22 at 11:48
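The two approaches from the answer (HTTPS + Basic Auth, and HTTPS with client certificates) as an added httpd configuration for the Dispatcher's Apache tier; this is example config written for this page, not the answer's own or Adobe's, and the hostnames, file paths, realm name and CA organisation name are assumptions, with the protected path taken from the question's we-retail models:

```apache
# Added example config for the Dispatcher's Apache httpd. All hostnames, file
# paths, the realm name and the CA organisation name are placeholders.

# Clear-text HTTP only redirects; the JSON models are never served over it.
<VirtualHost *:80>
    ServerName aem-publish.example.com
    Redirect permanent / https://aem-publish.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName aem-publish.example.com
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile    /etc/httpd/ssl/aem-publish.crt
    SSLCertificateKeyFile /etc/httpd/ssl/aem-publish.key
    Header always set Strict-Transport-Security "max-age=31536000"

    # Advanced approach: every client must present a certificate issued by
    # your own private CA. Placed at vhost level so the check happens in the
    # initial handshake instead of a renegotiation after the request is seen.
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/httpd/ssl/mobile-app-ca.pem

    # Simple approach: Basic Auth on the exported Sling models only.
    # Create the password file once with:
    #   htpasswd -B -c /etc/httpd/conf/models.htpasswd mobile-app
    <LocationMatch "^/content/we-retail/.*\.model\.json$">
        AuthType Basic
        AuthName "we-retail content API"
        AuthUserFile /etc/httpd/conf/models.htpasswd
        <RequireAll>
            Require valid-user
            # Also reject certificates that chain to any CA other than ours.
            Require expr %{SSL_CLIENT_I_DN_O} == "Example Mobile CA"
        </RequireAll>
    </LocationMatch>

    # Everything else is still handled by the Dispatcher module and its
    # dispatcher.any rules. Log user and client-cert CN for monitoring.
    LogFormat "%h %u %t \"%r\" %>s %{SSL_CLIENT_S_DN_CN}x" api
    CustomLog /var/log/httpd/aem-publish-access.log api
</VirtualHost>
```

Using either approach alone is the answer's "simple" or "advanced" option; the block combines them so that the same LocationMatch shows the password check and the certificate-issuer check side by side, and the access log records which credential each request carried, which is the monitoring the PS asks for.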