
Cross-Site Request Forgery (CSRF) is listed among the OWASP (Open Web Application Security Project) Top 10 web application security risks (it appears in the 2013 edition of the list).

What is CSRF?
CSRF is a serious attack in which a malicious third party (a website, blog or program) causes an authenticated user's browser to send a request that performs an unwanted action on a trusted site. Because the browser attaches the user's session cookies automatically, the trusted site cannot tell the forged request from a legitimate one, and the action takes place without the knowledge of the legitimate user.

To mitigate this, state-changing requests that do not originate from the site itself have to be rejected. OWASP recommends two defences, used together:
1. Check the standard headers (Origin/Referer) to verify that the request comes from the same origin or a trusted origin, AND
2. Check a CSRF token before serving the request.

How does AEM handle this?
AEM applies both defences, as described in the Adobe docs:

  1. It automatically injects a cryptographic token into all forms and AJAX requests made through its client libraries, and verifies that token on every POST request.
  2. It has a Referer-header based filter that only accepts POST requests from whitelisted hosts.

Injecting the CSRF token:

Requirements: the CSRF protection framework ships with the granite.jquery client library, and the HMAC key stored at /etc/keys/hmac must be replicated to all instances, otherwise a token issued by one publish instance fails validation on another instance behind the load balancer. If granite.jquery is not loaded on your page, add the CSRF client library to your component's client libraries.

Generating the CSRF token:
Only an authenticated session can obtain a token, so a request from an unauthenticated client cannot pass the token check.
Accessing /libs/granite/csrf/token.json returns the token as {"token":"ey….U0"}
The token is an HMAC-signed value whose payload carries two claims, the expiry and issue time: {"exp":, "iat":}

Injection: the generated token has to be sent with the POST request as the CSRF-TOKEN header (CSRF-TOKEN: <token>).

NOTE: The dispatcher configuration needs to allow the URL /libs/granite/csrf/token.json and pass the CSRF-TOKEN header through to AEM (it must be listed under /clientheaders).

Referer-header configuration:

To allow trusted servers, AEM ships a referrer filter that can be configured.
In the config manager there is a configuration called “Apache Sling Referrer Filter“ with the following settings:

  • which HTTP methods are filtered (POST, PUT and DELETE by default)
  • whether an empty Referer header is allowed
  • a whitelist of servers (host names or regular expressions) allowed in addition to the server's own host.
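An added example, not from the original post or from Adobe's documentation, of what these settings look like as an OSGi configuration file for the filter (PID org.apache.sling.security.impl.ReferrerFilter, in Felix .config syntax, dropped into a config run-mode folder). The first variant is the weak setting, the second the corrected one; the host names are assumptions.

```text
# Weak: a wildcard regexp makes any Referer acceptable, and requests with no
# Referer at all are let through, so the filter stops nothing.
allow.empty=B"true"
allow.hosts=[]
allow.hosts.regexp=[".*"]
filter.methods=["POST"]

# Corrected: only the site's own hosts may originate state-changing requests,
# a missing Referer is rejected, and PUT and DELETE are filtered like POST.
allow.empty=B"false"
allow.hosts=["www.example.com","author.example.com"]
allow.hosts.regexp=[]
filter.methods=["POST","PUT","DELETE"]
```

The two blocks are alternative contents for the same file, not one file. Check the effect with a POST whose Referer names a foreign host: the filter should answer 403. Setting allow.empty to false also rejects non-browser clients that send no Referer at all (curl, integration scripts), so such clients have to supply a Referer header explicitly rather than the filter being loosened for everyone.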

Separately from these two defences, browser cross-origin access (CORS) can be enabled with JSONP calls or by setting the Access-Control-Allow-Origin response header. Note that this is a response header set by the server, not something a client can manipulate in its request, and it should whitelist only the origins that really need cross-origin access.

Up to AEM 6.2 the official release only accepts authenticated POST calls from external sources.

AEM 6.3 introduced a Cross-Origin Resource Sharing configuration that allows both authenticated and unauthenticated client-side calls, with settings for the allowed methods (POST, GET, DELETE, etc.) and origins.

The config manager has a configuration named “Adobe Granite Cross Origin Resource Sharing Policy“. This is explained in the Adobe documentation.

How to Identify the Encoding of the Request (String Encoding)



Today I've come across an issue between two sites my client is hosting: one site is internal and the other is for end users. On the internal site we don't do any encoding of the requests, whereas the other site is UTF-8 encoded.

When I process the request parameters from both sites for encoding in my servlet, a conflict occurs (obviously). So before I do any encoding I should identify whether the input is already encoded or not.

In this blog I'm going to explain how to do this. To identify the encoding I used the Java NIO (New I/O) API, available from Java 1.4 (JDK 1.4) onward. The difference between IO and NIO is explained in this blog.

java.nio.charset.CharsetDecoder does the trick. My interest was to identify whether the bytes behind a String (which Java itself holds as UTF-16) are UTF-8 encoded or not.

Charset.forName("UTF-8").newDecoder() returns a UTF-8 CharsetDecoder. A newly created decoder reports malformed input instead of silently replacing it, so decoding a byte array that is not valid UTF-8 throws CharacterCodingException. The snippet below does this work. Note what the check proves: a byte array that decodes cleanly is well-formed UTF-8, which is not quite the same as having been written by a UTF-8 encoder; pure ASCII passes under both charsets, so the test answers "can this be read as UTF-8" rather than "which encoding produced it".


import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CharsetDecoder;
import java.nio.charset.StandardCharsets;

try {
    // a new decoder uses CodingErrorAction.REPORT, so malformed input throws
    CharsetDecoder charsetDecoder = Charset.forName("UTF-8").newDecoder();
    charsetDecoder.decode(ByteBuffer.wrap(bytes)); // bytes is a byte[]
    System.out.println(new String(bytes, StandardCharsets.UTF_8) + " is UTF-8 encoded");
} catch (CharacterCodingException e) {
    // not valid UTF-8: read the bytes as single-byte ISO-8859-1 instead
    System.out.println(new String(bytes, StandardCharsets.ISO_8859_1) + " is not UTF-8 encoded");
}

Java NIO works on buffers, hence the ByteBuffer in this snippet.

This thread helped me identify the solution to this problem. Using Charset.forName we can obtain other character sets and run the same check against them.

You can adapt this snippet to your application's needs.

Note: to form a String from an encoded byte array, use the String constructor, which decodes the bytes while creating the String object. Pass the Charset explicitly (new String(bytes, StandardCharsets.UTF_8)); new String(bytes) alone uses the platform default charset, which differs between machines.
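The same check as an added JavaScript example (not from the original post, whose code is Java): the WHATWG TextDecoder in fatal mode plays the role of the CharsetDecoder, and a hand-rolled ISO-8859-1 fallback stands in for the "not encoded" site. The sample byte arrays are constructed inline and the function names are this example's own.

```javascript
// Added example, not from the original post. Assumes a runtime with
// TextDecoder (browsers, Node 11+).
const strictUtf8 = new TextDecoder('utf-8', { fatal: true });

// True if bytes are well-formed UTF-8. In fatal mode the decoder throws a
// TypeError on overlong forms, lone surrogates and truncated sequences, which
// is the same behaviour as the Java decoder with CodingErrorAction.REPORT.
function isValidUtf8(bytes) {
  try {
    strictUtf8.decode(bytes);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

// ISO-8859-1 maps every byte to the code point of the same value, so this can
// never fail; it is the fallback for the single-byte ("not encoded") site.
// Done by hand because TextDecoder('latin1') actually selects windows-1252.
function decodeLatin1(bytes) {
  return String.fromCharCode(...bytes);
}

// Decode as UTF-8 when the bytes allow it, otherwise as ISO-8859-1, and say
// which path was taken so the caller does not encode the value a second time.
function decodeRequestParam(bytes) {
  if (isValidUtf8(bytes)) return { charset: 'UTF-8', text: strictUtf8.decode(bytes) };
  return { charset: 'ISO-8859-1', text: decodeLatin1(bytes) };
}

// Constructed samples: "café" as UTF-8 and as Latin-1, plus two sequences a
// lenient decoder might accept but a strict one must not.
const SAMPLES = {
  utf8:      Uint8Array.from([0x63, 0x61, 0x66, 0xC3, 0xA9]),
  latin1:    Uint8Array.from([0x63, 0x61, 0x66, 0xE9]),
  overlong:  Uint8Array.from([0xC0, 0xAF]),             // overlong encoding of "/"
  truncated: Uint8Array.from([0x63, 0x61, 0x66, 0xC3]), // lead byte without continuation
};

for (const [label, bytes] of Object.entries(SAMPLES)) {
  const { charset, text } = decodeRequestParam(bytes);
  console.log(label, '->', charset, JSON.stringify(text));
}
```

Rejecting the overlong and truncated samples matters beyond correctness: an overlong encoding of "/" or "." is the classic way to smuggle a path separator past a filter that inspects the bytes before a lenient decoder normalises them, so the strict decoder should run before any such check.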


OSGi Components – What, Why and How



The basic structure in OSGi is the bundle, which is what enables modular development (the core benefit of the framework). A bundle is basically a JAR file containing Java classes plus OSGi metadata in its manifest.

A bundle participates in a life cycle (install, start, stop, etc.). When the bundle moves through that life cycle, its Java classes have to take part in it as well. So how does OSGi achieve this?

Let us discuss in detail how Java classes participate in the OSGi life cycle in this post.

A plain Java class participates in the OSGi life cycle by being declared as a component.

Declarative Services (DS), implemented by the Service Component Runtime (SCR), is an extender that creates components from an XML descriptor defined in your bundle.

Each component class is described by a component descriptor XML; a reference to the descriptor file is entered in MANIFEST.MF via the Service-Component header.

A sample component XML will look like below example:

<?xml version="1.0" encoding="UTF-8"?>
<component name="sample.component" immediate="true">
  <implementation class="sample.SampleComparator" />
  <property name="service.description" value="Sample Comparator Service" />
  <property name="service.vendor" value="Apache Software Foundation" />
  <service>
    <provide interface="java.util.Comparator" />
  </service>
</component>

Properties in the component XML

name – Uniquely identifies this component and is also used to retrieve optional configuration from the Configuration Admin Service (if available).
immediate – Defines whether the component is instantiated immediately (true) or on demand (false).

implementation.class – The fully qualified name of the class implementing the component. This class must be public and have a public default constructor so that the Service Component Runtime can instantiate it. It is not required to be exported and may well be private to the bundle; in fact, you will generally not export the component implementation class.

property – These elements define configuration properties for the component. They are available through the ComponentContext passed to the component in its activate method (see below).

service – If the component is to be registered as a service, the service names are listed in provide elements inside the service element. These will generally be interfaces and must be visible to other bundles for the service to be usable. In this sample the service is the java.util.Comparator interface, which is always visible.

The developer does not need to write all of this by hand when declaring a component in OSGi.

Bundling tools such as the Maven SCR plugin generate the descriptor automatically.


We just have to annotate the class with @Component (from the Felix SCR annotations).

The properties of the @Component annotation are:

ds
Default: true
Whether the Declarative Services descriptor is generated; by default it is.

specVersion
Default: 1.0
The Declarative Services specification version the descriptor is written for.

metatype
Default: false
Whether Metatype Service data is generated. If set to true, Metatype Service data is generated in the metatype.xml file for this component; otherwise no Metatype Service data is generated. [This we can cover in another post]

enabled
Default: true
SCR descriptor: component.enabled
Whether the component is enabled when the bundle starts.

immediate
Default: — (not set; SCR then treats a component that provides no service as immediate)
SCR descriptor: component.immediate
Whether the component is activated immediately rather than on first use.

Once the bundle is active, Declarative Services takes care of activating the component, resolving its dependencies (DS handles dynamic dependencies) and registering it as a service if it is also annotated with @Service (this post explains it well).

A few more annotations are associated with a component:
@Activate: run something at component activation, mostly initialising objects or obtaining services.
@Deactivate: run something at component deactivation, releasing those objects.

A component on its own is not visible to other bundles: nothing can look it up or call it. To expose it we register it as a service with @Service. (A component can still consume other services itself through @Reference without being registered as one.)

That is all about OSGi components; in the next posts we will discuss OSGi services in detail and how service binding happens.

You may also be interested in:

OSGi Component vs Service

What is OSGi?

Class Loading in OSGI (what? and How?)

Introduction to Sling – CQ5 building block

What is a Bundle in OSGi Framework?


Inner classes in Java – Types (Examples and Explanation)

Java 1.8 Features – Lambda Expressions



It has been quite a while since the release of another version of Java, Java 1.8 (Java SE 8 or JDK 8). I'd like to write a series of posts showcasing the new features of this version. In this post I'll explain lambda expressions, which are totally new to the language (I thought of starting with the headline feature first).

Lambda expressions are a new feature in Java 1.8. They let the developer write a function (method) in a much more compact way.

What is it?

"Lambda" refers to anonymity: a function with no name is called a lambda function.
Let us see the example below in JavaScript:

var total = function(m1, m2) { return m1 + m2; };

Here the function has no name, i.e. it is an anonymous function that calculates the total.

These anonymous functions are called lambda functions or lambda expressions.

They are widely used in all JavaScript frameworks (mostly object-oriented ones) and in languages such as Python and Ruby. The same feature has now been introduced in Java 1.8 with extra capabilities.

Why lambda expressions?

In Java, as per the docs: they enable you to treat functionality as a method argument, or code as data. Lambda expressions let you express instances of single-method interfaces (referred to as functional interfaces) more compactly.

i.e. you can pass a piece of behaviour as an argument to another method,

and single-method anonymous classes can be expressed very easily.

How to use Lambda Expressions?

Syntax of a lambda expression:

(argtype arg, ...) -> { statements; return result; }


() – input parameters
-> – the lambda (arrow) symbol
{} – body that processes the input and returns the result

1. Single-method anonymous class replaced by a lambda:

Example with Runnable:
Ordinary implementation:

Runnable thread = new Runnable() {
    public void run() {
        System.out.println("I am running");
    }
};
new Thread(thread).start();

Lambda implementation:

Runnable newThread = () -> {
    System.out.println("My Runnable");
};
new Thread(newThread).start();
 2. Use for comparison – simplifies sorting:

Collections.sort(names, (s1, s2) -> s1.compareTo(s2));

Here, the comparator itself is

(s1, s2) -> s1.compareTo(s2)

This sorts the names in alphabetical (lexicographic) order.

3. Use with a for-each loop:

names.forEach((String str) -> System.out.println("Name:" + str));

Note: braces are not required when the body is a single expression.

Advantages:
1. Easy to use; minimises the number of lines.
2. Implementing a single-method interface requires less effort.

Disadvantages:
1. There is no inherent runtime benefit: a lambda does not, by itself, make the code run faster.
2. Much of the appeal is shorthand for code that other languages could already express concisely :)

This explains the capabilities of lambda expressions (lambda functions) in Java 1.8. In the next post, let us discuss the other features of JDK 8.



OSGi Component vs Service



OSGi components and OSGi services are the basic building blocks of modular development in the OSGi framework. I have tried to explain these two concepts below.

OSGi component:
A bundle in OSGi has a life cycle in the container. If you want an object to participate in that life cycle, it has to be declared as a component. The life cycle of a component is managed by a component framework such as Declarative Services (DS) or Blueprint (component models). A component is an active participant in the OSGi system. @Component is the annotation used to mark a class as a component.

OSGi service:
Services follow a publish-find-bind model: a service object registers itself in the OSGi service registry and is looked up by other bundles through its interface name.

A component can publish itself as a service with the @Service annotation, which also names the interface through which the service is referred to. Only a registered service can be looked up by others, so a component that should be callable from elsewhere has to be registered as a service; a component that merely consumes other services does not have to be a service itself (it obtains them through @Reference).

Component vs service:

  1. All services are components, but not vice versa: a component need not be a service.
  2. A component has a life cycle but is not visible to other bundles; to be accessed by others it must be registered as a service.





CQ5 is a platform for content-centric web applications. Its technology stack typically contains Sling as the web application framework and JCR (Jackrabbit) as the content repository API.
Sling is a web application framework from the Apache Software Foundation. It processes HTTP requests in a RESTful way and is used to build content-centric applications on top of a JCR. Applications are deployed as OSGi bundles.
Jackrabbit is a Java Content Repository (JCR) implementation, fully compliant with the JCR standard (JSR-170/JSR-283). It treats all content as a tree (parent-child relationships), i.e. a hierarchy of nodes.

[Figure: the stack, with Sling layered over JCR and both layered over the content]

Sling is an OSGi-based scriptable application layer on top of JCR.

CQ5 exposes both APIs. Which is the better one to use? Let's discuss a few scenarios.

1. Getting the page title:

JCR API:

Node page = session.getNode("/content/geometrixx/en/services");
Node jcrContent = page.getNode("jcr:content");            // javax.jcr.Node has no getChild(); use getNode()
Property titleProp = jcrContent.getProperty("jcr:title"); // the page title is stored in jcr:title
String title = titleProp.getString();

Access the page node first, then its jcr:content child, then the Property object, which is finally converted to a String.

Sling API:

Resource r = resolver.getResource("/content/geometrixx/en/services");
Page page = r.adaptTo(Page.class); // null if the resource is not a cq:Page
String title = page.getTitle();

In Sling, the Page is obtained from the resource and getTitle() returns the title of the page.

2. adaptTo mechanism:
Sling comes with an adapter mechanism: one object can be adapted to another. The list of adaptable objects and their adapters is available at http://host-name:port-number/system/console/adapters

3. Exception handling

JCR API:

String property = null;
try {
    property = node.getProperty("myProperty").getString();
} catch (RepositoryException re) {
    log.error("Exception accessing myProperty", re);
}

In JCR, if there is no property called myProperty, getProperty() throws a PathNotFoundException (a RepositoryException). Another possibility is that the property is a string array, in which case getString() throws a ValueFormatException.

Sling API:

ValueMap properties = resource.adaptTo(ValueMap.class);
String property = properties.get("myProperty", String.class);

Here no exception is thrown: if the property is not available, get() returns null (or the default you pass as the second argument), and the value is converted to the requested type where possible.

4. Event handling

JCR API:

class Listener implements javax.jcr.observation.EventListener {
    private Session session; // a long-lived session that must be closed on deactivate()

    protected void activate() throws RepositoryException {
        session.getWorkspace().getObservationManager().addEventListener(
            this,                                      // listener
            Event.NODE_ADDED | Event.PROPERTY_CHANGED, // eventTypes
            "/",                                       // absPath
            true,                                      // isDeep
            null,                                      // uuid
            null,                                      // nodeTypeNames
            true);                                     // noLocal
    }

    public void onEvent(EventIterator events) {
        while (events.hasNext()) {
            Event e = events.nextEvent();
            // ... do your event handling here
        }
    }
}

The listener has to be registered through the ObservationManager of a session, so you carry the overhead of keeping that session open for the lifetime of the listener. Listening on "/" with a privileged session also gives the listener events from the whole repository, which is not advisable: scope the path and the session's permissions to what the listener really needs.

Sling API:

@Component(immediate = true)
@Service(EventHandler.class)
@Property(name = "event.topics", value = "org/apache/sling/api/resource/Resource/*")
class Listener implements EventHandler {

    public void handleEvent(Event event) {
        // handle, e.g. read SlingConstants.PROPERTY_PATH from the event
    }
}

Sling comes with the Sling Eventing framework. The list of event topics is available in the Felix console; you subscribe to a particular topic and start handling its events.

5. Performance:
A lower-level API will generally perform better. JCR accesses the content repository directly, whereas Sling adds RESTful resource resolution on top, which costs some performance.

In conclusion, whenever there is a need to access nodes, prefer the Sling API, and fall back to JCR only when really necessary, for example when measurements show the Sling layer to be the performance bottleneck.

Reference: http://labs.6dglobal.com/blog/2015-04-08/cq-haiku-jcr-vs-sling/ & https://cqdump.wordpress.com/2012/11/13/cq-coding-patterns-sling-vs-jcr-part-2/


How to hide (disable) the sidekick in AEM



The sidekick is the container for all the components that can be used on a particular page, and the place to edit page properties, versioning and page-specific workflows.

It is loaded in the author (edit), preview, analytics, read-only and design modes. If there is a requirement to hide the sidekick on a particular page or in a particular mode, we have the options below.

Option 1: Hide the sidekick in a particular mode
This can be handled in init.jsp, since it is common to all pages. Comment out the scriptlet below:

CQ.WCM.launchSidekick("<%= xssAPI.getValidHref(currentPage.getPath()) %>", {
    propsDialog: "<%= dlgPath == null ? "" : xssAPI.getValidHref(dlgPath) %>",
    locked: <%= currentPage.isLocked() %>
});

Option 2: Hide the sidekick for a particular page or on a particular condition
There are three methods on the sidekick widget:

  1. hide()
  2. disable()
  3. destroy()

hide() keeps the sidekick out of view, disable() loads the sidekick but greys out its options, and destroy() removes the widget itself once it has loaded.

Below is the Ext JS script used to hide the sidekick on a page. The sidekick class is CQ.wcm.Sidekick and its xtype is sidekick.

Once the DOM is loaded (CQ.Ext.onReady), the script checks whether the sidekick is ready (CQ.WCM.isSidekickReady()); if so it is hidden (or disabled, or destroyed).

Otherwise a listener is registered for the sidekickready event (CQ.WCM.on("sidekickready", fn)), and the sidekick is hidden when that fires.
Script 1:
This script is used when the content finder is not enabled.

CQ.Ext.onReady(function() {
    if (CQ.WCM.isSidekickReady()) {
        CQ.WCM.getSidekick().hide();   // .disable() or .destroy() work the same way
    } else {
        CQ.WCM.on("sidekickready", function(sidekick) { sidekick.hide(); });
    }
});

Script 2:
If the content finder is enabled, Script 1 will not work, because the content finder and the page are loaded in separate windows; the sidekick belongs to the top window, so we fetch that first and perform the same action there.

var top = CQ.WCM.getTopWindow();
top.CQ.Ext.onReady(function() {
    if (top.CQ.WCM.isSidekickReady()) {
        top.CQ.WCM.getSidekick().hide();
    } else {
        top.CQ.WCM.on("sidekickready", function(sidekick) { sidekick.hide(); });
    }
});

Instead of hiding, it is better to use destroy(), as this removes the sidekick widget from the page context altogether. Whichever you choose, remember this is a client-side convenience only: it does not remove the underlying editing permissions, which are governed by the repository ACLs.


Dispatcher in AEM – Cache and Load Manager



The Dispatcher acts as a load balancer and web caching layer for AEM instances. It does not reside in an author or publish instance; it is a module installed in a web server (Apache httpd or IIS) and it stores the cached documents in the web server's docroot.

[Figure: document rendering policy chart, showing how the Dispatcher decides between serving from cache and forwarding the request to a render]

The installation instructions are clearly described in the Day (Adobe) documentation.

Web server configuration for the Dispatcher in Apache:


The Dispatcher is configured through a file called dispatcher.any, also known as the farm file. Below are the options available in the farm file.

This is the example farm file from the Day documentation.

Caching properties in the configuration file:

  /cache
    {
    /docroot "/opt/dispatcher/cache"
    /statfile "/tmp/dispatcher-website.stat"
    /allowAuthorized "0"
    /rules      { ... }   # List of files that are cached
    /invalidate { ... }   # List of files that are auto-invalidated
    }

To enable session management (using the /sessionmanagement property), the /allowAuthorized property must be set to "0"; otherwise responses to authenticated requests would be cached and served to other users.

The cache gets refreshed in two scenarios:
1. Content update (a page or one of its related files changes and a flush request invalidates it)
2. Auto-invalidation of pages (the cache entry times out)

Caching rules:
1. The URL must be allowed by the farm's /filter section and match the /rules under /cache.
2. The URL must not contain a query string.
3. The HTTP method has to be GET or HEAD.
4. The URL must have a file extension.
5. The response must be 200 OK.
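An added example, not from the Day/Adobe documentation, of a farm that enforces these rules together with the /filter section they depend on; host names, IP addresses and the form path are assumptions for illustration. The /filter list is evaluated top to bottom with the last matching rule winning, which is why it opens with a deny-all and closes by re-denying the consoles, and /allowedClients restricts who may send cache invalidation requests at all.

```text
/publishfarm
  {
  /virtualhosts { "www.example.com" }
  /renders
    {
    /rend01 { /hostname "10.0.0.10" /port "4503" }
    /rend02 { /hostname "10.0.0.11" /port "4503" }
    }
  /filter
    {
    # Deny everything first, then open only what the site needs
    /0001 { /type "deny"  /glob "*" }
    # Read-only page and asset requests from the public content tree
    /0002 { /type "allow" /method "GET" /url "/content/*" }
    /0003 { /type "allow" /method "GET" /url "/etc/designs/*" }
    # The single form endpoint that is allowed to reach the SlingPostServlet
    # (assumed path; everything else stays POST-denied by rule 0001)
    /0004 { /type "allow" /method "POST" /url "/content/mysite/*/contact.submit.html" }
    # Consoles and repository browsers stay closed whatever matched above
    /0100 { /type "deny" /url "/system/*" }
    /0101 { /type "deny" /url "/crx/*" }
    }
  /cache
    {
    /docroot "/opt/dispatcher/cache"
    /statfile "/tmp/dispatcher-website.stat"
    /allowAuthorized "0"
    /rules
      {
      # Anything the filter let through is cacheable, subject to the five rules above
      /0000 { /type "allow" /glob "*" }
      }
    /invalidate
      {
      /0000 { /type "deny"  /glob "*" }
      /0001 { /type "allow" /glob "*.html" }
      }
    /allowedClients
      {
      # Only the publish instances' flush agents may invalidate the cache
      /0000 { /type "deny"  /glob "*" }
      /0001 { /type "allow" /glob "10.0.0.10" }
      /0002 { /type "allow" /glob "10.0.0.11" }
      }
    }
  }
```

Without the /allowedClients block any client that can reach the web server can send an invalidation request and empty the cache; with it, only the listed render hosts can. The POST rule is deliberately the only allow for a writing method, so a new form needs its own explicit rule rather than a broad "/content/*" POST allow.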

Invalidation is triggered from AEM by a Dispatcher Flush replication agent, which is configured in the Replication Manager.

The load balancing part of the dispatcher configuration:

/renders
  {
  /rend01
    {
    /hostname "localhost"
    /port "4503"
    /timeout "0"
    }
  ## Next instance goes here as /rend02
  }
/statistics
  {
  # The document categories that are used for load balancing estimates
  /categories
    {
    /html { /glob "*.html" }
    /others { /glob "*" }
    }
  }
/stickyConnectionsFor "/myFolder"
# Retry and failover behaviour when an instance returns a 500 or is unreachable
/retryDelay "1"
/numberOfRetries "5"
/unavailablePenalty "1"
/failover "1"

1. https://docs.adobe.com/docs/en/dispatcher/page-invalidate.html
2. https://docs.adobe.com/docs/en/dispatcher/disp-install.html
3. https://docs.adobe.com/docs/en/dispatcher/disp-config.html


SlingPostServlet – AEM building block – Sling Default Servlet



SlingPostServlet is Sling's default servlet for POST requests: unless you explicitly handle a request with your own servlet, this servlet processes every POST that reaches AEM. It performs CRUD (Create, Read, Update and Delete) operations on content nodes according to the options sent in the request, so the path of the request (the Sling resource path) decides which node is affected. Because it acts on whatever path is posted to, it is only as safe as the JCR permissions of the requesting user; on publish instances, POSTs that the site does not need are normally blocked at the dispatcher's /filter rules. The cheatsheet and the Apache documentation are the best materials on using this servlet.


Through an AJAX call or a form submit with method POST, this servlet is called. The operations that can be done with SlingPostServlet are:
  • Content creation
  • Content modification
  • Content deletion
  • Moving content
  • Copying content
  • Null operation
While creating content, there are a few options expressed as @ suffixes on the parameter name. The table below describes them.


Suffix – Usage – Example

@TypeHint – sets the type of the property
  <input type="text" name="width"> <input type="hidden" name="width@TypeHint" value="Long">

@DefaultValue – sets the default value for the property
  <input type="text" name="customer"> <input type="hidden" name="customer@DefaultValue" value="Ram Jack">

@UseDefaultWhenMissing – for cases like an unchecked checkbox, where the parameter is not sent at all; combined with @DefaultValue the default is applied anyway
  <input type="hidden" name="queryIgnoreNoise@UseDefaultWhenMissing" value="true"/>

@IgnoreBlanks – blank values are not stored on the node
  <input type="hidden" name="stringProperty@IgnoreBlanks" value="true"/>

@ValueFrom – takes the value from another request parameter instead of the parameter of this name
  <input type="text" name="supplied_text" /><input type="hidden" name="./text@ValueFrom" value="supplied_text" />

@Delete – removes the named property (or child node, if the name is a path) before the other parameters are applied; the parameter's own value is ignored
  <input type="hidden" name="color@Delete" value="delete text" />

@MoveFrom – moves the value (or node) from the given repository path to this property, removing it at the source
  <input type="hidden" name="image@MoveFrom" value="/tmp/upload/123" />

@CopyFrom – copies the value (or node) from the given repository path to this property, leaving the source in place
  <input type="hidden" name="image@CopyFrom" value="/tmp/upload/123" />

@Patch – adds (+value) or removes (-value) individual entries of a multi-value property instead of replacing it
  <input type="hidden" name="tags@TypeHint" value="String[]" /> <input type="hidden" name="tags@Patch" value="true" />
  <input type="text" name="tags" value="+cool"/> <input type="text" name="tags" value="-boring"/>
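As an added example (not from the original post or from Apache Sling), a small JavaScript builder that turns a plain object into the parameter list the SlingPostServlet expects, applying the @TypeHint, @Patch, @Delete, @DefaultValue, @UseDefaultWhenMissing and @MoveFrom/@CopyFrom suffixes described above. The object shapes it accepts ({ add, remove }, { moveFrom }, { copyFrom }, null) are this example's own convention, not a Sling one; the result is a URLSearchParams body to POST to the resource path, and the CSRF-TOKEN header from the first post is added separately by the caller.

```javascript
// Added example, not from the original post or from Apache Sling. The input
// object shape is this example's convention; the parameter names it emits are
// the SlingPostServlet suffixes from the table above.
function slingPostParams(spec) {
  const params = new URLSearchParams();

  for (const [name, value] of Object.entries(spec)) {
    if (value === null) {
      // color: null  ->  color@Delete=true (removes the property, or a child node if the name is a path)
      params.append(`${name}@Delete`, 'true');
    } else if (Array.isArray(value)) {
      // tags: ['a', 'b']  ->  full replacement of a String[] property
      params.append(`${name}@TypeHint`, 'String[]');
      for (const v of value) params.append(name, String(v));
    } else if (isPlainObject(value) && (value.add || value.remove)) {
      // tags: { add: ['cool'], remove: ['boring'] }  ->  @Patch with +/- entries
      params.append(`${name}@TypeHint`, 'String[]');
      params.append(`${name}@Patch`, 'true');
      for (const v of value.add || []) params.append(name, `+${v}`);
      for (const v of value.remove || []) params.append(name, `-${v}`);
    } else if (isPlainObject(value) && (value.moveFrom || value.copyFrom)) {
      // image: { moveFrom: '/tmp/upload/123' }  ->  image@MoveFrom=/tmp/upload/123
      const suffix = value.moveFrom ? 'MoveFrom' : 'CopyFrom';
      params.append(`${name}@${suffix}`, value.moveFrom || value.copyFrom);
    } else if (typeof value === 'boolean') {
      // An unchecked checkbox sends nothing, so ask the servlet to fall back to
      // "false" when the parameter is missing instead of leaving the old value.
      params.append(`${name}@TypeHint`, 'Boolean');
      params.append(`${name}@DefaultValue`, 'false');
      params.append(`${name}@UseDefaultWhenMissing`, 'true');
      if (value) params.append(name, 'true');
    } else if (typeof value === 'number') {
      params.append(`${name}@TypeHint`, Number.isInteger(value) ? 'Long' : 'Double');
      params.append(name, String(value));
    } else if (value instanceof Date) {
      // ISO 8601 is one of the formats in the servlet's Date Format configuration
      params.append(`${name}@TypeHint`, 'Date');
      params.append(name, value.toISOString());
    } else {
      params.append(name, String(value));
    }
  }
  return params;
}

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v) && !(v instanceof Date);
}

// Usage: body for a POST to /content/mysite/en/services/jcr:content
const body = slingPostParams({
  'jcr:title': 'Services',
  width: 12,
  tags: { add: ['cool'], remove: ['boring'] },
  color: null,
  active: true,
});
console.log(body.toString());
```

The builder keeps the type hints next to the values so a property created by the first POST does not silently change type on the next one; without @TypeHint every parameter lands in the repository as a String.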


The servlet's configuration is found in the system console at [/system/console/configMgr/org.apache.sling.servlets.post.impl.SlingPostServlet].

The first option is the date format. Dates always need special handling when they are stored on nodes, so this option lists the formats, in order of preference, that the servlet tries when parsing a parameter whose @TypeHint is Date.

Next comes Node Name Hint Properties. When creating a node there are two ways to name it:
  1. If the resource path ends in /* or /, the servlet derives the name with its naming algorithm: from the :nameHint request parameter if present, otherwise from the first of the configured hint properties (for example title or jcr:title) that has a value, otherwise a generated name.
  2. Otherwise the last segment of the resource path itself becomes the node name.

Maximum Node Name Length caps the length of a generated node name.

The next three options are related to versioning (check-in of new versionable nodes, automatic check-out before a modification and check-in after it).

Ignored Parameters is a regular expression matching request parameters that the SlingPostServlet skips while processing the request.

As there is a default servlet for POST requests, Sling also contains a default servlet for GET requests, org.apache.sling.servlets.get.DefaultGetServlet, configurable at [/system/console/configMgr/org.apache.sling.servlets.get.DefaultGetServlet].

We can also extend these servlets to customise them to our needs, which simplifies our work further. This is an overview of the SlingPostServlet; in case of any thoughts on this, let us discuss in the comments section.
