Friday, March 15, 2024

Responsive Authoring Issue in AEM as a Cloud

 


While migrating our websites from AMS (AEM 6.5) to AEM as a Cloud, we noticed that responsive authoring for certain Editable templates wasn’t functioning as expected. Interestingly, these same templates were working flawlessly in the AMS environment.

Breakpoint selection in the editor was also not working correctly. Neither problem was present in the AMS (6.5) environment, where both responsive authoring and breakpoint selection worked as expected.

After analysis, the root cause is a logic difference between AEM 6.5 and AEM as a Cloud Service in the responsive authoring code of /libs/cq/gui/components/authoring/editors/clientlibs/core.lc-0e2523ebda58d68c5bc85efa684b50e6-lc.min.js (the hash may differ if additional changes were introduced).

In AEM 6.5, the check is whether the configured breakpoint width is greater than or equal to the device width:

if (cfg[bp].width >= deviceWidth)

The full function, de-minified for readability:

getDeviceBreakpoint: function (deviceWidth) {
    var cfg = this.getBreakpoints(), closestBp;
    for (var bp in cfg) {
        // keep the narrowest breakpoint that is at least as wide as the device
        if (cfg[bp].width >= deviceWidth && (!closestBp || cfg[bp].width <= cfg[closestBp].width)) {
            closestBp = bp;
        }
    }
    return closestBp;
}

In AEM as a Cloud Service, the check is whether the configured breakpoint width is strictly greater than the device width. This can lead to the selection of an incorrect breakpoint: changes that should apply to the actual breakpoint, like small, end up being applied to a different one, such as medium.

if (cfg[bp].width > deviceWidth)

The full function, de-minified for readability:

getDeviceBreakpoint: function (deviceWidth) {
    var cfg = this.getBreakpoints(), closestBp;
    for (var bp in cfg) {
        // a breakpoint whose width equals the device width no longer matches
        if (cfg[bp].width > deviceWidth && (!closestBp || cfg[bp].width <= cfg[closestBp].width)) {
            closestBp = bp;
        }
    }
    return closestBp;
}

To address the issue, set the emulator widths in the responsive configuration to one less than the standard breakpoint value (standard breakpoint value - 1), while keeping the breakpoint widths in the editable template structure's responsive configuration at the standard breakpoint value.

For instance, in the configuration of the emulator for a large breakpoint: /apps/<Project>/emulators/bootstrap/large/cq:emulatorConfig, (width:1199)

In the responsive configuration of the template structure for the large breakpoint (for easier management, enable these configurations through the template type): /conf/<project>/settings/wcm/templates/<template>/structure/jcr:content/cq:responsive/breakpoints/large (width:1200)
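To see the effect of the changed comparison, here is an added example (not AEM's own code) that reimplements the quoted getDeviceBreakpoint logic with the comparison made switchable and runs it against a constructed set of template breakpoints and emulator widths; the large values (1200 and 1199) are from the post, the small and medium values are assumed Bootstrap-style widths.

```javascript
// Added example, not AEM's own code: reimplements the getDeviceBreakpoint
// logic quoted above with the comparison made switchable, so the AEM 6.5
// (">=") and AEM as a Cloud Service (">") behaviour can be compared.
function getDeviceBreakpoint(cfg, deviceWidth, strict) {
  let closestBp;
  for (const bp in cfg) {
    // 6.5 keeps a breakpoint whose width equals the device width; Cloud does not.
    const fits = strict ? cfg[bp].width > deviceWidth : cfg[bp].width >= deviceWidth;
    if (fits && (!closestBp || cfg[bp].width <= cfg[closestBp].width)) {
      closestBp = bp;
    }
  }
  return closestBp;
}

// Constructed template structure breakpoints (cq:responsive/breakpoints).
// large = 1200 is the value from the post; small and medium are assumed.
const templateBreakpoints = {
  small: { width: 768 },
  medium: { width: 992 },
  large: { width: 1200 },
};

// Emulator widths (cq:emulatorConfig). The first set is what a configuration
// migrated unchanged from 6.5 looks like (emulator width == breakpoint width);
// the second applies the post's fix (standard breakpoint value - 1).
const emulatorsUnchanged = { small: 768, medium: 992, large: 1200 };
const emulatorsFixed = { small: 767, medium: 991, large: 1199 };

// Resolve every emulator to the breakpoint the editor would select.
function resolveAll(emulators, strict) {
  const resolved = {};
  for (const name in emulators) {
    resolved[name] =
      getDeviceBreakpoint(templateBreakpoints, emulators[name], strict) || 'none';
  }
  return resolved;
}

// True when every emulator maps to the breakpoint of the same name.
function allMatch(resolved) {
  return Object.keys(resolved).every((name) => resolved[name] === name);
}

console.log('6.5 (>=), unchanged emulators  :', resolveAll(emulatorsUnchanged, false));
console.log('Cloud (>), unchanged emulators :', resolveAll(emulatorsUnchanged, true));
console.log('Cloud (>), emulators at value-1:', resolveAll(emulatorsFixed, true));
```

With the unchanged emulator widths on Cloud, the small emulator resolves to medium and the large emulator resolves to no breakpoint at all; with the widths reduced by one, every emulator resolves correctly under both comparisons.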

You can examine the emulator and responsive configuration of a page using the PageInfo servlet — For example, https://aemhost/libs/wcm/core/content/pageinfo.json?path=%2Fcontent%2Ftest%2Fus%2Fen%2Ftest-page

Now, you can start editing the page to make it work well on different devices.



Friday, February 9, 2024

Exploring Security Features in Adobe Experience Manager for Cloud Environments

In this post, let us explore some of the security-related setups and configurations available on the AEM as a Cloud Service platform to protect the platform.

Traffic Filter Rules:

Traffic filter rules can be used to block or allow requests at the CDN layer (Fastly). These traffic filter rules are available to all AEM as Cloud Service Sites and Forms customers OOTB.

The traffic filter rules can be used for multiple scenarios.

  • Rate limit requests based on client IP addresses.
  • Block traffic based on IP addresses, request path, query string, method, domain, reqHeader, reqCookie, postParam, etc.
  • Block traffic from specific countries.

The traffic rules can be targeted to the Author or Publish tier or both together. You can also apply various operations — like equals, doesNotEquals, in, matches, etc. The CDN responds with a 406 return code if a rule is matched and blocked.

The traffic rules are managed in a YAML file and deployed separately from the code through the Cloud Manager Config pipeline to non-prod and prod environments. Create one YAML file (cdn.yaml) for the Dev environments and another for the Stage/Prod environments, in separate folders, e.g., Config-Dev/cdn.yaml and Config-Prod/cdn.yaml. The config files can be kept in a separate repository or within the Dispatcher module repository. Then create a config pipeline for dev and another for stage/prod, each pointing to the corresponding config folder along with the repository, branch and other settings.

For more details, refer to these documents: Traffic Filter Rules including WAF Rules | Adobe Experience Manager, and Examples and result analysis of Traffic Filter rules including WAF rules | Adobe Experience Manager (mktossl.com)

WAF (Web Application Firewall):

A WAF helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as DDoS, cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection. Deploying a WAF in front of a web application places a shield between the application and the Internet. The WAF operates through a set of rules that aim to protect against vulnerabilities in the application by filtering out malicious traffic.

The WAF rules/flags, e.g., XSS, SQLI, LOG4J-JNDI, can be enabled along with the other traffic filter rules explained above. The WAF rules can be enabled through the same cdn.yaml file and the Config pipeline.

The WAF traffic filter rules require either an Enhanced Security license or a WAF-DDoS Protection license.

For more details, refer to this document — Traffic Filter Rules including WAF Rules | Adobe Experience Manager.

Mod_Security:

ModSecurity is an Apache module that helps protect your website from various attacks. It acts as a Web Application Firewall (WAF) that filters and blocks known malicious HTTP requests. Blocked HTTP requests include many, but not all, forms of brute force, Cross-Site Scripting (XSS), Remote File Inclusion (RFI), remote execution, and SQL injection (SQLi) attacks. The ModSecurity module is enabled by default on the AEM as a Cloud Service Dispatcher (Apache), but the rules and configurations it applies can be enabled based on your needs.

For more details, refer to this document — Use ModSecurity to protect your AEM site from DoS Attack | Adobe Experience Manager (mktossl.com)

IP Allow List:

IP allowlisting is a way of giving trusted individuals access to the business network. With an IP allow list, the network administrator can allow specific IP addresses to access your files, applications, and software remotely.

AEM as a cloud service is, by default, accessible via the internet. While security is handled through user authentication and authorization, IP allow-listing is a way to limit access only to trusted IP addresses. Cloud Manager’s IP allowlists can be used to limit and control access only to such trusted IP addresses.

Cloud Manager users with appropriate permissions can create allowlists of trusted IP addresses from which their site's users can access their AEM domains. An IP allowlist is a named set of IP addresses or IP CIDR blocks that can be applied and unapplied, as a unit, multiple times to the Author and/or Publish service of an environment. For instance, this is helpful if you wish to allow access to your Author environment from your company's network, VPN, or VDI but block external access.

For more details, refer to these documents: Adding IP Allow Lists | Adobe Experience Manager, and Applying and Un-Applying IP Allow Lists | Adobe Experience Manager

The CDN uses the IP allowlists defined in Cloud Manager to block incoming requests for a specific environment and tier. The IP allowlists defined in Cloud Manager take precedence over Traffic Filter Rules.

Advanced Networking:

AEM as a Cloud Service provides advanced networking features that allow for precise management of connections to and from AEM as a Cloud Service program.

AEM as a Cloud supports various networking configurations, including — Flexible Port egress, Dedicated egress IP address, and VPN.

Virtual Private Network (VPN) allows an AEM as a Cloud Service customer to connect the AEM environments within a Cloud Manager Program to an existing, supported VPN. This allows secure and controlled connections between AEM as a Cloud Service and services within the customer’s network.

Flexible port egress allows for custom, specific port forwarding rules to be attached to AEM as a Cloud Service, allowing connections from AEM to external services to be made.

The dedicated egress IP address allows requests from AEM as a Cloud Service to use a dedicated IP address, allowing the external services to filter incoming requests by this IP address.

For more details, refer to these documents: Advanced networking | Adobe Experience Manager, and Demystifying Dedicated Egress IPs in AEM Cloud Services | by Albin Issac | Tech Learnings | Dec, 2023 | Medium

Dispatcher Filters:

The request can also be restricted at the dispatcher layer by the /filter section to specify the HTTP requests the Dispatcher accepts. All other requests are sent back to the web server with a 404 error code (page not found). If no /filter section exists, all requests are accepted.

The /filter section consists of a series of rules that either deny or allow access to content according to patterns in the request-line part of the HTTP request. Use an allowlist strategy for your /filter section:

  • First, deny access to everything.
  • Allow access to content as needed.

For example:

/filter {
    /0001 { /glob "*" /type "deny" }
    /0002 { /type "allow" /method "POST" /url "/content/[.]*.form.html" }
}

For more details, refer to this document — Configuring Dispatcher | Adobe Experience Manager

HIPAA (Health Insurance Portability and Accountability Act) Compliance:

HIPAA compliance ensures the protection and confidential handling of patient health information, adhering to strict standards set by the Health Insurance Portability and Accountability Act.

Adobe provides healthcare customers with services that are ready to accept PHI, referring to these services as HIPAA-Ready Services. These HIPAA-Ready Services have additional features and functionalities that allow both customers, Covered Entities or Business Associates, and Adobe to comply with their respective HIPAA obligations.

Adobe Experience Manager (AEM) as a Cloud Service is part of the HIPAA-Ready Services provided by Adobe.

Additional licensing is required to enable the HIPAA-Ready Service for AEM as a Cloud Service.

For more details, refer to this document — HIPAA Ready (adobe.com)

Mutual Transport Layer Security (mTLS) authentication from AEM:

AEM supports integrating with the external APIs that require mTLS authentication. The mTLS or two-way TLS authentication enhances the security of the TLS protocol by requiring both the client and the server to authenticate each other. This authentication is done by using digital certificates. It is commonly used in scenarios where strong security and identity verification are critical.

For more details, refer to this document — Mutual Transport Layer Security (mTLS) authentication from AEM | Adobe Experience Manager (mktossl.com)

Server-to-server Token-Based Authentication:

AEM's Developer Console grants access to Service Credentials, which are production-ready service-to-service access tokens that let external applications, systems, and services interact with AEM Author or Publish services programmatically over HTTP. Also, developers building integrations that require programmatic access to AEM as a Cloud Service need a simple, quick way to obtain temporary access tokens for local development. To satisfy this need, AEM's Developer Console allows developers to self-generate temporary Local Development Access Tokens that can be used to access AEM programmatically.

For more details, refer to these documents: Service credentials | Adobe Experience Manager (mktossl.com), and Local Development Access Token | Adobe Experience Manager (mktossl.com)

Data encryption:

All data in transit between AEM as a Cloud Service and external components is carried over secure, encrypted connections using TLS 1.2 or greater. The cloud service provider encrypts all data at rest.

AEM as a Cloud Service also has a FIPS-approved crypto library and support for encryption keys to encrypt all the critical data present in the cloud repository.

For more details, refer to this document — aem-cloud-service-security-overview.pdf (adobe.com)

OAuth2 Support for the Mail Service:

AEM as a Cloud Service offers OAuth2 support for its integrated Mail Service, allowing organizations to adhere to secure email requirements.

For more details, refer to this document — OAuth2 Support for the Mail Service | Adobe Experience Manager

Secret Variable Management through Cloud Manager:

In AEM as a Cloud Service, environment-specific configurations can be enabled using Cloud Manager environment variables. Two value types are supported: secret values and standard variables. Secret values are centrally managed through the Cloud Manager UI rather than in the code base, which improves security; the secret variables can be referenced from OSGi services, Java code, etc.

For more details, refer to this document — Support Custom Run Modes in AEM as a Cloud | Environment Specific Variables in AEM as a Cloud | by Albin Issac | Tech Learnings | Medium

Network security:

The AEM as a Cloud Service security model includes tenant and node-level isolation for all services. Each AEM as a Cloud Service tenant exists within its own isolated namespaces, including its own networking policies, computing, and storage.

Reference — aem-cloud-service-security-overview.pdf (adobe.com)

IAM integration:

AEM as a Cloud Service integrates Adobe Identity Management Service (IMS) for user verification. Various other Adobe products, including the Adobe Admin Console, also utilize this IMS authentication method. For AEM Authors in AEM as a cloud service, Adobe IMS authentication is activated, a change from previous AEM versions where identity and access management (IAM) settings had to be implemented individually on each AEM author server. With AEM in the cloud, single sign-on (SSO) configurations for AEM Authors and user and group management are centrally handled through the Adobe Admin Console using Adobe IMS.

For more details, refer to this document — AEM as a Cloud: IMS based SSO Authentication for Authors | by Albin Issac | Tech Learnings | Dec, 2023 | Medium

Also, the IAM system can be integrated with the publishers to enable an authenticated experience for the users who visit AEM websites.

For more details, refer to these documents:

  • Enable User Authentication for AEM Websites — Azure AD B2C OAuth 2.0 | by Albin Issac | Tech Learnings | Medium
  • Enable User Authentication for AEM Websites — Azure AD B2C | SAML Application with Azure AD B2C | by Albin Issac | Tech Learnings | Medium
  • Social Login with Google OAuth2 — Adobe Experience Manager (AEM) | by Albin Issac | Tech Learnings | Medium
  • Social Login with LinkedIn — Adobe Experience Manager (AEM) | by Albin Issac | Tech Learnings | Medium

Security Headers:

Security headers are HTTP response headers that define whether a set of security precautions should be activated or deactivated on the web browser. The security headers can be enabled through the Dispatcher (Apache) layer; if required, some of the security headers can also be enabled directly on the AEM publisher.

For more details, refer to this document — Adobe Experience Manager(AEM): HTTP Security Headers for Websites | by Albin Issac | Medium

Protect against Cross-Site Scripting (XSS)

Cross-site scripting (XSS) allows attackers to inject code into web pages viewed by other users. Malicious web users can exploit this security vulnerability to bypass access controls.

AEM applies the principle of filtering all user-supplied content upon output. Preventing XSS is given the highest priority during both development and testing.

The XSS protection mechanism provided by AEM is based on the AntiSamy Java™ Library provided by OWASP (The Open Web Application Security Project). The default AntiSamy configuration can be found at

/libs/cq/xssprotection/config.xml

It is important that you adapt this configuration to your own security needs by overlaying the configuration file. The official AntiSamy documentation provides you with all the information you need to implement your security requirements.

Reference — How to Protect AEM Websites from Cross-Site Scripting(XSS) (youtube.com)

Protect against Cross-Site Request Forgery Attacks

Cross-site request forgery (CSRF) is a web vulnerability that lets a malicious hacker trick the victim into submitting a request that allows the attacker to perform state-changing actions on behalf of the victim.

AEM uses CSRF tokens and the Sling Referrer Filter; the Referrer Filter controls which third-party hosts are allowed to send modifying requests to AEM, which protects the websites from CSRF attacks.

For more details, refer to these documents: CSRF protection | Adobe Experience Manager, and Referrer Filter configuration with AEM Headless | Adobe Experience Manager

In summary, security is essential for any platform or website. It is imperative that every platform implements the necessary measures to safeguard both the platform and user data. AEM as a Cloud Service offers multiple layers of security configurations to protect the platform, and these configurations can be enabled as needed.



Saturday, January 6, 2024

Amazon Q: Generative AI Assistant- Connect to Websites and AEM CMS Data

Amazon Q is a generative artificial intelligence (AI) powered assistant, designed for work and tailored to your business needs. With Amazon Q, you can engage in conversations, solve problems, generate content, gain insights, and take action by connecting to your company's information repositories, code, data, and enterprise systems.

You can develop a chat application that connects to various company-specific data sources and websites, enabling it to perform a range of operations such as providing relevant answers, generating content, summarizing information, and more.

Amazon Q is currently in preview. For more details on Amazon Q, please refer to the official announcement at AWS Blog: Introducing Amazon Q — A New Generative AI-Powered Assistant (Preview).

In this blog, we will explore how to integrate Amazon Q with websites and the AEM CMS system, enabling various generative capabilities tailored to specific content.

Amazon Q supports various data sources including Amazon S3, Web Crawlers, Uploaded Files, GitHub, Gmail, Microsoft Teams, SharePoint, Slack, and more.

Access to the Amazon Q preview is available through https://us-east-1.console.aws.amazon.com/amazonq/home?region=us-east-1#welcome

As a first step, create an Amazon Q application: enter an application name, then either create a new service role or use an existing service role.

Select the retriever: Choose the ‘Native Retriever’ to index the source content directly. If you are already using Amazon Kendra Search, use the ‘Existing Retriever’. In our case, select ‘Native’ as we are directly going to index content from a website and AEM content natively.

Now select the data source; first, select Web Crawler.

Enter a name for the data source and select the source type. You have the option to provide direct URLs or a Sitemap. I am opting for a Sitemap, and you can add up to 3 sitemaps if necessary.

You can add various additional configurations if required:

  • Web Proxy and Authentication
  • Sync Scope
  • Additional Scope Settings (modify the values if required)
  • Control the URL patterns for the crawl and index
  • Sync Mode

For the demo, I am using the ‘Run on Demand’ feature for the Sync Run Schedule. Additionally, custom scheduler expressions can be set up using the ‘Custom’ option.

Once the data source is created, you have the option to synchronize it immediately by selecting ‘Sync Now’. This action initiates the crawling and indexing processes.

You now have the ability to preview and tailor the chat box experience according to your specific needs.

Once the indexing is complete, you can begin interacting with the assistant using prompts.

You should be able to locate sources based on the responses generated.

You also have the option to upload a limited number of additional files specific to this chat session, enabling you to execute a variety of prompts based on your website content.

Additionally, you can incorporate optional enhancements into the application, including admin controls and guardrails, plugins, and document enrichments.

The following plugins are available, each designed to perform specific actions.

Let’s proceed to create an additional data source. This will connect to the AEM Author for indexing content and assets. Begin by adding a new datasource and then selecting ‘Adobe Experience Manager’.

You can connect to either AEM as a Cloud Service or to AEM On-Premise Author servers. For this demonstration, I am connecting to an on-premise server. If you choose to connect with an On-Premise server, you will need to download the public SSL certificate of the AEM author domain and upload it to an S3 bucket. In my case, I am using an ngrok domain to access the AEM server, and the public certificate can be directly exported from the browser.

Authorization

If authorization is enabled, you will have the option to enable or disable the Identity Crawler setting. Once the Identity Crawler is active, Amazon Q leverages the crawled ACL information to generate chat responses for your end users. Importantly, these responses are tailored based on the documents the user has access to; the chatbot responds to prompts solely in the context of the documents available to the user.

Basic authentication or OAuth can be utilized. For using OAuth authentication (Technical Account) with AEM as a Cloud Service, please refer to Adobe’s guide on generating access tokens for server-side APIs. It is essential that the user possesses administrator access. Additionally, you will need to create a new secret in AWS Secrets Manager to configure the details for basic or OAuth authentication. The configuration details will vary depending on the selected authentication method.

You can define the sync scope as shown in the below diagram

The crawling process can be limited to specific page component names

Additionally, you have the option to target specific content fragment variations, as indicated in the below diagram

For the demonstration, I am restricting the crawling to a specific content root path, limiting it to ‘/content/we-retail/us/en’.

You can also establish include or exclude regex patterns.

Some of the remaining configurations are similar to those used in a web crawler. Once the data source is created, you can proceed with syncing the content.

Once the crawling and indexing processes are completed, you can begin interacting with the content through prompts.

Sample Prompt: ‘Provide a summary of Arctic Surfing in Lofoten.’ Following this prompt, a concise summary will be displayed, accompanied by a source reference to the AEM page.

Once the application is built and tested, it can be deployed, and the URL can be shared with the teams.

When deploying the application, you need to configure the identity provider to support SAML authentication.

Enable the SAML configuration in your Identity Provider (IDP) using the provided details and upload the corresponding metadata file.

Configure the email and group (optional) attributes of the SAML assertion.

Once the deployment is completed, you can access the chatbox URL and share it with your teams. To access the chatbox, you must authenticate with your Identity Provider (IDP).

For demonstration purposes, I have created two users in Adobe Experience Manager (AEM) with valid email addresses. These same users have been enabled in the IDP. However, one of these users does not have access to the '/content/we-retail/us/en' directory (you need to resync for any permission or content changes).

When the user logs into the chatbox using an email that has access to specific content, the chatbox will respond with the required details.

Prompt — “Provide summary on Arctic Surfing in Lofoten”

When the user logs into the chatbox using an email that does not have access to the specific content, the chatbox will not provide a response.

Prompt — “Provide summary on Arctic Surfing in Lofoten”

In conclusion, Amazon Q represents a significant advancement in the realm of Generative AI Assistants, offering seamless integration with different sources including websites and Adobe Experience Manager (AEM) CMS data. By enabling authorization and configuring the Identity Provider for SAML authentication, users can unlock personalized and secure interactions based on the user’s access rights.