December 28, 2020

What is the AEM Apache Sling Referrer Filter OSGI configuration?

AEM “referrer not allowed”

Out of the box, AEM rejects HTTP requests to a running author or publish instance that come from hosts it has not been told to trust. On each request, AEM checks the Referrer header against the referrer filter configuration: if the referring host is on the allow list, AEM fulfils the request; if not, the AEM “referrer not allowed” error message is returned.

Take an example of an AEM application with a servlet at the endpoint “/bin/stores.js”. This endpoint returns an array of store-detail JSON objects. Because the feature is reusable, the endpoint is called in many places throughout the AEM application to render HTML elements on the page with JavaScript. Now suppose a microsite within the same organization, m.site.com (the mobile site), wants to consume “/bin/stores.js” as well.

When the microsite makes an HTTP GET request to “/bin/stores.js”, it receives the AEM “referrer not allowed” error because the referring host (m.site.com) is not allowed; to fix this, m.site.com must be added in the Apache Sling Referrer Filter settings.

What is an “HTTP Referrer header”?
The HTTP Referrer header (sent as “Referer”, with one r, in the actual header name) identifies the address of the web page from which a request originates. The referrer filter uses this value to decide which hosts are allowed to have their HTTP requests fulfilled.

Read More: https://en.wikipedia.org/wiki/HTTP_referer

In the OSGi configuration console in AEM (http://localhost:4502/system/console/configMgr), use the browser’s find function (CTRL + F) to locate “Apache Sling Referrer Filter”. Click on the configuration, and let’s break it down to see which fields control what.

Breaking things down

  • Allow Empty (Boolean): allows requests that carry no Referrer header at all. Only enable this while testing (for example with a REST client), because a client can simply omit the header and so any host can make requests to your AEM application; remember to turn this off in your production environment.
  • Allow Hosts (String[]): hosts allowed to make requests to your AEM instance, given as literal host names (one host per entry, no patterns).
  • Allow Regexp Host (String[]): hosts allowed to make requests to your AEM instance, given as regular expressions that are matched against the referring host.
  • Filter Methods (String[]): the HTTP method(s) whose incoming requests are checked against the allowed hosts before being accepted; methods not listed here are not checked.
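To see how these four fields interact, here is an added example (not code from the post or from Sling itself): a simplified Python model of the filter’s decision, with property keys mirroring the real OSGi properties of the Apache Sling Referrer Filter and m.site.com added to the allowed hosts as in the scenario above. The config values are assumed to follow the Sling filter’s shipped defaults, under which only POST, PUT and DELETE are checked, so a GET is filtered only if GET is added to the methods list.

```python
"""Simplified model of the Apache Sling Referrer Filter decision.

Not the Sling source; the keys below mirror the filter's OSGi properties
(PID org.apache.sling.security.impl.ReferrerFilter). Constructed example.
"""
import re
from urllib.parse import urlsplit

# Constructed config: assumed Sling defaults, plus m.site.com on the allow list.
CONFIG = {
    "allow.empty": False,                           # Allow Empty
    "allow.hosts": ["m.site.com"],                  # Allow Hosts (literal names)
    "allow.hosts.regexp": [r"[a-z]+\.site\.com"],   # Allow Regexp Host
    "filter.methods": ["POST", "PUT", "DELETE"],    # Filter Methods
}


def referrer_allowed(method, server_name, referer, config=CONFIG):
    """Return True if the filter lets the request through.

    method:      HTTP method of the incoming request
    server_name: host the request was addressed to (its Host header)
    referer:     value of the Referer header, or None when absent
    """
    # Methods not listed in Filter Methods are never checked.
    if method.upper() not in config["filter.methods"]:
        return True
    # Missing or blank referrer: decided purely by Allow Empty.
    if referer is None or not referer.strip():
        return config["allow.empty"]
    # A relative referrer (no scheme) can only come from this server.
    if "://" not in referer:
        return True
    host = urlsplit(referer).hostname
    if host is None:
        return False
    # Same-host requests are always accepted.
    if host == server_name:
        return True
    # Literal allow list, then the regex list (full-host match).
    if host in config["allow.hosts"]:
        return True
    return any(re.fullmatch(p, host) for p in config["allow.hosts.regexp"])
```

Swapping in `{**CONFIG, "filter.methods": ["GET", "POST"]}` reproduces the page’s scenario, where a GET from an unlisted host is rejected until that host is added.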


By aem4beginner
