Register AEM servlet with paths

Binding a servlet with `sling.servlet.paths` means every allowed path has to be declared explicitly (the Sling Servlet Resolver only honours paths on its execution-paths allow list), and a path-bound servlet is reachable by any consumer who can hit the URL, so it becomes a vulnerability if it is not managed carefully. Further paths can be added over time, each one potentially exposing more of the application, and consumers that depend on the servlet response are affected whenever a path changes.

» CognitoConfigServlet.java

package com.flagtick.core.servlets;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.flagtick.core.services.PromisIntegrationService;
import com.flagtick.core.utils.Constants;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

import javax.servlet.Servlet;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import static java.net.HttpURLConnection.HTTP_OK;
import static java.net.HttpURLConnection.HTTP_UNAVAILABLE;

@Component(
        name = CognitoConfigServlet.SERVLET_SERVICE_DESCRIPTION,
        immediate = true,
        service = Servlet.class,
        property = {"sling.servlet.methods=GET", "sling.servlet.paths=/bin/cognito/config"})
public class CognitoConfigServlet extends SlingAllMethodsServlet {
    public static final String SERVLET_SERVICE_DESCRIPTION = "=FLAGTICK - Cognito Configuration";
    @Reference
    private transient PromisIntegrationService flagtickIntegrationService;

    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response) throws IOException {
        if (flagtickIntegrationService == null) {
            response.setStatus(HTTP_UNAVAILABLE);
            response.getWriter().write("Service unavailable");
            return;
        }

        response.setContentType("application/json");
        response.setCharacterEncoding("utf-8");
        response.setStatus(HTTP_OK);

        ObjectMapper objectMapper = new ObjectMapper();

        Map<String, Object> cognitoResponse = new HashMap<>();
        cognitoResponse.put("region", flagtickIntegrationService.getCognitoRegion());
        cognitoResponse.put("userPoolId", flagtickIntegrationService.getCognitoUserPoolId());
        cognitoResponse.put("clientId", flagtickIntegrationService.getCognitoClientId());
        objectMapper.writeValue(response.getWriter(), cognitoResponse);
    }
}

Note: In contrast, a servlet bound by `sling.servlet.resourceTypes` is dispatched through Sling resource resolution, so the requesting user's permissions are enforced by the Sling Engine: a consumer who cannot read the resource the URL resolves to cannot invoke the servlet.

The AEM Publish Dispatcher filter configuration specifies the URL patterns that are allowed through to AEM, so it must include the servlet path (`/bin/cognito/config` here) for the servlet to be reachable on the AEM publish instance.

» dispatcher/src/conf.dispatcher.d/filters/filters.any

/0xxx { /type "allow" /url "/bin/cognito/config" }

Let us rebuild the AEM core module after making adjustments to the Java files.

mvn clean install -PautoInstallBundle

Additionally, you can execute the command `mvn clean install -PautoInstallSinglePackagePublish` to build and deploy to the AEM publish instance running on port 4503.
