Page level selectors validation to prevent DoS Attacks

Posted on Friday, May 17, 2013 By

In the Adobe CQ security checklist located at, Denial of Service (DoS) attack prevention was briefly touched on. In this blog post I am going to give an example of how to best handle selector validation at the CQ page level.

As mentioned in the security checklist, one of the most commonly seen Denial of Service attacks targeting CQ is requesting the same content page through an unlimited number of URL variations (arbitrary selectors). Without selector validation, each of these page requests is usually cached as a separate file, causing the disks to fill up very quickly and bringing down the service.

Remember the Apache Sling script resolution? A script may have the following form (see


Imagine I have a valid CQ page test.html, here are the few variations I can have for the same page:

All of these would be served as valid pages (if the selectors are not checked) and would be cached in the cache layer if it is configured to do so.

The best way to prevent the above is to validate the selectors at the page level. The Sling API, specifically RequestPathInfo, provides the getSelectors() method to get all the selectors from the requested URL. If you are not expecting any selectors to be passed to your CQ page, you should make sure that slingRequest.getRequestPathInfo().getSelectors() yields an empty array. Otherwise, you should do a very strict comparison of the selectors array with what you’re expecting.

If there are any unexpected selectors, you may choose to return a 404 (Not Found) or another error status code so that the page does not get cached.
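A small guard that implements the check described above, written as an added example (not code from the original post): the selector array from RequestPathInfo is compared strictly against an allow-list, repeated selectors are rejected too, and anything unexpected gets a 404 so the dispatcher never caches it. The class name, the allow-list and the JSP usage in the comment are assumptions; slingRequest and slingResponse are the objects cq:defineObjects provides in a CQ JSP.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;

public final class SelectorGuard {
    private SelectorGuard() {}

    /**
     * Strict comparison of the requested selectors against the ones the page expects.
     * No selectors at all is accepted; otherwise every selector must be on the allow-list
     * and may appear only once, so "page.a.a.a.a.html" is rejected even when "a" is allowed.
     */
    public static boolean selectorsAllowed(String[] requested, Set<String> allowed) {
        if (requested == null || requested.length == 0) {
            return true;                       // plain page.html
        }
        if (requested.length > allowed.size()) {
            return false;                      // more selectors than we could ever expect
        }
        Set<String> seen = new HashSet<String>();
        for (String selector : requested) {
            if (!allowed.contains(selector) || !seen.add(selector)) {
                return false;                  // unknown or repeated selector
            }
        }
        return true;
    }

    /**
     * Returns true when rendering may continue. Otherwise sends 404 (Not Found),
     * which keeps the response out of the dispatcher cache.
     * JSP usage (assumed): <% if (!SelectorGuard.enforce(slingRequest, slingResponse, NO_SELECTORS)) return; %>
     */
    public static boolean enforce(SlingHttpServletRequest request, SlingHttpServletResponse response,
                                  Set<String> allowed) throws IOException {
        String[] selectors = request.getRequestPathInfo().getSelectors();
        if (selectorsAllowed(selectors, allowed)) {
            return true;
        }
        response.sendError(HttpServletResponse.SC_NOT_FOUND);
        return false;
    }

    /** Allow-list for a page that takes no selectors; a page with a "print" variant would use a singleton set. */
    public static final Set<String> NO_SELECTORS = Collections.emptySet();
}
```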


Note that the above would only prevent invalid requests from being cached. These requests, although not cached, would still be routed all the way to the CQ servers (another means of DoS attack is to generate a massive number of requests to a targeted server). So another highly recommended line of defense is to set up very strict dispatcher filter rules so that invalid requests do not generate any traffic to the CQ servers.


9:31 PM Permalink

CQ 5.6 Out Of The Box Workflow Processes, and what they do/can be used for.

Posted on Monday, May 13, 2013 By

I will try to cover all the OOTB workflow processes available in CQ 5.6. The processes in red below are the ones I will add some explanations to as and when I find time.

  • Collaboration Workflow
    • Approve Comment – This process is to approve a comment posted on the site automatically. It will only approve the comment if you have the “Approve” box checked on the Arguments tab of the wf process dialog. The script used by the process is located under
      • /etc/workflow/scripts/social/set_approved.ecma.
    • Approve Comment Step – This process is to send a notification to a user or group to approve a comment. You have the option to choose the User/Group on the dialog and also an option to send an email.
    • Blog Search Ping – This process submits a blog post to various blog search engines. It uses the BlogSearchPingService for the post. Look at the “Day CQ Social Collaboration Blog Search Engine Ping” class’ configuration in the Felix Console. There are no arguments available for this process.
    • Calendar Subscription – This process can be used to either subscribe or unsubscribe to a calendar. It will either subscribe or unsubscribe the calendar component given as the “target”  property in the workflow metadata to the event or calendar (payload). You can choose whether you want the process to do a subscription or an un-subscription from the process arguments.
    • Check Blog Spam – This process checks a comment for spam. OOTB it uses the Akismet service; you need to enter a valid key and registered URL for the spam service in the Day CQ Antispam configuration.
    • Check Journal Spam – Same as the Check Blog Spam process above, uses the Akismet service.
    • Flush (Replicate) Page – A process to flush (replicate) a page for a given replication agent; the argument should be like “agent:flush” for the dispatcher flush agent. It uses the script “/etc/workflow/scripts/social/flush_page.ecma”.
    • Forum Subscription – Process to subscribe and unsubscribe from a forum.  Subscribes or unsubscribes the given user in the metadata to the payload forum topic. This process is used in conjunction with the User State Toggle Button feature. You can choose the “Subscribe” or “Unsubscribe” argument. Subscribe is the default.
    • Journal Search Ping – Same as the Blog Search Ping process above.
    • QnA Subscription – Same as the Forum/Calendar Subscription process above.
    • Send Email – Sends an email based on an email template. You can either point to a template or put the template in a text area of the Arguments tab of the process. The Day CQ Mail Service must be configured for this to work.
  • DAM Workflow
    • Command Line – A process to execute multiple command line programs (imagemagick for example). Mime type, Commands and Thumbnails are the arguments that can be passed to the process. This is documented pretty well on the process dialog itself.
    • Create Sub Asset – This process will fragment an asset in its subassets. Sub assets are assets stored under another asset, as a result of splitting up the asset in fragments during its import, e.g. the single pages of a multi-page PDF file.
    • Create Thumbnail – This process will create one or more thumbnails for the asset to be processed. This is pretty self explanatory.
    • Create Video Storyboard – A process to create a video storyboard. Workflow process that calls FFMPEG on the command line to create a storyboard of a video. A storyboard consists of several key frames extracted from the video. The key frames will be stored as subassets of the video asset. Also, a merged film strip of the key frames will be stored as a storyboard rendition of the video asset. Frame Count, Start, Maximum Width, Maximum Height, Upscale and Frames are the arguments. Examples:
      • Create 10 frames, starting with the first at 12 seconds into the movie: frames:10,start:12
      • Create 10 frames, each 100 x 80 px, upscaled: frames:10,maxWidth:100,maxHeight:80,upScale:true
      • Create 5 frames, each at a defined position, each 100 x 80 px, upscaled: maxWidth:100,maxHeight:80,[00:05:00],[00:10:00],[00:15:00],[00:20:00],[00:25:00]
    • Create Video Thumbnails – Workflow process that calls FFMPEG on the command line to create thumbnails of the video. You can specify the dimensions of the thumbnails to be created. For example, the workflow step arguments count:3,index:1,start:10,[140×100],[48×48] will create thumbnails of size 140×100 and 48×48 with a black letterbox/pillarbox, only for assets having a video-based mime type.
    • Create Web Enabled Image – This one is pretty well explained on the process dialog itself.
    • Delete Asset – Self Explanatory.
    • Delete DAM Asset – The process will delete the file in /var/dam when the asset in the /content/dam location gets deleted. Deletes an Item for the Payload under the following condition: the Payload’s relative path to a given source root exists in a given destination branch. If the Payload points to /content/dam/geometrixx/buildings, the Process checks if an Item exists at /var/dam/geometrixx/buildings. If there is an Item and this Item is not involved in a Workflow, it will be deleted. This assumes the source and destination arguments were set to match the example.
    • Extract Meta Data – Self Explanatory.
    • Gate Keeper – This process prevents the workflow from being fired if an asset is restored, a version restore for example.
    • IDS Job Process – Workflow process for InDesign assets.
    • Light Box Update Asset – This process sets the entry in the lightbox as the new original of the asset it references. It looks at the “assetRefs” property for the original asset.
    • Media Extraction – InDesign Media Extraction. This process creates a SOAP packet with an embedded ExtendScript to be executed on the InDesign server. The process arguments let you choose the ExtendScript library, Extend Scripts and the Links Folder Path.
    • Page Extraction – InDesign Page Extraction. This process step creates a CQ page from an InDesign document. The actual extraction is carried out by a configurable PageExtractionHandler. This step works on asset renditions only. The renditions to use are determined by the PageExtractionHandler as well and are expected to be created in a previous step. Arguments available are

      extractionHandler: The actual extraction handler class to use for creating the page
      pageName: The name hint for the extracted page
      pageRoot: The root path for the extracted page
      pageTemplate: The template to use for the extracted page
      pageDesign: The page design to use for the extracted page
      pageTitle: The page title to use for the extracted page

    • Resize Image – The process dialog for this is pretty self explanatory.
    • Resize Image to Area – Same as above, except that you can enter the area of the image (width x height).
    • Set Last Modified – Self Explanatory
    • Synchronize /var/dam – The SyncContentProcess syncs the content below /var/dam with /content/dam in two different modes (cleanup and sync). Process is only executed if started with a mode argument, the payload exists and is currently not involved in a Workflow.
    • Synchronize Asset – Self Explanatory from the process dialog.
    • Synchronize Content – The SyncContentProcess syncs the content below /content/dam in two selectable modes (cleanup and sync). Expects its Payload to point to an nt:folder. The cleanup mode removes the nodes in the /content/dam structure that have no counterpart in the /var structure. The sync mode starts, for any nt:file in the branch, a Workflow with the Workflow Model Id provided in the arguments and the file’s path as the payload. The workflow model id argument is the Identifier of a WorkflowModel. This Workflow will be started on Assets added by this Process in sync mode. It is ignored in cleanup mode. Example: /etc/workflow/models/syncmodell
    • Transcode Video – Self Explanatory.
    • Unarchiver – The process dialog does a very good job of explaining what this process does.
    • XMP Writeback – Writes metadata back to the binary.
  • WCM Workflow – All the OOTB processes in this group are pretty self explanatory.
    • Activate Page/Asset
    • Create Version
    • Deactivate Page/Asset
    • Reverse Replicate Content
  • Workflow
    • AND Split – Puts an AND split in your workflow model. You can choose between 2 and 5 branches.
    • Absolute Time Auto Advancer – Workflow Auto Advance Process.
    • Auto Advancer – Same as above.
    • Call Url – Process to call a URL. Script is located at /etc/workflow/scripts/urlcaller.ecma. Arguments are URL, username and password. Pretty self explanatory once you look at the ECMA script.
    • Container Step – Process to contain a workflow within a workflow. The process dialog lets you choose the workflow model you want to include.
    • Create Task – Process to create a task in the new CQ 5.6 Task Manager. The process dialog does a pretty good job of defining arguments and what they are used for.
    • Delete Node – Self Explanatory.
    • Dialog Participant Step – This process lets you define your custom dialog that will be presented to the user when they want to complete the workflow task from the CQ inbox. This is a good way to have users enter custom data when completing a workflow task.
    • Dynamic Participant Step – This process lets you choose a participant dynamically within the workflow rather than setting it up in the model on creation.
    • Extract Export Data 
    • Form Participant Step – Same as the dialog participant step. Reference here on how to use it.
    • Goto Step – Lets you go back to a particular step in the workflow. At the time of writing this blog, there was a UI bug where if you had the goto step inside a split, the drop-down won’t show the steps outside the branch of the split. The workaround for this is to manually update the property in CRXDE for the goto step process.
    • Lock Payload Step – Self Explanatory.
    • No Operation – Self Explanatory.
    • OR Split – Self Explanatory.
    • Participant Step – Self Explanatory.
    • Process Assembler
    • Process Step – Self Explanatory.
    • Random Participant Chooser – Self Explanatory.
    • Scene7
    • Sentiments Analyzer
    • Test & Target Offer
    • Unlock Payload Process – Self Explanatory.
    • Watchwords Analyzer
    • Workflow Initiator Participant Chooser – Sample that chooses the workflow initiator as the participant.

As always, please leave comments with questions/concerns and I will try to answer as soon as I can.

11:56 AM Permalink

How to create a mobile site in CQ

Posted on Tuesday, April 2, 2013 By

Recently found some very nice detailed videos on how to create mobile sites in CQ. Thanks to the OP for the videos.

There are 4 videos in the series.


Of course the official Mobile page is located here


4:07 PM Permalink

Digital Marketing Webinar

Posted on Monday, February 11, 2013 By

Be sure to attend the Digital Marketing webinar that will discuss Adobe CQ dispatcher caching strategies. See the following link for more information:


To sign up for this webinar, click the following link:

2:46 PM Permalink

How to add custom namespace in CRX

Posted on Wednesday, November 21, 2012 By

There are times when a custom namespace is needed in a system for organization and management purposes. Without registering the namespace with CRX, properties with a custom namespace would not be accepted. In this blog post I will talk about two ways of registering a namespace in CRX.

To illustrate, let’s take a look at the behavior of CRX without registering any namespace. Let me go ahead and enter a property that has a namespace in it:

Upon saving, I would get the following error:

Now let’s proceed with registering the namespace. There are two ways of doing this:

Register namespace via CRX Console

  1. A namespace can be added via Node Type Administration in the CRX Console.
  2. In the Node Type Administration window, click on “Namespaces”, which is located at the far right of the toolbar.
  3. At the bottom of the Namespaces window, click on “New”.
  4. Enter the URI and the Namespace mapping and click Ok. And you should see the namespace added:
  5. Voila! It’s that easy. And now you can add the property again with the registered namespace:


Register custom namespace via CND file

  1. A namespace can also be registered via a CND file. The CND file can be deployed with any CRX package (install folder, or via the package manager).
  2. Once the package is installed on CRX, any namespaces in CND files found inside the package are registered automatically.
  3. Here’s the content of the CND file:
  4. That’s it! It’s nothing more than a mapping=uri pair.
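Beyond the two console and CND methods above, the same registration can be done from code through the JCR NamespaceRegistry; this added example (not code from the original post) checks whether a prefix is known, registers it once if not, and then sets the namespaced property that would otherwise be rejected. The class name, the “acme” prefix, its URI and the node path are constructed values for illustration.

```java
import javax.jcr.NamespaceException;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

public final class NamespaceHelper {
    private NamespaceHelper() {}

    /** True when the prefix is already mapped in the workspace-wide namespace registry. */
    public static boolean isRegistered(Session session, String prefix) throws RepositoryException {
        try {
            session.getWorkspace().getNamespaceRegistry().getURI(prefix);
            return true;
        } catch (NamespaceException e) {
            return false;              // unknown prefix: the same failure the CRX console reports on save
        }
    }

    /** Registers prefix -> uri once. The registry is persistent and workspace-wide, so use an admin session. */
    public static void ensureRegistered(Session session, String prefix, String uri) throws RepositoryException {
        if (!isRegistered(session, prefix)) {
            session.getWorkspace().getNamespaceRegistry().registerNamespace(prefix, uri);
        }
    }

    /**
     * Sets a namespaced property such as "acme:owner". Without the registration step,
     * setProperty throws NamespaceException because "acme" is not a known prefix.
     */
    public static void setNamespacedProperty(Session session, String nodePath, String prefix,
                                             String uri, String localName, String value)
            throws RepositoryException {
        ensureRegistered(session, prefix, uri);
        Node node = session.getNode(nodePath);
        node.setProperty(prefix + ":" + localName, value);
        session.save();
    }

    // Constructed example values (hypothetical prefix, URI and node path). The equivalent
    // declaration in a CND file would be:   <acme = 'http://www.example.com/acme/1.0'>
    public static void example(Session adminSession) throws RepositoryException {
        setNamespacedProperty(adminSession, "/content/acme-demo", "acme",
                "http://www.example.com/acme/1.0", "owner", "marketing");
    }
}
```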
9:31 PM Permalink