Customizing Components and Other Elements

When creating your own components or customizing an existing component, it is often easiest (and safest) to reuse existing definitions. The same principles also apply to other elements within AEM, for example, the error handler.

This can be done by copying and overlaying the existing definition. In other words, copying the definition from /libs to /apps/<your-project>. This new definition, in /apps, can be updated according to your requirements.

NOTE
See Using Overlays for more details.

For example:

  • Customizing a Component

    This involves overlaying a component definition:

    • Create a component folder in /apps/<website-name>/components/<MyComponent> by copying an existing component:

      • For example, to customize the Text component copy:

        • from /libs/foundation/components/text
        • to /apps/myProject/components/text
  • Customizing pages shown by the Error Handler

    This case involves overlaying a servlet:

    • In the repository, copy one or more default scripts:

      • from /libs/sling/servlet/errorhandler/
      • to /apps/sling/servlet/errorhandler/

CAUTION
Do not change anything in the /libs path.
The content of /libs is overwritten the next time you upgrade your instance (and may well be overwritten when you apply either a hotfix or feature pack).
For configuration and other changes:
  1. copy the item in /libs to /apps
  2. make any changes within /apps

When to use JCR Queries and when not to use them

JCR Queries are a powerful tool when employed correctly. They are appropriate for:

  • real end-user queries, such as fulltext searches on content.

  • occasions where structured content must be found across the entire repository.

    In such cases, make sure that queries only run when required. For example, on component activation or cache invalidation (as opposed to, for example, Workflow Steps, Event Handlers that trigger on content modifications, and Filters).

Never use JCR Queries for pure rendering requests. For example, JCR Queries are not appropriate for the following:

  • rendering navigation
  • creating a “top 10 latest news items” overview
  • showing counts of content items

For rendering content, use navigational access to the content tree instead of performing a JCR Query.
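
Navigational access for a navigation component, as an added example that is not part of the original page. The class name NavigationBuilder and the choice of level 1 as the site root are assumptions; the AEM types used are Page, PageManager and PageFilter.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import com.day.cq.wcm.api.Page;
import com.day.cq.wcm.api.PageFilter;
import com.day.cq.wcm.api.PageManager;
import org.apache.sling.api.SlingHttpServletRequest;

// Hypothetical helper: builds first-level navigation by walking the content
// tree instead of running a JCR Query on every rendering request.
public final class NavigationBuilder {

    private NavigationBuilder() {
    }

    /** Returns {path, title} pairs for the visible children of the site root. */
    public static List<String[]> topLevelEntries(SlingHttpServletRequest request) {
        List<String[]> entries = new ArrayList<>();

        // The request's resolver runs with the caller's permissions, so pages
        // the user may not read never show up in the iteration.
        PageManager pageManager = request.getResourceResolver().adaptTo(PageManager.class);
        Page current = pageManager == null
                ? null : pageManager.getContainingPage(request.getResource());

        // Assumption: level 1 is the site root, for example /content/<site>.
        Page root = current == null ? null : current.getAbsoluteParent(1);
        if (root == null) {
            return entries;
        }

        // PageFilter skips pages that are hidden in navigation or not valid.
        Iterator<Page> children = root.listChildren(new PageFilter(request));
        while (children.hasNext()) {
            Page child = children.next();
            String title = child.getNavigationTitle();
            if (title == null) {
                title = child.getTitle() != null ? child.getTitle() : child.getName();
            }
            entries.add(new String[] { child.getPath(), title });
        }
        return entries;
    }
}
```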

NOTE
If you use the Query Builder, you use JCR Queries, as the Query Builder generates JCR Queries under the hood.

Security Considerations

NOTE
It is also worthwhile to reference the security checklist.

JCR (Repository) Sessions

Use the user session, not the administrative session. This means you should use:

slingRequest.getResourceResolver().adaptTo(Session.class);
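
The servlet below is an added example, not code from the original page, showing why the user session matters when a path comes from the request. The servlet name, resource type, selector and the "path" parameter are assumptions made for illustration.

```java
import java.io.IOException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.Servlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;

// Hypothetical servlet: returns the jcr:title of the node named in "path".
@Component(service = Servlet.class, property = {
        "sling.servlet.resourceTypes=myProject/components/text", // assumed
        "sling.servlet.selectors=title",
        "sling.servlet.extensions=txt"
})
public class TitleLookupServlet extends SlingSafeMethodsServlet {

    @Override
    protected void doGet(SlingHttpServletRequest request,
                         SlingHttpServletResponse response) throws IOException {
        String path = request.getParameter("path");
        if (path == null || !path.startsWith("/")) {
            response.sendError(SlingHttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Session of the authenticated caller: the repository applies that
        // user's ACLs to every call below. An administrative session would
        // skip those checks for whatever path the parameter names.
        Session session = request.getResourceResolver().adaptTo(Session.class);
        try {
            String titlePath = path + "/jcr:title";
            // propertyExists() is false for missing items and for items the
            // user may not read, so both cases look the same to the caller.
            if (session == null || !session.propertyExists(titlePath)) {
                response.sendError(SlingHttpServletResponse.SC_NOT_FOUND);
                return;
            }
            response.setContentType("text/plain");
            response.setCharacterEncoding("UTF-8");
            response.getWriter().write(session.getProperty(titlePath).getString());
        } catch (RepositoryException e) {
            // Malformed paths and repository failures: report without details.
            response.sendError(SlingHttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
        // No session.logout(): the session belongs to the request's resource
        // resolver, which Sling closes at the end of the request.
    }
}
```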

Protect against Cross-Site Scripting (XSS)

Cross-site scripting (XSS) allows attackers to inject code into web pages viewed by other users. This security vulnerability can be exploited by malicious web users to bypass access controls.

AEM applies the principle of filtering all user-supplied content upon output. Preventing XSS is given the highest priority during both development and testing.

Also, a web application firewall, such as mod_security for Apache, can provide reliable, central control over the security of the deployment environment and protect against previously undetected cross-site scripting attacks.

CAUTION
Example code provided with AEM may not itself protect against such attacks and generally relies on request filtering by a web application firewall.

The XSS API cheat sheet contains information that you must know to use the XSS API and make an AEM app more secure. You can download it here:

The XSSAPI cheat sheet.
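
Output encoding per context with the XSS API, as an added example that is not taken from the original page or the cheat sheet. The component SearchBannerRenderer and its parameters are hypothetical; the encoder methods are those of org.apache.sling.xss.XSSAPI.

```java
import org.apache.sling.xss.XSSAPI;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

// Hypothetical OSGi component that renders a search banner from request input.
@Component(service = SearchBannerRenderer.class)
public class SearchBannerRenderer {

    @Reference
    private XSSAPI xss;

    /**
     * @param term    raw search term from the request (untrusted)
     * @param backUrl raw "return to" URL from the request (untrusted)
     */
    public String render(String term, String backUrl) {
        String safeTerm = term == null ? "" : term;
        StringBuilder html = new StringBuilder();

        // HTML text context.
        html.append("<p>Results for <em>")
            .append(xss.encodeForHTML(safeTerm))
            .append("</em></p>");

        // HTML attribute context: use the attribute encoder, not encodeForHTML.
        html.append("<input type=\"text\" name=\"q\" value=\"")
            .append(xss.encodeForHTMLAttr(safeTerm))
            .append("\">");

        // href context: getValidHref() returns an empty string for URLs it
        // rejects (for example javascript: schemes); the link is then omitted.
        String href = xss.getValidHref(backUrl);
        if (href != null && !href.isEmpty()) {
            html.append("<a href=\"").append(href).append("\">Back</a>");
        }

        // JavaScript string literal context.
        html.append("<script>var lastQuery = \"")
            .append(xss.encodeForJSString(safeTerm))
            .append("\";</script>");

        return html.toString();
    }
}
```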

Securing Communication for Confidential Information

As for any internet application, make sure that when transporting confidential information:

  • traffic is secured through SSL
  • HTTP POST is used if applicable

This applies to information that is confidential to the system (like configuration or administrative access) and information confidential to its users (like their personal details).

Distinct Development Tasks

Customizing Error Pages

Error pages can be customized for AEM. This is advisable so that the instance does not reveal Sling traces on internal server errors.

See Customizing Error Pages shown by the Error Handler for full details.

Open Files in the Java™ Process

Because AEM can access many files, it is recommended that the number of open files for a Java™ process be explicitly configured for AEM.

To keep the number of open files low, developers should ensure that any file opened is correctly closed whenever (meaningfully) possible.
