AssetManager doesn't respect JCR permissions? | Community
Level 8
October 16, 2015
Solved

AssetManager doesn't respect JCR permissions?


I'm writing a servlet to take a file and store it into the DAM and perform some processing. I've set up permissions on a folder in the DAM to deny modify, create and delete access for the "author" user. When I use Postman to submit the file, I sent across the author authentication - but the file still gets written to the DAM.

Does the AssetManager ignore JCR permissions?  Are we supposed to manually check if the user has access to write to a specific location?

4 replies

Sham_HC
Level 10
October 16, 2015

You do not have to check permissions; if permission is denied, an exception will be thrown. All you need to make sure is that in the custom servlet you use the user session and not the admin one. If you are using the user session, can you post the complete code for review?

leeasling (Author)
Level 8
October 16, 2015

We are using the user session, not an administrative session.  The code is attached.

```java
package com.test.services.osgi.servlets;

import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.rmi.ServerException;

import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.request.RequestParameter;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.jcr.Session;

import com.day.cq.dam.api.AssetManager;

@SlingServlet(
    paths = "/bin/submitFile",
    methods = "POST",
    metatype = true,
    name = "com.test.services.osgi.servlets.TestServlet"
)
public class TestServlet extends SlingAllMethodsServlet {
    private static final long serialVersionUID = -1L;
    private static final Logger logger = LoggerFactory.getLogger(TestServlet.class);

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServerException, IOException {
        try {
            final boolean isMultipart = ServletFileUpload.isMultipartContent(request);
            PrintWriter out = null;
            out = response.getWriter();
            if (isMultipart) {
                final java.util.Map<String, RequestParameter[]> params = request.getRequestParameterMap();
                for (final java.util.Map.Entry<String, RequestParameter[]> pairs : params.entrySet()) {
                    final org.apache.sling.api.request.RequestParameter[] pArr = pairs.getValue();
                    final org.apache.sling.api.request.RequestParameter param = pArr[0];
                    final InputStream stream = param.getInputStream();
                    Session session = request.getResourceResolver().adaptTo(Session.class);
                    // Save the uploaded file into the Adobe CQ DAM
                    out.println("The Sling Servlet placed the uploaded file here: "
                            + writeToDam(request.getResourceResolver(), stream, param.getFileName(), request.getContentType()));
                }
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // Save the uploaded file into the AEM DAM using AssetManager API
    private String writeToDam(ResourceResolver resourceResolver, InputStream is, String fileName, String contentType) {
        try {
            // Use AssetManager to place the file into the AEM DAM
            com.day.cq.dam.api.AssetManager assetMgr = resourceResolver.adaptTo(AssetManager.class);
            String newFile = "/content/dam/test/" + fileName;
            assetMgr.createAsset(newFile, is, contentType, true);
            // Return the path to the file was stored
            return newFile;
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }
}
```

leeasling (Author)
Level 8
October 16, 2015

Sham - any way you would be able to verify this?  I'm still seeing that JCR permissions are not being recognized by this in AEM 6.

Sham_HC (Accepted solution)
Level 10
October 16, 2015

leeasling wrote...

Sham - any way you would be able to verify this?  I'm still seeing that JCR permissions are not being recognized by this in AEM 6.

The program looks OK and AssetManager is respecting JCR permissions, as you can see in [1], when I used the session of a user who did not have permission. The only problem in your code is that, whether it succeeds or fails, you are displaying that it uploaded fine. Handle the exception correctly and check the ACL in your useradmin, especially for the group the user belongs to.

[1]

21.08.2014 11:44:31.022 *ERROR* [0:0:0:0:0:0:0:1%0 [1408635871017] POST /bin/submitFile HTTP/1.1] com.day.cq.dam.api.AssetManager createAsset: asset error while creating asset [/content/dam/test/test.txt]: 
com.adobe.granite.asset.api.AssetException: Failed to create Asset at path [ /content/dam/test/test.txt ]
    at com.adobe.granite.asset.core.impl.AssetManagerImpl.createAsset(AssetManagerImpl.java:69)
    at com.day.cq.dam.core.impl.AssetManagerImpl.createAsset(AssetManagerImpl.java:252)
    at com.test.services.osgi.servlets.TestServlet.writeToDam(TestServlet.java:67)
    at com.test.services.osgi.servlets.TestServlet.doPost(TestServlet.java:48)
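
An added example (not code from the thread or from Adobe) of the error handling the accepted answer asks for: the servlet reports a failed createAsset instead of always printing a success line, and uses the caller's own session to tell an ACL denial from other errors. The class name, package, servlet path, the form field name `file`, and treating a null return from createAsset as failure are assumptions.

```java
package com.example.dam; // hypothetical package, not from the thread
import java.io.IOException;
import java.io.InputStream;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.request.RequestParameter;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import com.day.cq.dam.api.Asset;
import com.day.cq.dam.api.AssetManager;

@SlingServlet(paths = "/bin/submitFileChecked", methods = "POST") // hypothetical path
public class CheckedUploadServlet extends SlingAllMethodsServlet {
    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        RequestParameter file = request.getRequestParameter("file"); // assumed field name
        if (file == null || file.isFormField()) {
            response.sendError(SlingHttpServletResponse.SC_BAD_REQUEST, "No file uploaded");
            return;
        }
        // Resolver of the authenticated caller (never an administrative one),
        // so the repository enforces that user's ACLs on the write.
        ResourceResolver resolver = request.getResourceResolver();
        String path = "/content/dam/test/" + file.getFileName();
        Asset asset = null;
        try (InputStream in = file.getInputStream()) {
            AssetManager assetMgr = resolver.adaptTo(AssetManager.class);
            asset = (assetMgr == null) ? null
                    : assetMgr.createAsset(path, in, file.getContentType(), true);
        } catch (RuntimeException e) {
            log("createAsset failed for " + path, e);
        }
        if (asset != null) { // success is reported only when an asset really exists
            response.getWriter().println("Stored at " + asset.getPath());
            return;
        }
        // Exception or null return (assumed failure mode): 403 if the caller lacks add_node.
        response.sendError(mayAddNode(resolver, path)
                ? SlingHttpServletResponse.SC_INTERNAL_SERVER_ERROR
                : SlingHttpServletResponse.SC_FORBIDDEN, "Asset was not created");
    }

    private static boolean mayAddNode(ResourceResolver resolver, String path) {
        try {
            Session session = resolver.adaptTo(Session.class);
            return session != null && session.hasPermission(path, Session.ACTION_ADD_NODE);
        } catch (RepositoryException e) {
            return false; // fail closed when the permission check itself errors
        }
    }
}
```

Submitting the same Postman request as a user with the deny ACL should then yield a 403 rather than a success message, which makes an unexpected 200 a clear sign that the effective ACLs (including group membership) are not what was intended.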