Level 2

Repoinit not able to set ACL properly in AEM SDK | Not Able to correctly retrieve a Session in AEM

Forum|Forum|1 year ago
February 15, 2024
3 replies
2050 views

Hey Guys,

As I've said before I'm trying to create a system user to retrieve a valid session in order to create nodes in AEM using a JCR Session.

Down bellown I have my repoinit config file

org.apache.sling.jcr.repoinit.RepositoryInitializer~aem-showcase.cfg.json

{
    "scripts": [
        "create path (sling:OrderedFolder) /content/dam/aem-showcase",
        "create path (nt:unstructured) /content/dam/aem-showcase/jcr:content",
        "set properties on /content/dam/aem-showcase/jcr:content\n  set cq:conf{String} to /conf/aem-showcase\n  set jcr:title{String} to \"AEM Showcase\"\nend",
        "create path (nt:Folder) /content/dam/aem-showcase/comments",
        "create path (nt:unstructured) /content/dam/aem-showcase/comments/jcr:content",
        "create service user aem-showcase-jcr-service-user with forced path system/cq:services/aem-showcase-jcr-service-user\n set principal ACL for aem-showcase-jcr-service-user\n allow jcr:all on :repository,/content/dam/aem-showcase/comments\nend"
    ]
}

Also I've made sure to have a sling.serviceusermapping config in order to make sure I have the user mapped to a subservice you can see the content of that in the script down bellow as well

org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended~aem-showcase.cfg.json

{
    "user.mapping": [
        "aem-showcase.core:AEMShowCaseUserJCR=[aem-showcase-jcr-service-user]"
    ]
}

And finally I've created a OSGI service to create my nodes programatically, but of course when I retrieve the session and I try to grab the comments node It says it does not exist even though I checked on the crx and it does exist,

package com.aem.showcase.core.services.impl;

import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;

import javax.jcr.Node;
import javax.jcr.PathNotFoundException;
import javax.jcr.Session;
import javax.jcr.nodetype.NodeType;

import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.serviceusermapping.ServiceUserMapped;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

import com.aem.showcase.core.pojos.CommentPojo;
import com.aem.showcase.core.services.CommentsService;

@Component(
    service = CommentsService.class,
    reference = {
        @3214626(
            name = CommentServiceImpl.SERVICE_ID,
            service = ServiceUserMapped.class,
            target = "(subServiceName=AEMShowCaseUserJCR)"
        )
    },
    immediate = true)
public class CommentServiceImpl implements CommentsService{

    @3214626
    ResourceResolverFactory resourceResolverFactory;
    
    protected static final String SERVICE_ID = "AEMShowCaseUserJCR";

    @9944223
    public boolean createComment(CommentPojo commentPojo) {
        try (ResourceResolver resolver = resourceResolverFactory.getResourceResolver(getAdminResourceResolverMap())){
            
            Session session = resolver.adaptTo(Session.class);
            Node commentsNode = null;
            try {
                commentsNode = session.getNode("/content/dam/aem-showcase/comments");    
            } catch (PathNotFoundException e) {
                commentsNode = session.getNode("/content/dam/aem-showcase").addNode("comments", NodeType.NT_FOLDER);
            }

            Node comment = commentsNode.addNode(commentPojo.getId(), NodeType.NT_UNSTRUCTURED);
            comment.setProperty("id", commentPojo.getId());
            comment.setProperty("content", commentPojo.getContent());
            comment.setProperty("created", commentPojo.getCreated());
            comment.setProperty("fullName", commentPojo.getFullname());
            comment.setProperty("upvote", commentPojo.getUpvote_count());

            session.save();
            session.logout();

            return true;
        } catch (Exception e) {
            String test = "Just to see the exception";
            // TODO: handle exception
        }

        return false;
    }

    @9944223
    public boolean deleteComment(CommentPojo commentPojo) {
        // TODO Auto-generated method stub
        return false;
    }

    @9944223
    public List<CommentPojo> findAll(String fullname) {
        // TODO Auto-generated method stub
        return null;
    }

    @9944223
    public CommentPojo getComment(long id) {
        // TODO Auto-generated method stub
        return null;
    }

    Map<String, Object> getAdminResourceResolverMap() {
        Map<String, Object> authInfo = Collections.singletonMap(
            ResourceResolverFactory.SUBSERVICE, SERVICE_ID);

        return authInfo;
    }
}

I'm starting to think that maybe because I'm trying to access a node there's inside of /content/dam/* my permissions are not valid to set or being replaced by some other admin acl or something like that.

Please If anybody know how to properly handle that case let me know ASAP.

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

Imran Khan

Community Advisor

@vasconcelosaquila

There were some issues which I corrected as part of current repoint ACL's. If I am not wrong, your are just trying to have ACL permission to access content node.

{
    "scripts": [
        "create path /content/dam/aem-showcase(sling:OrderedFolder)",
        "create path /content/dam/aem-showcase/jcr:content(nt:unstructured)",
        "create path /content/dam/aem-showcase/comments(nt:Folder)",
        "create path /content/dam/aem-showcase/comments/jcr:content(nt:unstructured)",
        "create service user aem-showcase-jcr-service-user with path system/aem-showcase-jcr-service-user",
        "set ACL for aem-showcase-jcr-service-user\n\tallow jcr:all on /content/dam/aem-showcase/comments\nend",
        "set properties on /content/dam/aem-showcase/jcr:content\n set cq:conf{String} to /conf/aem-showcase\n  set jcr:title{String} to \"AEM Showcase\"\nend"
    ]
}

V

VasconcelosAquilaAuthor

Level 2

Hey Imran, I tried you correction and I still have problems with that, a thing that I noticed is that you changed the path from user from

system/cq:services/aem-showcase-jcr-service-user

to

system/aem-showcase-jcr-service-user

and the question I have is: What is the difference, and where is this user located in the crx de interface?

Raja_Reddy

Community Advisor

Hi @vasconcelosaquila

The path /content/dam/aem-showcase/comments is within the /content/dam hierarchy, which is typically used for storing digital assets. It is possible that the permissions for the system user you created do not allow access to this path or its parent folders.

To verify this, you can try creating a test node outside of the /content/dam hierarchy, such as /content/aem-showcase/test, and see if you are able to access it using the system user. If you are able to access the test node, then the issue might be related to the permissions for the /content/dam hierarchy.

If this is the case, you can try updating the permissions for the system user to allow access to the /content/dam hierarchy and its child nodes. You can do this by modifying the repoinit script to include the necessary permissions. For example:

create service user aem-showcase-jcr-service-user with forced path system/cq:services/aem-showcase-jcr-service-user
set principal ACL for aem-showcase-jcr-service-user
allow jcr:all on /content/dam/aem-showcase
allow jcr:all on /content/dam/aem-showcase/comments

V

VasconcelosAquilaAuthor

Level 2

Hey Raja, thanks for the reply,

I tried your suggestions and also tried the ones from @imran__khan , I tried them all actually.

I've made some changes to my repoinit and here is how it looks like now

{
    "scripts": [
        "create path /content/dam/aem-showcase(sling:OrderedFolder)",
        "create path /content/dam/aem-showcase/jcr:content(nt:unstructured)",
        "create path /content/dam/aem-showcase/comments(nt:Folder)",
        "create path /content/dam/aem-showcase/comments/jcr:content(nt:unstructured)",
        "create service user aem-showcase-jcr-service-user with forced path system/cq:services/aem-showcase-jcr-service-user",
        "set ACL for aem-showcase-jcr-service-user\n",
        "\tallow jcr:all on /content/aem-showcase\n",
        "\tallow jcr:all on /content/aem-showcase/comments\n",
        "\tallow jcr:all on /content/dam/aem-showcase\n",
        "\tallow jcr:all on /content/dam/aem-showcase/comments\nend",
        "set properties on /content/dam/aem-showcase/jcr:content\n set cq:conf{String} to /conf/aem-showcase\n  set jcr:title{String} to \"AEM Showcase\"\nend"
    ]
}

Also I've changed my code just to make sure I was not trying to access some locked node or something, so that is how the code looks like now

package com.aem.showcase.core.services.impl;

import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;

import javax.jcr.Node;
import javax.jcr.PathNotFoundException;
import javax.jcr.Session;
import javax.jcr.nodetype.NodeType;

import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.serviceusermapping.ServiceUserMapped;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

import com.aem.showcase.core.pojos.CommentPojo;
import com.aem.showcase.core.services.CommentsService;

@Component(
    service = CommentsService.class,
    reference = {
        @Reference(
            name = CommentServiceImpl.SERVICE_ID,
            service = ServiceUserMapped.class,
            target = "(subServiceName=AEMShowCaseUserJCR)"
        )
    },
    immediate = true)
public class CommentServiceImpl implements CommentsService{

    @Reference
    ResourceResolverFactory resourceResolverFactory;
    
    protected static final String SERVICE_ID = "AEMShowCaseUserJCR";

    @Override
    public boolean createComment(CommentPojo commentPojo) {
        try (ResourceResolver resolver = resourceResolverFactory.getResourceResolver(getAdminResourceResolverMap())){
            
            Session session = resolver.adaptTo(Session.class);
            Node commentsNode = null;
            try {
                commentsNode = session.getNode("/content/aem-showcase/comments");    
            } catch (PathNotFoundException e) {
                commentsNode = session.getNode("/content/aem-showcase").addNode("comments", NodeType.NT_FOLDER);
            }

            Node comment = commentsNode.addNode(commentPojo.getId(), NodeType.NT_UNSTRUCTURED);
            comment.setProperty("id", commentPojo.getId());
            comment.setProperty("content", commentPojo.getContent());
            comment.setProperty("created", commentPojo.getCreated());
            comment.setProperty("fullName", commentPojo.getFullname());
            comment.setProperty("upvote", commentPojo.getUpvote_count());

            session.save();
            session.logout();

            return true;
        } catch (Exception e) {
            String test = "Just to see the exception";
            // TODO: handle exception
        }

        return false;
    }

    @Override
    public boolean deleteComment(CommentPojo commentPojo) {
        // TODO Auto-generated method stub
        return false;
    }

    @Override
    public List<CommentPojo> findAll(String fullname) {
        // TODO Auto-generated method stub
        return null;
    }

    @Override
    public CommentPojo getComment(long id) {
        // TODO Auto-generated method stub
        return null;
    }

    Map<String, Object> getAdminResourceResolverMap() {
        Map<String, Object> authInfo = Collections.singletonMap(
            ResourceResolverFactory.SUBSERVICE, SERVICE_ID);

        return authInfo;
    }
}

I'm not failing to get an session but I do fail once I try to grab the nodes, I tried grabing it and in case it did not exist (that should be the case in my first attempt given that I did not create the folder this one time using the repoinit) but once I try getting the first node that does exist (the one with the path /content/aem-showcase) it throws an exception saying that the node does not exist as you guys can see in the image down bellow

Also I've tried looking at the /useradmin in order to see if the user had the correct accesses but it looks like the ACLs in that case are not working as you guys can see in the image down bellow:

Please let me know if you guys see any error on my logic, maybe I'm failing to see something, I also kindly ask you guys to try running the code in one of you guys instance just to make sure.

Thanks in advance.

kautuk_sahni

Community Manager

@vasconcelosaquila Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.

Kautuk Sahni

V

VasconcelosAquilaAuthor

Level 2

Hey @kautuk_sahni , can you help me on that issue?

P

PriyaJo1

Adobe Employee

Hi @vasconcelosaquila , Did it finally work for you? I am having similar use case to access the comment on assets. So wanted to check if this ACL worked for you?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded