With the latest AEM Forms 6.5.16 Add-on package, which is recommended for mitigating multiple security concerns published in the latest security bulletin, AEM crashed in Windows environments with JDK 11.0.18 if the user only had forms-users group privileges.
The failed screen is as follows:
Internal Server Error
Cannot serve request to /aem/createaf.html/content/dam/formsanddocuments in com.adobe.aem.formsndocuments.servlet.ThemeClientLibraryDataSourceServlet
Exception:
java.lang.NullPointerException
at com.adobe.aem.formsndocuments.servlet.ThemeClientLibraryDataSourceServlet.lambda$getThemeClientLibCategoryList$3(ThemeClientLibraryDataSourceServlet.java:76)
at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:176)
at java.base/java.util.Iterator.forEachRemaining(Iterator.java:133)
at java.base/java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578)
at com.adobe.aem.formsndocuments.servlet.ThemeClientLibraryDataSourceServlet.getThemeClientLibCategoryList(ThemeClientLibraryDataSourceServlet.java:81)
at com.adobe.aem.formsndocuments.servlet.ThemeClientLibraryDataSourceServlet.doGet(ThemeClientLibraryDataSourceServlet.java:50)
at org.apache.sling.api.servlets.SlingSafeMethodsServlet.mayService(SlingSafeMethodsServlet.java:266)
at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:342)
at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:374)
The issue was found on Windows 11 and on Windows Server environments, and based on the crash location, RedHat Enterprise Linux may well experience the same issue. The reproduction steps are as follows:
- On Windows 11, with JDK 11.0.18 (either from Oracle or from the Adobe file share), have an instance with 6.5.0 + 6.5.15 SP + AEM Forms 6.5.15 Add-on + AEM Forms 6.5.16 Compat with the nosamplecontent runmode
- Perform an upgrade to the latest AEM 6.5.16 SP + AEM Forms 6.5.16 Add-on (either the March 2 release v904 or the March 13 release v912)
- Sign in as admin and create a user form-author with only forms-users group membership
- Create a configuration folder for editable templates and then create a new Adaptive Form Template called custom-template
- Impersonate the form-author created in step #3, then attempt to create a new form with the custom-template created in step #4.
Expected:
At step 5: the user is able to create a new form without problem
Actual:
At step 5: AEM crashed with a null pointer error on the screen
Investigating the crash point showed that the code does not check whether the categories returned by HtmlLibraryManager are readable by the requesting user before it reads the JCR node properties. Because the HtmlLibraryManager service is mapped to a higher-privileged service account, it returns paths that the user's own session cannot read, and the servlet crashes for any user who is not a member of a group with global administration rights.
One example of a path that triggers the crash is /libs/granite/operations: this folder is readable only by the operator group, but HtmlLibraryManager still returns it as a visible client library for form-author...
The workaround found for the issue is to use a RepositoryInitializer (repoinit) script to give forms-users read access to all /*/clientlibs folders. An example follows; the last two allow lines are only needed if ACS AEM Tools and Groovy Console have been installed:
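To illustrate the missing check described above, here is an added example (my own code, not Adobe's servlet) of how a servlet can filter the client libraries reported by the privileged HtmlLibraryManager down to those the requesting user's own ResourceResolver can read, before dereferencing any JCR properties. The class name ReadableClientLibs and the method name are assumptions; HtmlLibraryManager.getLibraries(), ClientLibrary.getPath() and ResourceResolver.getResource() are the real Granite and Sling APIs.

```java
// Added illustration, not code from the AEM Forms add-on.
// Goal: never read properties of a clientlib node that the *user's* session cannot
// resolve, because HtmlLibraryManager runs under a higher-privileged service session
// and may report paths (e.g. /libs/granite/operations/...) hidden from the user by ACLs.
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ValueMap;

import com.adobe.granite.ui.clientlibs.ClientLibrary;
import com.adobe.granite.ui.clientlibs.HtmlLibraryManager;

public final class ReadableClientLibs {   // class name is an assumption

    private ReadableClientLibs() {
    }

    /**
     * Returns the "categories" property values of every client library whose node
     * the given user-scoped resolver can actually read. Libraries the
     * HtmlLibraryManager knows about but that are ACL-hidden from this user are
     * skipped instead of dereferenced, so a forms-users member without global
     * administration rights no longer causes a NullPointerException.
     */
    public static List<String> readableCategories(HtmlLibraryManager manager,
                                                  ResourceResolver userResolver) {
        List<String> result = new ArrayList<>();

        // Keyed by path; built from the service session, so it can contain paths
        // the requesting user has no jcr:read on.
        Map<String, ClientLibrary> all = manager.getLibraries();

        for (ClientLibrary lib : all.values()) {
            // getResource() returns null when the node does not exist OR when the
            // user's session lacks read permission; both cases must be skipped.
            Resource node = userResolver.getResource(lib.getPath());
            if (node == null) {
                continue;
            }

            // Safe to read properties now: the node is visible to this user.
            ValueMap props = node.getValueMap();
            String[] categories = props.get("categories", new String[0]);
            for (String category : categories) {
                result.add(category);
            }
        }
        return result;
    }
}
```

In a Sling servlet the resolver to pass in is request.getResourceResolver(), i.e. the session of the user making the request, not a service resolver. Reading the node through that resolver and checking for null is what enforces the repository ACLs; the repoinit workaround below widens those ACLs instead, which is why it works but also why it grants forms-users read on folders they did not need before.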
set ACL for coc-forms-users
remove * on /libs/granite/operations
remove * on /libs/granite/topology
remove * on /libs/granite/offloading
remove * on /libs/granite/backup
remove * on /libs/dam/remoteassets/content/siteconnections
remove * on /libs/granite/distribution
remove * on /apps
allow jcr:read on /libs/granite/operations
allow jcr:read on /libs/granite/topology
allow jcr:read on /libs/granite/offloading
allow jcr:read on /libs/granite/backup
allow jcr:read on /libs/dam/remoteassets/content/siteconnections
allow jcr:read on /libs/granite/distribution
allow jcr:read on /apps restriction(rep:glob,/acs-tools/*)
allow jcr:read on /apps restriction(rep:glob,/groovyconsole/clientlibs)
end
Hope this sharing helps those who are also experiencing the same crashing issue.