Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

Exposing path based sling servlet as Rest API to 3rd party system

Avatar

Level 4

hello experts,

 

From below discussion [1] it has come out that, for exposing a Rest API from AEM for a 3rd party system is to use Path based Sling Servlet.

 

Now here is some clarification if you can guide us?

- is it good practice to invoke - com.adobe.fd.output.api.OutputService/ com.adobe.fd.assembler.service.AssemblerService in a custom OSGi service and, then use this OSGi service in Sling Servlet's Get method?

- Or we can directly invoke OutputService/ AssemblerService in Sling Servlets's Post method?

 

Please share your opinions. 

 

[1] https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager-forms/what-is-the-best-app...

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

@hrai 

For known reasons, resourceType based servlet is more secure and then you can use the ACLs for limited access to users that can invoke the servlet.

For Path based servlet, a simple user id check in the doPost method should suffice:

String userId = session.getUserID();
if (StringUtils.isNotEmpty(userId) && userId.equalsIgnoreCase("username"))
{
//// success
} else {
//// failure
}

Don't have a reference implementation but you can also use JWT to secure your servlet call by validating the tokens.

Haven't worked with encryption though.

Hope this helps!

View solution in original post

5 Replies

Avatar

Employee Advisor

@hrai 

I assume you're referring to the path specified hereDon't see any issue exposing the path-based sling servlet, and you can directly invoke OutputService/ AssemblerService in Sling Servlet's Post method.

Also, using a particular method will depend on the use-case implementation.

Avatar

Level 4

thanks for response. 

 

>> I assume you're referring to the path specified here.

 

well I am talking about Sling Servlets - path based and resourceType based. In order to expose a sling servlet as Rest API to a 3rd party system, Can we use path based sling servlet like /bin/myservice? However on publish how we will manage permission for this path (/bin/myservice) based servlet? 

 

>> Don't see any issue exposing the path-based sling servlet, and you can directly invoke OutputService/ AssemblerService in Sling Servlet's Post method.

 

Invoking OutputService via OSGi service will give any advantage apart from cross bundle usages? or if there is any other best practice? 

 

I hope I am not making it complicated, share your thoughts. thanks.

Avatar

Employee Advisor

@hrai Thanks for clarifying! 

Path and resourceType are both used for registering the servlet.

When we register a servlet using the path, we must be specific about what all paths are allowed, and the rest are blocked. It's just that allowing more paths to execute servlet makes your application vulnerable, and yes, you have to manage the Apache Sling Servlet / Script Resolver and Error Handler config for the same. That’s why you should not open more doors for servlets to run until and unless required. 

This might not be the case when you use resourceType. Sling Engine will take care of permissions if you register the servlet using Resource Type. Users who cannot access a particular resource will not be able to invoke the servlet. For your quick read- http://www.aemcq5tutorials.com/tutorials/sling-servlet-in-aem/#advantages_selector_over_path 

 

As such, there is no best practice, but this depends on the use case. Invoking via OSGi service will also give modularity to the implementation.

Avatar

Level 4

thank you for the follow up. 

 

Since 3rd party will consume this sling servlet via Rest call. I was wondering why should it be resource based servlet?

 

We can still use path based sling servlet for the simplicity. However one question arises is -

- 1. how to make it secure with some authentication on Publish AEM setup

- 2. how to use encryption for secure response back to calling 3rd party system?

 

Please let me know if you are aware of such scenario?

 

Thank you.

Avatar

Correct answer by
Employee Advisor

@hrai 

For known reasons, resourceType based servlet is more secure and then you can use the ACLs for limited access to users that can invoke the servlet.

For Path based servlet, a simple user id check in the doPost method should suffice:

String userId = session.getUserID();
if (StringUtils.isNotEmpty(userId) && userId.equalsIgnoreCase("username"))
{
//// success
} else {
//// failure
}

Don't have a reference implementation but you can also use JWT to secure your servlet call by validating the tokens.

Haven't worked with encryption though.

Hope this helps!