How to authenticate sling ResoureType based servlet on publish?

Question

Hello Experts,

I have written a sling servlet (ResourceType) as per Adobe guidelines. And this is servlet is being exposed as a Rest API. Question is how to protect/ authenticate it on Publish instance:

On Publish everyone has Read access and resourcetype is pointing to /content/ which has read access for everyone?

@SlingServletResourceTypes(resourceTypes = "MyProject/components/page", methods = HttpConstants.METHOD_POST, selectors = "pdfService", extensions = "html")

Should I move this resourcetype node to /etc and restrict access on Publish instance, pls guide how to handle resouretype servlet exposed as Rest API on Publish instance. thanks.

davidjgonzalezzzz · Accepted Answer

Yes - you can make the node with the sling:resourceType under /etc, /content, (or even /apps i think?) .. I would change the resource type tho since "MyProject/components/page" very much sounds like the resource is an AEM Page, rather than a controlled API endpoint.

So maybe you declare:

@SlingServletResourceTypes(resourceTypes = "MyProject/api/pdf", methods = HttpConstants.METHOD_POST, selectors = "pdfService", extensions = "html")

Create /etc/apis/pdf with sling:resourceType MyProject/api/pdf

Set ACLs on /etc/apis/pdf to be deny all , allow jcr:read Group X

Then you can invoke it via HTTP POST /etc/apis/pdf.pdfservice.html

You'll likely have to open a hole in dispatcher to let that through publish.

davidjgonzalezzzz · Answer

You will want to place ACLs on the resource that has that resource type (MyProject/components/page) -- so if you only want users in Group X to access this servlet, then deny jcr:read all on the node, and then allow jcr:read for Group X on that node.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded