Hello Experts,
I have written a Sling servlet (ResourceType) as per Adobe guidelines, and this servlet is being exposed as a REST API. The question is how to protect/authenticate it on the Publish instance:
On Publish everyone has read access, and the resourcetype points to /content/, which has read access for everyone?
@SlingServletResourceTypes(resourceTypes = "MyProject/components/page", methods = HttpConstants.METHOD_POST, selectors = "pdfService", extensions = "html")
Should I move this resourcetype node to /etc and restrict access on the Publish instance? Please guide me on how to handle a resourcetype servlet exposed as a REST API on a Publish instance. Thanks.
Yes - you can make the node with the sling:resourceType under /etc, /content (or even /apps, I think?). I would change the resource type though, since "MyProject/components/page" very much sounds like the resource is an AEM Page, rather than a controlled API endpoint.
So maybe you declare:
@SlingServletResourceTypes(resourceTypes = "MyProject/api/pdf", methods = HttpConstants.METHOD_POST, selectors = "pdfService", extensions = "html")
Create /etc/apis/pdf with sling:resourceType MyProject/api/pdf
Set ACLs on /etc/apis/pdf to be deny all, allow jcr:read Group X
Then you can invoke it via HTTP POST /etc/apis/pdf.pdfservice.html
You'll likely have to open a hole in dispatcher to let that through publish.
You will want to place ACLs on the resource that has that resource type (MyProject/components/page) -- so if you only want users in Group X to access this servlet, then deny jcr:read all on the node, and then allow jcr:read for Group X on that node.
Thanks for taking the time to respond. Here is a follow-up question:
>> so if you only want users in Group X to access this servlet, then deny jcr:read all on the node, and then allow jcr:read for Group X on that
Please note this is a Publish instance and the everyone (default) group has read access to all of /content/MyProject/*, so this will impact overall permissions on this tree. So is there any other scenario we can consider, like moving this node under /etc, as it has default deny on Publish?
Thanks for your response, it helps.
Two more things: 1) Maven project deployment. How can we automate the inclusion of this node (/etc/apis/pdf) in the Maven project for different AEM environments?
2) Since on Publish /content/MyProject will have everyone read, I was wondering: if we create this node under /etc, will an AEM upgrade override it, or will any Service Pack/hotfix overwrite the /etc node?
Please let me know your thoughts. A similar thread exists - https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-configure-a-servlet... but it does not talk about the Publish read-only angle.
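Tying the accepted answer's "create /etc/apis/pdf and set its ACLs" steps to the Maven automation question: below is an added Sling repoinit script (not code from this thread) that creates the endpoint node and its ACLs on every environment the project is deployed to. It is wired in through an OSGi factory configuration such as `org.apache.sling.jcr.repoinit.RepositoryInitializer~pdf-api.cfg.json` in the project's `ui.config` module, whose `scripts` property holds the script; the group name `pdf-api-users` stands in for "Group X", and `set properties` assumes a repoinit parser that supports it (recent AEM 6.5 service packs and AEM as a Cloud Service).

```repoinit
# Added example, not from the thread. Group name and config location are assumptions.

# Group that is allowed to call the PDF endpoint (stands in for "Group X").
create group pdf-api-users

# Endpoint node: a POST to /etc/apis/pdf.pdfService.html resolves to this node,
# and its sling:resourceType selects the servlet registered for MyProject/api/pdf.
create path (sling:Folder) /etc/apis/pdf
set properties on /etc/apis/pdf
    set sling:resourceType{String} to "MyProject/api/pdf"
end

# Both principals below are groups, and on the same node the entry added later
# takes precedence, so the deny for everyone must come before the allow for the group.
set ACL on /etc/apis/pdf
    deny jcr:read for everyone
    allow jcr:read for pdf-api-users
end
```

Because the script runs on every start-up and is idempotent, the node and ACLs are reapplied after a Service Pack or content overwrite rather than depending on a one-time content package import.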