Hello Experts,
I have written a sling servlet (ResourceType) as per Adobe guidelines. And this is servlet is being exposed as a Rest API. Question is how to protect/ authenticate it on Publish instance:
On Publish everyone has Read access and resourcetype is pointing to /content/ which has read access for everyone?
@SlingServletResourceTypes(resourceTypes = "MyProject/components/page", methods = HttpConstants.METHOD_POST, selectors = "pdfService", extensions = "html")
Should I move this resourcetype node to /etc and restrict access on Publish instance, pls guide how to handle resouretype servlet exposed as Rest API on Publish instance. thanks.
Solved! Go to Solution.
Views
Replies
Total Likes
Yes - you can make the node with the sling:resourceType under /etc, /content, (or even /apps i think?) .. I would change the resource type tho since "MyProject/components/page" very much sounds like the resource is an AEM Page, rather than a controlled API endpoint.
So maybe you declare:
@SlingServletResourceTypes(resourceTypes = "MyProject/api/pdf", methods = HttpConstants.METHOD_POST, selectors = "pdfService", extensions = "html")
Create /etc/apis/pdf with sling:resourceType MyProject/api/pdf
Set ACLs on /etc/apis/pdf to be deny all , allow jcr:read Group X
Then you can invoke it via HTTP POST /etc/apis/pdf.pdfservice.html
You'll likely have to open a hole in dispatcher to let that through publish.
You will want to place ACLs on the resource that has that resource type (MyProject/components/page) -- so if you only want users in Group X to access this servlet, then deny jcr:read all on the node, and then allow jcr:read for Group X on that node.
thanks for taking time to respond. here is a follow up question:
>> so if you only want users in Group X to access this servlet, then deny jcr:read all on the node, and then allow jcr:read for Group X on that
pls note this a Publish instance and everyone (default) group has read all at /content/MyProject/* so this will impact overall permissions on this tree. So is there any other scenario we can consider like moving this node under /etc as it has default deny in publish?
Yes - you can make the node with the sling:resourceType under /etc, /content, (or even /apps i think?) .. I would change the resource type tho since "MyProject/components/page" very much sounds like the resource is an AEM Page, rather than a controlled API endpoint.
So maybe you declare:
@SlingServletResourceTypes(resourceTypes = "MyProject/api/pdf", methods = HttpConstants.METHOD_POST, selectors = "pdfService", extensions = "html")
Create /etc/apis/pdf with sling:resourceType MyProject/api/pdf
Set ACLs on /etc/apis/pdf to be deny all , allow jcr:read Group X
Then you can invoke it via HTTP POST /etc/apis/pdf.pdfservice.html
You'll likely have to open a hole in dispatcher to let that through publish.
thanks for your response, it helps.
Two more things are 1) Maven Project Deployment. How can we automate this node (/etc/apis/pdf ) inclusion in the maven project for different AEM Env.?
2) Since on publish /content/MyProject will have everyone read so was wondering if we create this node under /etc, on AEM upgrade will it override or any Service Pack/ hotfix will overwrite /etc node?
Pls let me know your thoughts? Similar thread is there - https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-configure-a-servlet... but they do not talk about publish read only angle.
Views
Likes
Replies
Views
Likes
Replies
Views
Likes
Replies