SOLVED

How to authenticate a Sling ResourceType-based servlet on publish?

Level 4

Hello Experts,

I have written a Sling servlet (ResourceType) as per Adobe guidelines, and this servlet is being exposed as a REST API. The question is how to protect/authenticate it on the Publish instance:

On Publish everyone has read access, and the resource type is pointing to /content/, which has read access for everyone?

@SlingServletResourceTypes(resourceTypes = "MyProject/components/page", methods = HttpConstants.METHOD_POST, selectors = "pdfService", extensions = "html")

Should I move this resource type node to /etc and restrict access on the Publish instance? Please guide how to handle a resource type servlet exposed as a REST API on the Publish instance. Thanks.


4 Replies

Employee

You will want to place ACLs on the resource that has that resource type (MyProject/components/page) -- so if you only want users in Group X to access this servlet, then deny jcr:read all on the node, and then allow jcr:read for Group X on that node.

Level 4

Thanks for taking the time to respond. Here is a follow-up question:

>> so if you only want users in Group X to access this servlet, then deny jcr:read all on the node, and then allow jcr:read for Group X on that

Please note this is a Publish instance and the everyone (default) group has read access on all of /content/MyProject/*, so this will impact overall permissions on this tree. So is there any other scenario we can consider, like moving this node under /etc, as it has default deny on publish?

Correct answer by
Employee

Yes - you can make the node with the sling:resourceType under /etc, /content (or even /apps, I think?). I would change the resource type though, since "MyProject/components/page" very much sounds like the resource is an AEM Page rather than a controlled API endpoint.

 

So maybe you declare:

@SlingServletResourceTypes(resourceTypes = "MyProject/api/pdf", methods = HttpConstants.METHOD_POST, selectors = "pdfService", extensions = "html")

Create /etc/apis/pdf with sling:resourceType MyProject/api/pdf

Set ACLs on /etc/apis/pdf to be: deny all, allow jcr:read for Group X

Then you can invoke it via HTTP POST /etc/apis/pdf.pdfservice.html

You'll likely have to open a hole in the dispatcher to let that through on publish.

Level 4

Thanks for your response, it helps.

Two more things: 1) Maven project deployment. How can we automate the inclusion of this node (/etc/apis/pdf) in the Maven project for different AEM environments?

2) Since on publish /content/MyProject will have everyone read, I was wondering: if we create this node under /etc, will an AEM upgrade override it, or will any Service Pack/hotfix overwrite the /etc node?

Please let me know your thoughts. A similar thread is here - https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/how-to-configure-a-servlet... but they do not talk about the publish read-only angle.
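The node-plus-ACL setup from the accepted answer (create /etc/apis/pdf with the API resource type, deny everyone, allow jcr:read for the API group), written as a Sling repoinit script. This is an added example, not code from the thread or from Adobe; it also addresses the follow-up about shipping the node with a Maven project, since repoinit scripts are deployed as OSGi configuration rather than as content packages. The group name group-x and the path /etc/apis/pdf are assumptions taken from the answer's "Group X" placeholder.

```repoinit
# Added example (not from the thread). Creates the endpoint node and locks it down.
# /etc/apis and /etc/apis/pdf are created as sling:Folder if missing.
create path (sling:Folder) /etc/apis/pdf

# Point the node at the dedicated API resource type, not at a page component,
# so that a POST here resolves to the servlet and nowhere else.
set properties on /etc/apis/pdf
  set sling:resourceType{String} to "MyProject/api/pdf"
end

# group-x is a placeholder for the answer's "Group X"; the script assumes it
# is provisioned here (remove this line if the group is managed elsewhere).
create group group-x

# Deny everyone first, then allow the API group. Members of group-x are also
# in everyone, so the allow must be listed after the deny to take precedence.
set ACL on /etc/apis/pdf
  deny jcr:all for everyone
  allow jcr:read for group-x
end
```

The script is applied through a factory configuration of org.apache.sling.jcr.repoinit.RepositoryInitializer (its scripts property carries the text), so it can live in the project's OSGi config folder and be varied per environment run mode like any other config; because it is not content, a content package or service pack that touches /etc does not replace it, and the repository initializer re-applies it on every start. With jcr:read denied for everyone, an anonymous POST to /etc/apis/pdf.pdfService.html gets a 404/403 from Sling before the servlet runs, which is the check to verify on publish after deployment. The dispatcher allow rule mentioned in the answer should be scoped to that exact method, path and selector rather than a wildcard under /etc.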