
SOLVED

AEM 6.1 anonymous read access to /etc was removed. How to handle this?


Level 2

There's code like this in my project to read some configuration from /etc/my-config-path:

Resource res = resource.getResourceResolver().getResource("/etc/my-config-path");

On AEM 5.6.1 it works correctly since anonymous user has access to entire /etc. On AEM 6.1 res is null since anonymous user has no access to /etc.

I can see two possible solutions:

  1. Give anonymous user read permission to /etc/my-config-path explicitly
  2. Use repository.loginAdministrative(null); to access the resource with admin permissions (but I see some people not recommending this approach on AEM 6.1).

What are your thoughts on this?

1 Accepted Solution


Correct answer by
Administrator

In AEM 6.1, service users must be system users, which effectively means that their node in the JCR is of type rep:SystemUser. These users cannot be used to log in normally, only by background processes. The admin user is not a system user, so you cannot use the admin user in a service user mapping like this. You have to create a new system user and assign them the appropriate permissions.

Solution can be found out here:

Link:- http://stackoverflow.com/questions/31350548/resourceresolverfactory-getserviceresourceresolver-throw...

//

Goal: To write data/nodes to content (specifically to /etc/userdata) when a user logs in.

We can achieve this in 2 ways (either way, the user needs to be a 'system user')

Process 1:

Step 1: Use in-built system user in OSGI configuration. In OSGI select Apache Sling Service User Mapper Service

group.abc.commons-service:writeService=oauthservice (where 'oauthservice' is a system user)

Step 2: Assign that system user the permissions to access the content folder.


You see the system users in CRX at: /home/users/system

Process 2:

Step 1: Create a new system user. To do this:

Open http://localhost:4502/crx/explorer/index.jsp

Login as admin > Open 'User Administration' > Select 'Create System User' > Enter "user id" > Hit the Green button (you will not see a save button :)

I have created "abcwriteservice" user

Step 2: Go to Permissions, and for the user 'abcwriteservice' give Permissions to access the folder where you'd like to write. (In this example: /etc/userdata )

Step 3: Open OSGI console and go to "Apache Sling Service User Mapper Service" to define the service-user mapping. For example: 'group.commons-service:writeService=abcwriteservice'


Step 4: In code, I added an extra parameter, as:

Map<String, Object> param = new HashMap<String, Object>();
param.put(ResourceResolverFactory.SUBSERVICE, "writeService");
try {
    resourceResolverWriter = factory.getServiceResourceResolver(param);
    if (resourceResolverWriter == null)
        throw new Exception("Could not obtain a CRX User for the Service:'writeService'");
    Node usersRootNode = adminSession.getNode("/etc/userdata/users");

I hope this will help you.

Thanks and Regards

Kautuk Sahni 
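Applied to the read-only case in the question, as an added example that is not part of the original answer: a component that reads /etc/my-config-path through a service resolver instead of an anonymous or administrative session. The sub-service name `configReader`, the class and package names and the logging are assumptions; it presumes a Service User Mapper entry of the form `<bundle symbolic name>:configReader=<system user>` and read permission for that system user on the path only.

```java
package com.example.aem; // hypothetical package

import java.util.Collections;
import java.util.Map;

import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.resource.ResourceUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component
@Service(ConfigReader.class)
public class ConfigReader {
    private static final Logger LOG = LoggerFactory.getLogger(ConfigReader.class);
    private static final String CONFIG_PATH = "/etc/my-config-path"; // path from the question
    private static final String SUBSERVICE = "configReader";          // assumed sub-service name

    @Reference
    private ResourceResolverFactory factory;

    /** Returns the property value, or null when the mapping, the ACL or the node is missing. */
    public String read(String property) {
        Map<String, Object> auth = Collections.<String, Object>singletonMap(
                ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        ResourceResolver resolver = null;
        try {
            // Logs in as the system user mapped to <bundle>:configReader, not as admin.
            resolver = factory.getServiceResourceResolver(auth);
            Resource res = resolver.getResource(CONFIG_PATH);
            if (res == null) { // same symptom as in the question: no read access, or no node
                LOG.warn("{} is not readable by the mapped service user", CONFIG_PATH);
                return null;
            }
            return ResourceUtil.getValueMap(res).get(property, String.class);
        } catch (LoginException e) { // no mapping, or the mapped user is not a system user
            LOG.error("No service user for sub-service '{}'", SUBSERVICE, e);
            return null;
        } finally {
            if (resolver != null) resolver.close(); // service resolvers must always be closed
        }
    }
}
```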




3 Replies


Level 10

In AEM 6.1 - you need to create a system user to access parts of the JCR. Then you give that system user rights to the JCR. Then you need to use Sling Mapping functionality to map the system user. To see all of this in a step-by-step article - including how to create a system user and how to perform sling mapping - see this article:

Querying Adobe Experience Manager 6 data using the Sling getServiceResourceResolver method

Hope this helps 

If you need to see this in a connect session - let me know. 


Employee Advisor

Hi,

What kind of information do you store there? If your business logic requires read access to /etc/<yourpath>, then grant read access to it. Like some paths below /etc are readable to anonymous. Hiding it behind a service-user makes it more complicated, but doesn't improve security.

kind regards,
Jörg
