AEM Bundle Whitelisting

Jai1122

11-02-2021

Hi Experts,

We are using AEM 6.4.5 and working on a custom authentication handler. Eventually the handler will invoke TokenUtil, something like:

    TokenUtil.createCredentials(request, response, this.repository, userId, true);

Internally TokenUtil does the following:

    repository.loginAdministrative((String)null);

This means we need to whitelist the bundle. However, Adobe has recommended that whitelisting is not a good idea and is definitely not advisable for production instances. I could see this question already asked for AEM 6.3.


I am not really certain if I should do the whitelisting or what is the way forward. Kindly advise.


Regards,

Jai


Accepted Solutions (1)

Umesh_Thakur

11-02-2021

There was always a flaw in the design that was getting an admin session and using it, and it was also violating the principle of least privilege. That is why Adobe is recommending not to use the admin session and not to whitelist a bundle that is obtaining the admin session from SlingRepository.loginAdministrative().

So the only solution for this is to go with the Service User approach.

Details can be found here https://experienceleague.adobe.com/docs/experience-manager-64/administering/security/security-servic...


But still, if you want to whitelist the bundle, you can do so with the Apache Sling Login Admin Whitelist config from the config manager.

Hope this helps.

Umesh Thakur
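An added example of the Service User approach recommended above, not code from this thread or from Adobe: the handler bundle obtains its own repository session through SlingRepository.loginService() with a sub-service name mapped to a system user, instead of loginAdministrative(). The component name, the sub-service name "token-service" and the mapping line shown in the comment are assumptions for illustration.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.sling.jcr.api.SlingRepository;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

// Illustrative component (assumed name): opens a least-privilege session as a
// mapped service user rather than an admin session.
@Component(service = ServiceUserSessionExample.class)
public class ServiceUserSessionExample {

    // Sub-service name (assumed). It must match a Service User Mapper entry of the form
    //   user.mapping=["<bundle-symbolic-name>:token-service=<system-user-id>"]
    // in an org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-* config,
    // and the system user only needs the ACLs the handler actually uses.
    static final String SUBSERVICE = "token-service";

    @Reference
    private SlingRepository repository;

    // Resolves the calling bundle plus sub-service name to the mapped system user.
    // No Login Admin Whitelist entry is needed for this call.
    public Session openServiceSession() throws RepositoryException {
        return repository.loginService(SUBSERVICE, null);
    }

    // Example use: check a path with the service session and always log out,
    // so the service user's privileges are not held longer than needed.
    public boolean nodeExists(String path) throws RepositoryException {
        Session session = openServiceSession();
        try {
            return session.nodeExists(path);
        } finally {
            session.logout();
        }
    }
}
```

This covers the handler's own repository access; as noted later in the thread, the loginAdministrative() call made inside TokenUtil itself is not changed by it.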


Answers (1)

Jörg_Hoh

12-02-2021

If that method is doing it internally, whitelist your application bundle. There is no other way to do it, unless you avoid creating that method.