Expand my Community achievements bar.

Adobe Summit 2025: AEM Session Recordings Are Live! Missed a session or want to revisit your favorites? Watch the latest recordings now.
Watch Now!

Mark Solution

This conversation has been locked due to inactivity. Please create a new post.

SOLVED

AEM Bundle Whitelisting

Avatar

Level 5
Level 5
2/11/21 3:06:53 AM

Hi Experts,

  We are using AEM 6.4.5 and working on a custom authentication handler. Eventually the handler will invoke TokenUtil, something like.

TokenUtil.createCredentials(request, response, this.repository, userId, true);

Internally TokenUtil does the following,

repository.loginAdministrative((String)null);

 Meaning we need to whitelist the bundle.  However, Adobe has recommended that whitelisting is not a good idea and definitely  not advisable for production instances. I could see this question already asked for AEM6_3

 

I am not really certain if I should do the whitelisting or what is the way forward. Kindly advise.

 

Regards,

Jai

 

Views

1.0K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
2/11/21 8:55:30 PM

There were always a flaw in the design that was getting Admin session and using and it was also violating the principle of least privileges that is why adobe is recommending not to use admin session and not to whitelist the bundle that is using admin session from SlingRepository.loginAdministrative().

so Solution of this is only to go with Service User approach.

Details can be found here https://experienceleague.adobe.com/docs/experience-manager-64/administering/security/security-servic...

 

but still if you what to whitelist the bundle you can do with Apache Sling Login Admin whitelist config from config manager.

 

Hope this will help.

Umesh Thakur

 

View solution in original post

Views

981

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
2 Replies

Avatar

Correct answer by
Community Advisor
Community Advisor
2/11/21 8:55:30 PM

There were always a flaw in the design that was getting Admin session and using and it was also violating the principle of least privileges that is why adobe is recommending not to use admin session and not to whitelist the bundle that is using admin session from SlingRepository.loginAdministrative().

so Solution of this is only to go with Service User approach.

Details can be found here https://experienceleague.adobe.com/docs/experience-manager-64/administering/security/security-servic...

 

but still if you what to whitelist the bundle you can do with Apache Sling Login Admin whitelist config from config manager.

 

Hope this will help.

Umesh Thakur

 

Views

982

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Employee Advisor
Employee Advisor
2/12/21 8:20:44 AM

If that method is doing it internally, whitelist your application bundle. There is no other way to do it, except you avoid creating that method.

Views

996

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
After Installing AEM Service pack 22, Imported Package not resolved for AEM UI WCM Admin Bundle(com.adobe.cq.ui.admin) Solved

Views

119

Likes

0

Replies

3
AEM 6.5 Dynamic Media Videos [How to play video, thubnail, looping and renditions]

Views

69

Likes

0

Replies

1
Enable "Export to Metadata" for individual assets in AEM

Views

88

Likes

0

Replies

1
Attempting To Create AEM Folder Gives 409

Views

194

Likes

0

Replies

7
Custom Error Pages Dispatcher AEM as Cloude Service PassThrough not working

Views

133

Likes

0

Replies

2