SOLVED

AssetManager doesn't respect JCR permissions?


Level 8

I'm writing a servlet to take a file and store it into the DAM and perform some processing.  I've set up permissions on a folder in the DAM to deny modify, create and delete access for the "author" user.  When I use Postman to submit the file, I send across the author authentication - but the file still gets written to the DAM.

Does the AssetManager ignore JCR permissions?  Are we supposed to manually check if the user has access to write to a specific location?

1 Accepted Solution


Correct answer by
Level 10

leeasling wrote...

Sham - any way you would be able to verify this?  I'm still seeing that JCR permissions are not being recognized by this in AEM 6.

 

The program looks OK and AssetManager is respecting JCR permissions, as you can see in [1], when I used the session of a user who did not have permission. The only problem in your code is that, whether it is a success or a failure, you are displaying that the file uploaded fine. Handle the exception correctly and check the ACL in your useradmin, especially for the group the user belongs to.

[1]

21.08.2014 11:44:31.022 *ERROR* [0:0:0:0:0:0:0:1%0 [1408635871017] POST /bin/submitFile HTTP/1.1] com.day.cq.dam.api.AssetManager createAsset: asset error while creating asset [/content/dam/test/test.txt]: 
com.adobe.granite.asset.api.AssetException: Failed to create Asset at path [ /content/dam/test/test.txt ]
    at com.adobe.granite.asset.core.impl.AssetManagerImpl.createAsset(AssetManagerImpl.java:69)
    at com.day.cq.dam.core.impl.AssetManagerImpl.createAsset(AssetManagerImpl.java:252)
    at com.test.services.osgi.servlets.TestServlet.writeToDam(TestServlet.java:67)
    at com.test.services.osgi.servlets.TestServlet.doPost(TestServlet.java:48)
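
One way to apply the advice above so that a denied write is reported to the client instead of a success message (an added example, not code from this thread). The class name, servlet path and the `file` form field are hypothetical, the explicit `hasPermission` pre-check is optional and only there to return a distinct 403, and the null check assumes `createAsset` may log the failure and return null rather than throw.

```java
// Added example: hypothetical servlet, not the original poster's code.
package com.example.servlets;
import java.io.IOException;
import java.io.InputStream;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.request.RequestParameter;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import com.day.cq.dam.api.Asset;
import com.day.cq.dam.api.AssetManager;

@SlingServlet(paths = "/bin/submitFileChecked", methods = "POST")
public class CheckedUploadServlet extends SlingAllMethodsServlet {
    private static final String TARGET_FOLDER = "/content/dam/test";
    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        RequestParameter file = request.getRequestParameter("file"); // assumed form field name
        if (file == null || file.isFormField() || file.getFileName() == null) {
            response.sendError(SlingHttpServletResponse.SC_BAD_REQUEST, "No file part");
            return;
        }
        // Resolver of the authenticated caller, never an administrative one.
        ResourceResolver resolver = request.getResourceResolver();
        String path = TARGET_FOLDER + "/" + file.getFileName();
        try (InputStream in = file.getInputStream()) {
            Session session = resolver.adaptTo(Session.class);
            // Explicit ACL check so a denial is reported as 403 rather than a generic failure.
            if (session == null || !session.hasPermission(path, Session.ACTION_ADD_NODE)) {
                response.sendError(SlingHttpServletResponse.SC_FORBIDDEN, "Not allowed to write to " + TARGET_FOLDER);
                return;
            }
            Asset asset = resolver.adaptTo(AssetManager.class)
                    .createAsset(path, in, file.getContentType(), true);
            if (asset == null) { // assumption: failure may surface as null instead of an exception
                response.sendError(SlingHttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Asset not created");
                return;
            }
            response.getWriter().println("Stored at " + asset.getPath());
        } catch (RepositoryException | RuntimeException e) {
            log("Upload failed for user " + resolver.getUserID(), e);
            response.sendError(SlingHttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Upload failed");
        }
    }
}
```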
    
    
    


4 Replies


Level 10

You do not have to check permissions; if permission is denied, an exception will be thrown.  All you need to make sure is that in the custom servlet you use the user session and not the admin one.  If you are using the user session, can you post the complete code for review?


Level 8

We are using the user session, not an administrative session.  The code is attached.

```java
package com.test.services.osgi.servlets;

import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.rmi.ServerException;

import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.request.RequestParameter;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.jcr.Session;

import com.day.cq.dam.api.AssetManager;

@SlingServlet(
        paths = "/bin/submitFile",
        methods = "POST",
        metatype = true,
        name = "com.test.services.osgi.servlets.TestServlet"
)
public class TestServlet extends SlingAllMethodsServlet {

    private static final long serialVersionUID = -1L;
    private static final Logger logger = LoggerFactory.getLogger(TestServlet.class);

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServerException, IOException {
        try {
            final boolean isMultipart = ServletFileUpload.isMultipartContent(request);
            PrintWriter out = null;
            out = response.getWriter();

            if (isMultipart) {
                final java.util.Map<String, RequestParameter[]> params = request.getRequestParameterMap();
                for (final java.util.Map.Entry<String, RequestParameter[]> pairs : params.entrySet()) {
                    final org.apache.sling.api.request.RequestParameter[] pArr = pairs.getValue();
                    final org.apache.sling.api.request.RequestParameter param = pArr[0];
                    final InputStream stream = param.getInputStream();

                    Session session = request.getResourceResolver().adaptTo(Session.class);

                    // Save the uploaded file into the Adobe CQ DAM
                    out.println("The Sling Servlet placed the uploaded file here: "
                            + writeToDam(request.getResourceResolver(), stream, param.getFileName(),
                                    request.getContentType()));
                }
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // Save the uploaded file into the AEM DAM using AssetManager API
    private String writeToDam(ResourceResolver resourceResolver, InputStream is, String fileName,
            String contentType) {
        try {
            // Use AssetManager to place the file into the AEM DAM
            com.day.cq.dam.api.AssetManager assetMgr = resourceResolver.adaptTo(AssetManager.class);
            String newFile = "/content/dam/test/" + fileName;
            assetMgr.createAsset(newFile, is, contentType, true);

            // Return the path to the file was stored
            return newFile;
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }
}
```


Level 8

Sham - any way you would be able to verify this?  I'm still seeing that JCR permissions are not being recognized by this in AEM 6.
