I am using AEM 6.5 and am currently implementing a POST form for an anonymous user who needs to upload an image to the AEM publisher under a certain content DAM path, say (/contet/dam/project/uploadimage/*), which later will be pushed to the author and replicated back to all the AEM publishers so that all the publishers are in sync.
Here I wanted to know what best practice we could follow:
1> Should I create a system user, give it permission to write only under (/contet/dam/project/uploadimage/*), and create a servlet?
When the anonymous user hits the servlet, I will reference the system user, get the system user, upload the image to (/contet/dam/project/uploadimage/*), and finally log out the system user at the end of servlet processing.
In this way, if the anonymous user is a bot or hacker, this will not allow the anonymous user to traverse through node paths for which the anonymous user has access.
2> Or is it fine to just use the anonymous user's access and upload the image to (/contet/dam/project/uploadimage/*)?
Note: here the anonymous user may have access to read or write based on other modules we could have written.
Assuming that the form submission frequency is low, your solution would be acceptable, where you create a servlet and configure a system user for the WRITE methods. From there your publisher will trigger the reverse replication back to the author, and then the author will replicate it back to the publishers. Please keep in mind that if you have a lot of requests, your publisher can be stalled, causing your AEM web pages to render the HTML files slower than usual (if not already cached).
If you have a very high-frequency website, some other ways are:
Create a new AEM publisher server which will be used solely for servlet processing (such as your form upload functionality). The servlet and system user will be executable from this AEM-specific instance (it can be routed from Apache configs); therefore even if you had a large number of form requests pinging this specific AEM environment, your other AEM publishers that are used to serve pages will not be affected. Don't forget to set up a reverse replication agent here.
Create a microservice which programmatically accesses the AEM JCR, in particular the "author", which then will trigger either an AEM event or a workflow for replication, keeping some kind of throttle behaviour so that the microservice can queue requests to minimize the impact on the author.
How could the system user take control of the request in the servlet and all other processing in the servlet?
I need to get request details like request.getParameter("urlparam");
How do I convert all this to be based on the system user mentioned below?
// The map must name the subservice that a Service User Mapper entry binds to the system user
Map<String, Object> authInfoParam = new HashMap<>();
authInfoParam.put(ResourceResolverFactory.SUBSERVICE, "uploadimage"); // subservice name is a placeholder
ResourceResolver resourceResolver = resourceResolverFactory.getServiceResourceResolver(authInfoParam);
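The servlet-plus-system-user design from the answer above, written out as an added example (not code from the thread or from Adobe): the anonymous request is only parsed and validated, while the DAM write happens through a service resource resolver whose subservice name is mapped to a system user that holds write permission only below the upload folder. The servlet path, the subservice name "uploadimage", the system user name, the DAM folder /content/dam/project/uploadimage/ and the 5 MB limit are all assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.UUID;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.request.RequestParameter;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import com.day.cq.dam.api.AssetManager;

@Component(service = Servlet.class, property = { "sling.servlet.methods=POST",
        "sling.servlet.paths=/bin/project/uploadimage" }) // servlet path is a placeholder
public class UploadImageServlet extends SlingAllMethodsServlet {
    // A Service User Mapper entry such as "<bundle-symbolic-name>:uploadimage=project-upload-service"
    // binds this subservice to a system user with jcr:write only below DAM_FOLDER (placeholder names).
    private static final String SUBSERVICE = "uploadimage";
    private static final String DAM_FOLDER = "/content/dam/project/uploadimage/";
    private static final long MAX_BYTES = 5L * 1024 * 1024;

    @Reference private ResourceResolverFactory resolverFactory;

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        // The anonymous request is parsed here but not trusted: size and declared type are
        // checked, and the client-supplied file name never becomes part of the JCR path.
        RequestParameter file = request.getRequestParameter("image");
        String type = file == null ? null : file.getContentType();
        boolean isImage = "image/jpeg".equals(type) || "image/png".equals(type);
        if (file == null || file.isFormField() || !isImage || file.getSize() > MAX_BYTES) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String assetPath = DAM_FOLDER + UUID.randomUUID() + ("image/png".equals(type) ? ".png" : ".jpg");
        // The write runs as the scoped system user; try-with-resources closes the resolver
        try (ResourceResolver resolver = resolverFactory.getServiceResourceResolver(
                java.util.Collections.singletonMap(ResourceResolverFactory.SUBSERVICE, SUBSERVICE));
             InputStream in = file.getInputStream()) {
            resolver.adaptTo(AssetManager.class).createAsset(assetPath, in, type, true);
            response.setStatus(HttpServletResponse.SC_CREATED);
            response.getWriter().write(assetPath);
        } catch (LoginException e) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }
}
```

The declared content type is still client-supplied, so a production servlet should also inspect the image bytes; the publish-side reverse replication agent, not this code, carries the asset back to the author.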