Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

Change user session for Anonymous URLs

Avatar

Level 2

Hi Experts,

 

Is it not possible to intercept a URL ( that is whitelisted for anonymous usage through "Apache Sling Authentication Service" configuration ) in AEM's Sling Filter and change it's User session ?

 

I'm trying to implement it with HttpServletRequestWrapper by adding a valid basic authorization token to request header. But, as I do requestWrapper.getUserPrincipal().getName().toString(), is still returning "anonymous" user. Any idea?

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

Hi,

Is my understanding correct that based on certain criteria you want to switch an anonymous session into an authenticated session of a different user?

Technically it should be possible (wrap the HttpRequest and inject a different session), but that's a lot of of work to make it right in all circumstances.

 

What do you want to achieve with that? I am quite sure that there might be a simpler way to solve your requirement.

 

Jörg

View solution in original post

3 Replies

Avatar

Correct answer by
Employee Advisor

Hi,

Is my understanding correct that based on certain criteria you want to switch an anonymous session into an authenticated session of a different user?

Technically it should be possible (wrap the HttpRequest and inject a different session), but that's a lot of of work to make it right in all circumstances.

 

What do you want to achieve with that? I am quite sure that there might be a simpler way to solve your requirement.

 

Jörg

Avatar

Level 2
Hi Jörg, yes, you are right. I want an external system to access /bin/querybuilder.json, but since it is an authenticated service, I've taken an approach to creating an anonymous servlet that acts like a controller that collects request, check the header for token, authorize against an external OAuth server and if successful, want to create a system user session and pass it to the Querybuilder API using sling's org.apache.sling.engine.SlingRequestProcessor. Please suggest any better approach.

Avatar

Employee Advisor
Hm, that sounds quite problematic, because you need to proxy a request. If you are familiar with the QueryBuilder java API, you could write your own servlet, which checks against the external system and then uses the QueryBuilder API directly. You don't start a new HTTP request, but instead approach the API directly. And then you can also pass a different JCR session than the session the user is using; for example you can use a JCR system user.