SOLVED

Change user session for Anonymous URLs

bsr78033597
Level 2

Hi Experts,

Is it not possible to intercept a URL (that is whitelisted for anonymous usage through the "Apache Sling Authentication Service" configuration) in AEM's Sling Filter and change its user session?

I'm trying to implement it with HttpServletRequestWrapper by adding a valid basic authorization token to the request header. But when I call requestWrapper.getUserPrincipal().getName().toString(), it still returns the "anonymous" user. Any idea?

AEM session
1 Accepted Solution
Jörg_Hoh
Correct answer by
Employee

Hi,

Is my understanding correct that based on certain criteria you want to switch an anonymous session into an authenticated session of a different user?

Technically it should be possible (wrap the HttpRequest and inject a different session), but that's a lot of work to make it right in all circumstances.

What do you want to achieve with that? I am quite sure that there might be a simpler way to solve your requirement.

Jörg

3 Replies
bsr78033597
Level 2

Hi Jörg, yes, you are right. I want an external system to access /bin/querybuilder.json, but since it is an authenticated service, I've taken the approach of creating an anonymous servlet that acts like a controller: it collects the request, checks the header for a token, authorizes against an external OAuth server and, if successful, I want to create a system user session and pass it to the QueryBuilder API using Sling's org.apache.sling.engine.SlingRequestProcessor. Please suggest any better approach.
Jörg_Hoh
Employee

Hm, that sounds quite problematic, because you need to proxy a request. If you are familiar with the QueryBuilder Java API, you could write your own servlet, which checks against the external system and then uses the QueryBuilder API directly. You don't start a new HTTP request, but instead approach the API directly. And then you can also pass a different JCR session than the session the user is using; for example, you can use a JCR system user.