Expand my Community achievements bar.

deploying custom scope

Avatar

Level 4

how to deploy custom scope in AEM 

by default AEM 6.5 provides profile , offline and replicate scopes

8 Replies

Avatar

Community Advisor

Hi @sriram_1 ,

May I know what do you mean by custom scope? - is it OAuth Scopes? If yes please refer to this: https://experienceleague.adobe.com/docs/experience-manager-learn/foundation/authentication/oauth-cod...

Appreciate If you elaborate more of your question for better understanding, if I misunderstood. 

Regards,

Santosh

Avatar

Level 4

Hi Santosh thanks for the quick response,

we are working in a project where we need to fetch/crawl data from AEM.

as part of project we want to implement server to server authentication mechanism could you provide me some inputs on how to achieve this.

 

I am referring into this doc for authentication:

https://medium.com/tech-learnings/how-to-manage-the-protected-aem-resources-through-oauth-2-0-851ce4... 

 

Thanks

Sriram

Avatar

Level 4

Hi @SantoshSai 

yes it is Oauth scope.

 

below is the code for custom scope as mentioned in the above link provided by you

 

package com.adobe.acs.samples.authentication.oauth.impl;

import com.adobe.granite.oauth.server.Scope;
import com.adobe.granite.oauth.server.ScopeWithPrivileges;
import org.apache.jackrabbit.api.security.user.User;
import org.osgi.service.component.annotations.Component;

import javax.servlet.http.HttpServletRequest;

/**
 * OAuth Scope support was introduced in AEM 6.3
 */
@Component(
        service = Scope.class
)
// This class must implement ScopeWithPrivileges, but it must register as an OSGi Service against Scope.class
public class SampleScopeWithPrivileges implements ScopeWithPrivileges {
    public static final String WRITE_DAM_SCOPE_NAME = "vendor-x__write-dam";
    public static final String BASE_PATH = "/content/dam";

    /**
     * Informational purposes only
     **/
    public String getDescription(HttpServletRequest request) {
        return "Write access to AEM Assets";
    }

    /**
     * return the unique Scope name. This value must be unique across all scope implementations.
     **/
    public String getName() {
        // If there is overlay in Scope's w the same `getName()` value, one of the named scopes will be selected at random for use (based on Service registration order).
        // If a scope is being provided as a 3rd party package, it is good to ensure the scope name has some low-likelihood collision name:
        // * For example: "vendor-x__dam_write"
        return WRITE_DAM_SCOPE_NAME;
    }

    /**
     * @param user The authenticated "AEM user" being asked to authorise the scope.
     *             return the JCR path these privileges provided by `getPrivileges()`.
     **/
    public String getResourcePath(User user) {
        // While the User is provided; it is atypical to derive the path based on the user.
        // Assuming a low number of path/privilege permutation is its usually better create multiple scopes for each user-type/path combination.

        // A use case for having the user drive the result of getResourcePath, is for a scope that provides access to the authorizing user's rep:User/profile node.
        return BASE_PATH;
    }

    /**
     * If the scope is associated with one specific endpoint return the URI to the endpoint. Otherwise return null.
     **/
    public String getEndpoint() {
        // Return null
        return null;
    }

    /**
     * - JCR Privileges: http://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConstants.html
     * - JCR Privilege Mapping: https://jackrabbit.apache.org/oak/docs/security/privilege/mappingtoitems.html
     * - AEM Privileges: cq:storeUGC, crx:replicate
     * - Custom privileges also supported (though these are rare)
     **/
    private static final String[] privileges = {
            "crx:replicate",
            "jcr:lockManagement",
            "jcr:versionManagement",
            "rep:write"
    };

    /**
     * return the privileges to be applied to the path returned by `getResource(...)`. Note these will supersede any JCR-based ACLs.
     **/
    public String[] getPrivileges() {
        return privileges;
    }
}

 

 

 

could you please elaborate me on : // This class must implement ScopeWithPrivileges, but it must register as an OSGi Service against Scope.class

 

Thank you 

Avatar

Community Advisor

@sriram_1 

Yes ScopeWithPrivileges is interface and which extends Scope interface for scopes that define required privileges on their content paths.

API Documentation: https://developer.adobe.com/experience-manager/reference-materials/6-5/javadoc/com/adobe/granite/oau...

 

Avatar

Level 4

yes, but how to egister as an OSGi Service against Scope.class and how to implement the same

 

 

Thanks,

Sriram