deploying custom scope

Level 3

How to deploy a custom scope in AEM?

By default AEM 6.5 provides profile, offline and replicate scopes.

7 Replies

Community Advisor

Hi @sriram_1 ,

May I know what you mean by custom scope? Is it OAuth scopes? If yes, please refer to this: https://experienceleague.adobe.com/docs/experience-manager-learn/foundation/authentication/oauth-cod...

If I misunderstood, I would appreciate it if you could elaborate on your question for better understanding.

Regards,

Santosh

Level 3

Hi Santosh, thanks for the quick response.

We are working on a project where we need to fetch/crawl data from AEM.

As part of the project we want to implement a server-to-server authentication mechanism. Could you provide me some inputs on how to achieve this?

I am referring to this doc for authentication:

https://medium.com/tech-learnings/how-to-manage-the-protected-aem-resources-through-oauth-2-0-851ce4... 

Thanks

Sriram

Level 3

Hi @SantoshSai,

Yes, it is an OAuth scope.

Below is the code for the custom scope, as mentioned in the link you provided:

package com.adobe.acs.samples.authentication.oauth.impl;

import com.adobe.granite.oauth.server.Scope;
import com.adobe.granite.oauth.server.ScopeWithPrivileges;
import org.apache.jackrabbit.api.security.user.User;
import org.osgi.service.component.annotations.Component;

import javax.servlet.http.HttpServletRequest;

/**
 * OAuth Scope support was introduced in AEM 6.3
 */
@Component(
        service = Scope.class
)
// This class must implement ScopeWithPrivileges, but it must register as an OSGi Service against Scope.class
public class SampleScopeWithPrivileges implements ScopeWithPrivileges {
    public static final String WRITE_DAM_SCOPE_NAME = "vendor-x__write-dam";
    public static final String BASE_PATH = "/content/dam";

    /**
     * Informational purposes only
     **/
    @Override
    public String getDescription(HttpServletRequest request) {
        return "Write access to AEM Assets";
    }

    /**
     * Return the unique Scope name. This value must be unique across all scope implementations.
     **/
    @Override
    public String getName() {
        // If several Scopes register with the same `getName()` value, one of them will be selected at random for use (based on Service registration order).
        // If a scope is being provided as a 3rd party package, it is good to give the scope a name with a low likelihood of collision:
        // * For example: "vendor-x__dam_write"
        return WRITE_DAM_SCOPE_NAME;
    }

    /**
     * @param user The authenticated "AEM user" being asked to authorise the scope.
     * @return the JCR path to which the privileges provided by `getPrivileges()` apply.
     **/
    @Override
    public String getResourcePath(User user) {
        // Although the User is provided, it is atypical to derive the path from the user.
        // Assuming a small number of path/privilege permutations, it is usually better to create one scope per user-type/path combination.

        // A use case for having the user drive the result of getResourcePath is a scope that provides access to the authorizing user's rep:User/profile node.
        return BASE_PATH;
    }

    /**
     * If the scope is associated with one specific endpoint, return the URI to the endpoint. Otherwise return null.
     **/
    @Override
    public String getEndpoint() {
        // Not tied to a single endpoint
        return null;
    }

    /**
     * - JCR Privileges: http://jackrabbit.apache.org/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConstants.html
     * - JCR Privilege Mapping: https://jackrabbit.apache.org/oak/docs/security/privilege/mappingtoitems.html
     * - AEM Privileges: cq:storeUGC, crx:replicate
     * - Custom privileges are also supported (though these are rare)
     **/
    private static final String[] privileges = {
            "crx:replicate",
            "jcr:lockManagement",
            "jcr:versionManagement",
            "rep:write"
    };

    /**
     * Return the privileges to be applied to the path returned by `getResourcePath(...)`. Note these will supersede any JCR-based ACLs.
     **/
    @Override
    public String[] getPrivileges() {
        return privileges;
    }
}

Could you please elaborate on this line: // This class must implement ScopeWithPrivileges, but it must register as an OSGi Service against Scope.class

Thank you

Community Advisor

@sriram_1 

Yes, ScopeWithPrivileges is an interface which extends the Scope interface, for scopes that define required privileges on their content paths.

API Documentation: https://developer.adobe.com/experience-manager/reference-materials/6-5/javadoc/com/adobe/granite/oau...

Level 3

Yes, but how do I register it as an OSGi service against Scope.class, and how do I implement the same?

Thanks,

Sriram
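The question of how the registration against Scope.class works, and what the implementation looks like for the read-only crawler use case described earlier in the thread, is answered by the following example. This is an added illustration, not code from the thread, from the ACS samples, or from Adobe; the package name, scope name and content path are assumptions chosen for the example, and it is written against the com.adobe.granite.oauth.server API that the posted sample already uses (compile it against the AEM 6.5 uber-jar or SDK, which is assumed to be on the build path):

```java
package com.example.aem.oauth.impl; // assumed package name for this example

import com.adobe.granite.oauth.server.Scope;
import com.adobe.granite.oauth.server.ScopeWithPrivileges;
import org.apache.jackrabbit.api.security.user.User;
import org.osgi.service.component.annotations.Component;

import javax.servlet.http.HttpServletRequest;

/**
 * Read-only OAuth scope for a server-to-server crawler.
 *
 * The OSGi registration is done entirely by the @Component annotation below.
 * Declarative Services instantiates this class and publishes it in the OSGi
 * service registry under the Scope interface (that is what
 * "service = Scope.class" means), which is the interface the Granite OAuth
 * server looks up. The class still implements ScopeWithPrivileges so that the
 * OAuth server can read the privilege list as well. No activator, no XML and
 * no extra configuration are needed: build the bundle and deploy it to AEM.
 */
@Component(service = Scope.class)
public class CrawlerReadScope implements ScopeWithPrivileges {

    // Assumed values for this example: use a vendor-prefixed name to avoid
    // colliding with another bundle's scope, and the narrowest path that the
    // crawler actually needs.
    public static final String SCOPE_NAME = "example-crawler__read-content";
    public static final String BASE_PATH = "/content/example-site";

    // Privileges granted through a scope supersede the JCR ACLs at BASE_PATH,
    // so a crawler that only fetches content gets jcr:read and nothing else.
    private static final String[] PRIVILEGES = { "jcr:read" };

    @Override
    public String getName() {
        return SCOPE_NAME;
    }

    @Override
    public String getDescription(HttpServletRequest request) {
        return "Read-only access to " + BASE_PATH + " for the crawler integration";
    }

    @Override
    public String getResourcePath(User user) {
        // Same path for every authorizing user; no per-user derivation.
        return BASE_PATH;
    }

    @Override
    public String getEndpoint() {
        // Not tied to one specific endpoint.
        return null;
    }

    @Override
    public String[] getPrivileges() {
        // Return a copy so callers cannot mutate the shared array.
        return PRIVILEGES.clone();
    }
}
```

After deploying the bundle, verify the registration in the Felix web console under /system/console/services: a service whose objectClass is com.adobe.granite.oauth.server.Scope should be listed from your bundle, and the scope name should then be accepted in the OAuth client's authorization request. If the crawler later needs more than read access, add a second, separately named scope for that path rather than widening this one, since the privilege list applies to everything below BASE_PATH regardless of the ACLs set there.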