Level 2
October 14, 2022
Solved

How can we have Token/key based authentication in AEM Sling post servlet

  • October 14, 2022
  • 2 replies
  • 4787 views

I am looking to understand how to have token/key based authentication in a POST Sling servlet to secure the service. What are the ways we can include to enhance the security of the servlet?

Best answer by joerghoh

Thanks for your response.

If a third party tries to access the servlet from code, do they need to pass credentials along with the POST request to access this servlet?


That depends on the authentication model you have in place. For example, on publish /content is readable by anonymous, so you do not need to get authenticated, while on author you need to be authenticated.


2 replies

TarunKumar
Community Advisor
October 14, 2022

Hi @sunilbansal17 
One of the ways that I could suggest is to bind the servlet with a resource type and restrict access to the page by using either a CUG or ACLs. With this approach no custom authentication logic is required; it will be handled by AEM itself.

Level 2
October 14, 2022

Thanks for your response.

How can we ensure that unauthorized users are not hitting, or being entertained by, the POST servlet by passing some raw input data? This is kind of REST, and anyone can try to hit the URL.

Adobe Employee
October 14, 2022

Hi @sunilbansal17 

While doing the POST call, send user-related data such as employeeId as a request parameter and have validation logic in the backend to validate whether the employeeId is correct or not (you can store all Ids inside a generic list and check whether it belongs to that list or not). This limits access to the URL to the actual user.

joerghoh
Adobe Employee
October 14, 2022

A servlet is a resource, so it is covered implicitly by the Sling authentication model; in AEM (and other JCR-based systems built on Sling) this normally means that you authenticate against the repository.


So, first rule of thumb: bind your servlet to a resourcetype.
Then it can only be invoked on a resource (= node) which has that resourcetype set, and for that resource the authorization can be defined using JCR, typically via the Oak access control mechanism.

For example:

* you bind your servlet to the resourcetype myapp/servlets/myservlet

* you set on the node /content/functions/myfunction the property "resourceType" to "myapp/servlets/myservlet"

* then you can call the servlet via /content/functions/myfunction.


If you don't do that and bind the servlet directly to a path, only the Sling authentication takes place; if you pass that authentication you can execute that servlet; there is no additional authorization check done.


Next: you should use the authorization model of Oak to restrict access to the resource which has that specific resourcetype set. That means you should grant the correct permissions on /content/functions/myfunction to the group which should be able to invoke that servlet.


All that is done without writing any code.
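As an added illustration of the "bind to a resourcetype" rule (not code from this thread or from AEM itself), this is what such a servlet looks like in Java; the package, class name and the "input" request parameter are assumptions, while the resource type and node path are the ones from the example above:

```java
package com.example.myapp.servlets; // assumed package name

import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.HttpConstants;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.apache.sling.servlets.annotations.SlingServletResourceTypes;
import org.osgi.service.component.annotations.Component;

/**
 * Bound to a resource type, NOT to a path. Sling only routes a request to this
 * servlet when the requested resource (e.g. /content/functions/myfunction with
 * sling:resourceType = myapp/servlets/myservlet) can be resolved for the
 * request's session. If Oak ACLs deny the principal read access on that node,
 * the resource is not found for that session and doPost() is never reached,
 * so authorization is enforced by the repository without any code here.
 *
 * A path-bound servlet (@SlingServletPaths) would skip that node-level check:
 * passing Sling authentication alone would be enough to reach doPost().
 */
@Component(service = Servlet.class)
@SlingServletResourceTypes(
        resourceTypes = "myapp/servlets/myservlet",
        methods = HttpConstants.METHOD_POST)
public class MyFunctionServlet extends SlingAllMethodsServlet {

    @Override
    protected void doPost(SlingHttpServletRequest request,
                          SlingHttpServletResponse response)
            throws ServletException, IOException {
        // The principal that passed authentication and was allowed to read the node.
        String userId = request.getResourceResolver().getUserID();
        // "input" is an assumed parameter name for this illustration.
        String input = request.getParameter("input");

        if (input == null || input.isEmpty()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing input");
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().write("handled for " + userId);
    }
}
```

The node itself needs no code: create /content/functions/myfunction with sling:resourceType = myapp/servlets/myservlet and grant jcr:read on it only to the group that may invoke the servlet.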


Level 2
October 17, 2022

Thanks Jorg for your response.

If we set on the node /content/functions/myfunction the property "resourceType" to "myapp/servlets/myservlet", then if anyone tries to access a page inside the location /content/functions/myfunction, will this servlet not be invoked?

I mean, one way we will invoke the servlet is like

https://localhost:port/content/functions/myfunction?post query parameter

and the other way: if anyone tries to access a page inside this location (https://localhost:port/content/functions/myfunction/test.html), will that also invoke this servlet? Is this statement not true?


joerghoh
Adobe Employee
October 17, 2022

If someone is doing a POST to /content/functions/myfunction, then access control of /content/functions/myfunction will be used to determine if this principal is allowed to invoke the servlet.


The resource /content/functions/myfunction/test.html is totally independent of that.