Expand my Community achievements bar.

SOLVED

How can we have Token/key based authentication in AEM Sling post servlet

Avatar

Level 2

I am looking to understand the way to have Token/key based authentication in Post sling servlet to secure the service. what are ways we can include to enhance the security of servlet.

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

That depends on the authentication model you have in place. For example on publish /content is readable from anonymous so you do not need to get authenticated, while on author you need to be authenticated.

 

 

View solution in original post

14 Replies

Avatar

Community Advisor

Hi @SunilBansal17 
One of the ways that I could suggest is to bind the servlet with resource Type and can restrict access to the page by either using CUG or ACLs. With this approach any custom authentication logic is not required and will be handled by AEM itself.  

Avatar

Level 2

Thanks for your response.

How we can ensure that unauthorized users are not hitting or entertained for the POST servlet with passing some raw input data. this is kind of Rest and anyone can try to hit the URL.

Avatar

Level 3

Hi @SunilBansal17 

While doing the post call, send user related data such as employeeId as request parameter and have the validation logic in backend to validate the employeeId, whether it's correct or not (Either you can store all Ids inside generic list and check whether it belongs to that list or not). This leverage the access of URL from actual user.

Avatar

Level 2

Can you please elaborate with example, you mean we need to expose one dedicated user to the actual users who all can hit the servlet and same they can send as request parameter and can be validated at backend login as soon there is request.

Avatar

Level 3

If you are using resource based servlet, create a usergroup with setup valid user and give them permission for that specific resource.
Then only those valid user can access the servlet.

If it's a path based servlet, send some user specific data such as emoployee ID in request. In backend use validation logic to validate the employee Id, whether it's correct or not.

Avatar

Level 2

Thanks for your response.

Do we see any way to have Token/key based authentication for the Post servlet.

Avatar

Level 2

Thanks for your response.
Can you please write up the sequence of steps.

1. How the third party will call post servlet in case of both resource and path based.

2. Do they need to pass any credentials while calling the servlet, if yes then how.

Avatar

Community Advisor

HI @SunilBansal17 


Sling Engine will take care of permissions if you register servlet using Resource Type. Users who cannot access a particular resource will not be able to invoke the servlet.

Also you can use JAVA Filter to intercept a request and do some pre-processing of the request, here you can authorize the user as well.

Avatar

Level 2

User can pass the input data in the forms of JSON to the post servlet and hit and based upon the changes will be applied to Node/properties level. I am trying to understand if resource type servlet can be utilized here.

Avatar

Employee Advisor

A servlet is a resource, so it is covered implicitly by the Sling Authentication model; in AEM (and other JCR-based systems based on Sling) this normally means, that you authenticate against the repository.

 

So, first rule of thumb: Bind your servlet to a resourcetype.
Because then it can only be invoked on a resource (=node) which has that resourcetype set. And for that the authorization can be defined using JCR, typically by Oak access control mechanism.

For example:

* you bind your servlet to the resourcetype myapp/servlets/myservlet

* you set the on the node /content/functions/myfunction the property "resourceType" to "myapp/servlets/myservlet"

* then you can call the servlet via (content/functions/myfunction).

 

If you don't do that and bind the servlet directly to a path, only the Sling Authentication takes place; and if you pass that authentication you can execute that servlet;  there is no additional authorization check done.

 

 

Next: You should use the authorization model of Oak to restrict access to that resource, which has that specific resourcetype set. That means you should the correct permissions to /content/functions/myfunction to the group which should be able to invoke that servlet.

 

All that is done without writing any code.

 

 

 

 

Avatar

Level 2

Thanks Jorg for your response.

If we set the on the node /content/functions/myfunction the property "resourceType" to "myapp/servlets/myservlet then if anyone will try to access the page inside location /content/functions/myfunction then this servlet will not invoked ?

I mean one way we will invoke the servlet like 

https://localhost:port/content/functions/myfunction?post query parameter

and other way if anyone tried to access page inside this location (https://localhost:port/content/functions/myfunction/test.html) will also invoke this servlet. is this statement not true?

 

Avatar

Employee Advisor

If someone is doing a POST to /content/functions/myfunction, then access control of /content/functions/myfunction will be used to determine if this principal is allowed to invoke the servlet.

 

The resource /content/functions/myfunction/test.html is totally independent of that. 

 

 

Avatar

Level 2

Thanks for your response.

If third party will try to access the servlet from code, then do they need to pass credentials along with post request to access this servlet.

Avatar

Correct answer by
Employee Advisor

That depends on the authentication model you have in place. For example on publish /content is readable from anonymous so you do not need to get authenticated, while on author you need to be authenticated.