I am looking to understand the way to have token/key-based authentication in a POST Sling servlet to secure the service. What are the ways we can use to enhance the security of the servlet?
Hi @SunilBansal17
One of the ways I could suggest is to bind the servlet to a resource type and restrict access to the page using either a CUG or ACLs. With this approach, no custom authentication logic is required; it will be handled by AEM itself.
Thanks for your response.
How can we ensure that unauthorized users are not hitting, or being served by, the POST servlet by passing some raw input data? This is a kind of REST endpoint and anyone can try to hit the URL.
Hi @SunilBansal17
While doing the POST call, send user-related data such as employeeId as a request parameter and have validation logic in the backend to validate whether the employeeId is correct or not (for example, you can store all IDs in a generic list and check whether it belongs to that list). This restricts access to the URL to the actual user.
Can you please elaborate with an example? Do you mean we need to expose one dedicated user to the actual users who can hit the servlet, and they can send the same as a request parameter to be validated at the backend as soon as there is a request?
If you are using a resource-based servlet, create a user group containing the valid users and give them permission for that specific resource.
Then only those valid users can access the servlet.
If it's a path-based servlet, send some user-specific data such as employee ID in the request. In the backend, use validation logic to validate whether the employee ID is correct or not.
Thanks for your response.
Do we see any way to have token/key-based authentication for the POST servlet?
Thanks for your response.
Can you please write up the sequence of steps:
1. How will the third party call the POST servlet in the case of both resource-based and path-based?
2. Do they need to pass any credentials while calling the servlet? If yes, then how?
The Sling Engine will take care of permissions if you register the servlet using a resource type. Users who cannot access a particular resource will not be able to invoke the servlet.
Also, you can use a Java Filter to intercept a request and do some pre-processing of the request; here you can authorize the user as well.
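As an added illustration of the filter approach mentioned above (this is example code written for this thread, not code from the original posts or from AEM), here is a Sling request filter that gates POSTs under a hypothetical /content/functions path: authentication is still left to Sling/Oak, and the filter only adds an authorization check that the already authenticated caller is a member of a dedicated group. The package name, the path pattern, the group name myapp-function-callers and the service user sub-service name "authz" (which needs a service user mapping with read access to /home) are all assumptions.

```java
package com.example.myapp.filters;  // hypothetical package

import java.io.IOException;
import java.util.Collections;

import javax.jcr.RepositoryException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

/**
 * Runs before servlet resolution for every request below /content/functions and
 * lets a POST through only when the authenticated caller belongs to REQUIRED_GROUP.
 * Repository authentication has already happened by the time this filter runs.
 */
@Component(service = Filter.class, property = {
        "sling.filter.scope=REQUEST",                 // once per request, before the servlet
        "sling.filter.pattern=/content/functions/.*", // hypothetical endpoint path
        "service.ranking:Integer=1000"
})
public class FunctionPostAuthorizationFilter implements Filter {

    /** Group whose members may invoke the function servlets (hypothetical name). */
    static final String REQUIRED_GROUP = "myapp-function-callers";
    /** Sub-service used to look up group membership (assumed service user mapping). */
    static final String SUBSERVICE = "authz";

    @Reference
    private ResourceResolverFactory resolverFactory;

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only POSTs are gated; GETs and non-Sling requests pass through untouched.
        if (!(req instanceof SlingHttpServletRequest)
                || !"POST".equalsIgnoreCase(((SlingHttpServletRequest) req).getMethod())) {
            chain.doFilter(req, res);
            return;
        }
        SlingHttpServletRequest request = (SlingHttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String callerId = request.getResourceResolver().getUserID();

        // Membership is checked with a service user, so the result does not depend on
        // whether the caller's own session may read /home/groups.
        try (ResourceResolver service = resolverFactory.getServiceResourceResolver(
                Collections.singletonMap(ResourceResolverFactory.SUBSERVICE, SUBSERVICE))) {
            if (isAllowed(callerId, service)) {
                chain.doFilter(req, res);
                return;
            }
        } catch (LoginException | RepositoryException e) {
            // Fail closed: if the lookup itself fails, the request does not go through.
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    /** True only for a named (non-anonymous) user that is a member of REQUIRED_GROUP. */
    static boolean isAllowed(String userId, ResourceResolver service) throws RepositoryException {
        if (userId == null || "anonymous".equals(userId)) {
            return false;
        }
        UserManager userManager = service.adaptTo(UserManager.class);
        if (userManager == null) {
            return false;
        }
        Authorizable caller = userManager.getAuthorizable(userId);
        Authorizable group = userManager.getAuthorizable(REQUIRED_GROUP);
        return caller != null && group instanceof Group && ((Group) group).isMember(caller);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The filter deliberately does not replace repository access control: a caller who cannot read the target resource is still stopped by Sling before this code matters, and the group check is an additional, code-level gate for the POST method only.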
The user can pass the input data in the form of JSON to the POST servlet and hit it, and based upon that the changes will be applied at node/property level. I am trying to understand if a resource-type servlet can be utilized here.
A servlet is a resource, so it is covered implicitly by the Sling authentication model; in AEM (and other JCR-based systems based on Sling) this normally means that you authenticate against the repository.
So, first rule of thumb: bind your servlet to a resource type.
Because then it can only be invoked on a resource (= node) which has that resource type set. And for that, the authorization can be defined using JCR, typically by the Oak access control mechanism.
For example:
* you bind your servlet to the resourcetype myapp/servlets/myservlet
* you set on the node /content/functions/myfunction the property "resourceType" to "myapp/servlets/myservlet"
* then you can call the servlet via /content/functions/myfunction.
If you don't do that and bind the servlet directly to a path, only the Sling authentication takes place; if you pass that authentication you can execute that servlet, and there is no additional authorization check done.
Next: you should use the authorization model of Oak to restrict access to that resource which has that specific resource type set. That means you should grant the correct permissions on /content/functions/myfunction to the group which should be able to invoke that servlet.
All that is done without writing any code.
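To make the resource-type binding described above concrete, here is an added example (written for this thread; it is not code from the original answer or from AEM) of a POST servlet registered by resource type together with the repoinit statements that create the node, set the type property and grant access to a group. In Sling the property is named sling:resourceType. The package name, the path /content/functions/myfunction, the resource type myapp/servlets/myservlet, the group myapp-function-callers and the fn_ property prefix are assumptions.

```java
package com.example.myapp.servlets;  // hypothetical package

import java.io.IOException;
import java.util.Map;

import javax.json.Json;
import javax.json.JsonException;
import javax.json.JsonNumber;
import javax.json.JsonObject;
import javax.json.JsonReader;
import javax.json.JsonString;
import javax.json.JsonValue;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.ModifiableValueMap;
import org.apache.sling.api.resource.PersistenceException;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;

/*
 * Repository side (repoinit; hypothetical path and group name). Only principals
 * that can read /content/functions/myfunction resolve it, so only they reach this
 * servlet. rep:write is needed because the servlet writes with the caller's own
 * session. On publish, anonymous normally reads /content, so it gets an explicit
 * deny if the endpoint must not be public:
 *
 *   create path (sling:Folder) /content/functions/myfunction
 *   set properties on /content/functions/myfunction
 *       set sling:resourceType{String} to myapp/servlets/myservlet
 *   end
 *   create group myapp-function-callers
 *   set ACL for myapp-function-callers
 *       allow jcr:read,rep:write on /content/functions/myfunction
 *   end
 *   set ACL for anonymous
 *       deny jcr:read on /content/functions
 *   end
 */
@Component(service = Servlet.class, property = {
        "sling.servlet.resourceTypes=myapp/servlets/myservlet", // bound to the type, not a path
        "sling.servlet.methods=POST"
})
public class MyFunctionServlet extends SlingAllMethodsServlet {

    /** Only short identifiers are accepted, so a POST can never touch jcr:* or sling:* properties. */
    static final String ALLOWED_NAME = "[a-z][a-zA-Z0-9]{0,63}";
    /** Prefix under which caller-supplied values are stored (hypothetical). */
    static final String PREFIX = "fn_";

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        JsonObject body;
        try (JsonReader reader = Json.createReader(request.getReader())) {
            body = reader.readObject();
        } catch (JsonException | IllegalStateException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "expected a JSON object");
            return;
        }
        // request.getResource() is the node carrying sling:resourceType; Sling only
        // resolved it because the caller's session was allowed to read it.
        ModifiableValueMap props = request.getResource().adaptTo(ModifiableValueMap.class);
        if (props == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // readable but not writable
            return;
        }
        int applied = applyProperties(body, props);
        try {
            request.getResourceResolver().commit();
        } catch (PersistenceException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "write not permitted");
            return;
        }
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write("{\"updated\":" + applied + "}");
    }

    /** Copies allow-listed scalar members of the body into target; nested values and odd names are ignored. */
    static int applyProperties(JsonObject body, Map<String, Object> target) {
        int count = 0;
        for (Map.Entry<String, JsonValue> entry : body.entrySet()) {
            String name = entry.getKey();
            if (!name.matches(ALLOWED_NAME)) {
                continue;
            }
            JsonValue value = entry.getValue();
            switch (value.getValueType()) {
                case STRING:
                    target.put(PREFIX + name, ((JsonString) value).getString());
                    break;
                case NUMBER:
                    target.put(PREFIX + name, ((JsonNumber) value).longValue());
                    break;
                case TRUE:
                    target.put(PREFIX + name, Boolean.TRUE);
                    break;
                case FALSE:
                    target.put(PREFIX + name, Boolean.FALSE);
                    break;
                default:
                    continue; // null, objects and arrays are not stored
            }
            count++;
        }
        return count;
    }
}
```

A caller that is not in the group cannot read the node, so Sling never resolves it to this servlet and the request ends at the resource-resolution stage; a caller that can read but not write reaches the servlet and is refused when the value map cannot be adapted or the commit is rejected by Oak.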
Thanks Jorg for your response.
If we set on the node /content/functions/myfunction the property "resourceType" to "myapp/servlets/myservlet", then if anyone tries to access a page inside the location /content/functions/myfunction, will this servlet not be invoked?
I mean, one way we will invoke the servlet like
https://localhost:port/content/functions/myfunction?post query parameter
and the other way, if anyone tried to access a page inside this location (https://localhost:port/content/functions/myfunction/test.html), would that also invoke this servlet? Is this statement not true?
If someone is doing a POST to /content/functions/myfunction, then access control of /content/functions/myfunction will be used to determine if this principal is allowed to invoke the servlet.
The resource /content/functions/myfunction/test.html is totally independent of that.
Thanks for your response.
If a third party tries to access the servlet from code, do they need to pass credentials along with the POST request to access this servlet?
That depends on the authentication model you have in place. For example, on publish /content is readable by anonymous, so you do not need to be authenticated, while on author you need to be authenticated.