Hi all,
I have gone through all the forum posts, and documentation related to Authentication, CUG and all related to GraphQL Endpoint. But my case here is, is it possible for restricting the users to be able to access only a certain GraphQL endpoint and not any other one.? Here the situation is, we are unsure of the users and the application is facing public users(means no login for the system to establish a CUG based on the users). Or would that make sense by restricting the system itself ? Not sure if this works, but open to your thoughts. By the way, we are on AEC.
Thanks,
Arvind
Solved! Go to Solution.
Views
Replies
Total Likes
@kautuk_sahni - here you go with the details.
For establishing authentication on Publish end where we will expose data to the systems, when the systems hit the GraphQL end point. Below mentioned are the steps involved, sequentially as-is, for CUG Implementation.
1. Create a custom folder under "/content/dam", and can create any sample content fragments under that folder.
2. Create a custom user group local to AEM instance, push it through repo-init config, on Author and Publish. We have only Author repo-init configuration in the beginning. So, for this need, we added a repo-init config for Publish as well.
Example code for both Author and Publish:
create group <custom_group> with path /home/groups/xyz/
3. Apply permissions to this custom group only on Publish side, so it has access to custom folder that holds the CF data for that respective need. Example code:
set ACL for <custom_group>
remove * on /content/dam/<custom_folder>
##Permissions for <custom_group> group
allow jcr:all on /content/dam/<custom_folder>
allow jcr:all on /conf/<cf_model_config_folder>
allow jcr:all on /content/cq:graphql/<endpoint>
end
4. Remove read permissions from everyone group, for that respective custom folder so it doesn’t expose that data to “everyone” through GraphQL. Example:
set ACL for everyone
remove * on /content/dam/<custom_folder>
##Deny Rules of everyone
deny jcr:all on /content/dam/<custom_folder>
end
5. Add the above sample code from Step 2-4 in repoinit config on Publish side, where all the restriction is needed.
6. Create a technical service user account from AdminConsole for the respective environment.
7. This will now show up in AEM Author Users console. Add the custom group that was created through repo-init to the user and Publish the User.
8. Now generate an Access Token or JWT-Token for hitting the GraphQL endpoint to validate the authentication.
9. User the generated Access Token in the above step to establish authentication via Postman of type “Bearer token” and we should see a response.
Hi Arvind,
GraphQL endpoit can be restricted so that it can be accessed by only legitimate users. First you deny access to that particular endpoint for all and then then enable the access for a particular user.
Assuming you are consuming the headless content by another application . You will not be able to access the endpoint anonymously now on. You need to pass configured user authentication details to access the endpoint. Hope this helps.
Thanks,
Somen
Thanks @somen-sarkar .. Theoretically you are right. the CUG has also been a hiccup here. The permissions have been messing up the folder access on Publish side and thats the one holding up the CF content. Reached out to Adobe, should see how that goes.
@somen-sarkar - Just so to post an update to you, CUG is an existing issue with AEM currently. Reported to Adobe support team and they are able to replicate that and investigating it.
@arvindk091986 Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.
Views
Replies
Total Likes
I have the details, will post it shortly. AEM Engineering team shared a few set of steps that needs to go as-is mentioned. @kautuk_sahni
@kautuk_sahni - here you go with the details.
For establishing authentication on Publish end where we will expose data to the systems, when the systems hit the GraphQL end point. Below mentioned are the steps involved, sequentially as-is, for CUG Implementation.
1. Create a custom folder under "/content/dam", and can create any sample content fragments under that folder.
2. Create a custom user group local to AEM instance, push it through repo-init config, on Author and Publish. We have only Author repo-init configuration in the beginning. So, for this need, we added a repo-init config for Publish as well.
Example code for both Author and Publish:
create group <custom_group> with path /home/groups/xyz/
3. Apply permissions to this custom group only on Publish side, so it has access to custom folder that holds the CF data for that respective need. Example code:
set ACL for <custom_group>
remove * on /content/dam/<custom_folder>
##Permissions for <custom_group> group
allow jcr:all on /content/dam/<custom_folder>
allow jcr:all on /conf/<cf_model_config_folder>
allow jcr:all on /content/cq:graphql/<endpoint>
end
4. Remove read permissions from everyone group, for that respective custom folder so it doesn’t expose that data to “everyone” through GraphQL. Example:
set ACL for everyone
remove * on /content/dam/<custom_folder>
##Deny Rules of everyone
deny jcr:all on /content/dam/<custom_folder>
end
5. Add the above sample code from Step 2-4 in repoinit config on Publish side, where all the restriction is needed.
6. Create a technical service user account from AdminConsole for the respective environment.
7. This will now show up in AEM Author Users console. Add the custom group that was created through repo-init to the user and Publish the User.
8. Now generate an Access Token or JWT-Token for hitting the GraphQL endpoint to validate the authentication.
9. User the generated Access Token in the above step to establish authentication via Postman of type “Bearer token” and we should see a response.