Hi All,
I have a scenario where I want to process and transform the user groups received in the SAML response post-authentication into a format that matches the AEM groups, and assign the users to those groups. Our application is running on Cloud Service.
    import java.util.HashMap;
    import java.util.HashSet;
    import java.util.Iterator;
    import java.util.Map;
    import java.util.Set;

    import javax.jcr.RepositoryException;
    import javax.jcr.Session;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.apache.commons.lang3.StringUtils;
    import org.apache.jackrabbit.api.security.user.Authorizable;
    import org.apache.jackrabbit.api.security.user.Group;
    import org.apache.jackrabbit.api.security.user.UserManager;
    import org.apache.sling.api.resource.LoginException;
    import org.apache.sling.api.resource.ResourceResolver;
    import org.apache.sling.api.resource.ResourceResolverFactory;
    import org.apache.sling.auth.core.spi.AuthenticationInfo;
    import org.apache.sling.auth.core.spi.AuthenticationInfoPostProcessor;
    import org.apache.sling.settings.SlingSettingsService;
    import org.osgi.service.component.annotations.Component;
    import org.osgi.service.component.annotations.Reference;
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;

    @Component(name = "CustomAuthenticationInfoPostProcessor", service = AuthenticationInfoPostProcessor.class, immediate = true)
    public class CustomAuthenticationInfoPostProcessor implements AuthenticationInfoPostProcessor {

        private static final Logger LOG = LoggerFactory.getLogger(CustomAuthenticationInfoPostProcessor.class);

        @Reference
        private SlingSettingsService slingSettingsService;

        @Reference
        private ResourceResolverFactory resolverFactory;

        @Override
        public void postProcess(AuthenticationInfo info, HttpServletRequest request, HttpServletResponse response) {
            LOG.info("CustomAuthenticationInfoPostProcessor invoked");
            if (info == null) {
                return;
            }
            String requestURL = request.getRequestURL().toString();
            Set<String> runModes = slingSettingsService.getRunModes();
            LOG.info("runModes : {}", runModes);
            if (!runModes.contains("publish") || !requestURL.contains("custompath/saml_login")) {
                return;
            }

            Map<String, Object> params = new HashMap<>();
            params.put(ResourceResolverFactory.SUBSERVICE, "userManagerService");
            LOG.info("params : {}", params);

            // The service resolver is opened per request and closed by try-with-resources;
            // keeping it in an instance field (as before) leaks it and is not thread-safe.
            try (ResourceResolver resolver = resolverFactory.getServiceResourceResolver(params)) {
                String userID = info.getUser();
                LOG.info("userID : {}", userID);
                if (StringUtils.isEmpty(userID)) {
                    return;
                }
                Session session = resolver.adaptTo(Session.class);
                UserManager userManager = resolver.adaptTo(UserManager.class);
                if (session == null || userManager == null) {
                    LOG.error("Service user 'userManagerService' cannot be adapted to Session/UserManager; check the service user mapping and its ACLs");
                    return;
                }
                Authorizable user = userManager.getAuthorizable(userID);
                if (user == null) {
                    // Also returned when the service user has no read access to the user's home node.
                    LOG.warn("No authorizable found for user {}", userID);
                    return;
                }

                // getGroupsFromAttributes(user) is the poster's helper (not shown in the thread);
                // it is expected to return the lower-cased target group IDs derived from the SAML attributes.
                Set<String> userGroupsToAdd = getGroupsFromAttributes(user);
                if (userGroupsToAdd == null) {
                    userGroupsToAdd = new HashSet<>();
                }
                LOG.info("Syncing user groups: {} {}", user.getID(), userGroupsToAdd);

                // Collect the managed groups once, keyed by lower-cased ID. Looking each group up
                // again by its lower-cased ID (as before) returns null for mixed-case group IDs.
                Map<String, Group> managedGroups = new HashMap<>();
                Iterator<Authorizable> iter = userManager.findAuthorizables("jcr:primaryType", "rep:Group");
                while (iter.hasNext()) {
                    Authorizable authorizable = iter.next();
                    if (authorizable.isGroup() && authorizable.getPath().startsWith("/home/groups/customerpath")) {
                        managedGroups.put(authorizable.getID().toLowerCase(), (Group) authorizable);
                    }
                }

                // Membership in the managed groups is driven entirely by the SAML-derived set:
                // add where listed, remove everywhere else.
                for (Map.Entry<String, Group> entry : managedGroups.entrySet()) {
                    Group group = entry.getValue();
                    if (userGroupsToAdd.contains(entry.getKey())) {
                        group.addMember(user);
                    } else {
                        group.removeMember(user);
                    }
                }
                if (session.hasPendingChanges()) {
                    session.save();
                }
            } catch (LoginException e) {
                LOG.error("Could not obtain a service resolver for subservice 'userManagerService'", e);
            } catch (RepositoryException e) {
                LOG.error("Group synchronisation failed for user {}", info.getUser(), e);
            }
        }
    }
I don't see the code getting executed after LOG.info("params : "+params); is there any auto-termination that happens if a certain condition is not met in the authentication framework?
Can you suggest the best approach to solve this problem?
Thanks all in advance.
Looks like the issue was with the system user ACL. I had to set the Principal and the ACLs worked correctly. Hope this post helps others with a similar issue.
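The fix the accepted answer describes, as an added example that is not from the poster or the thread: an AEM as a Cloud Service repoinit OSGi config (e.g. org.apache.sling.jcr.repoinit.RepositoryInitializer~userManagerService.cfg.json under ui.config) that creates the userManagerService system user under /home/users/system/cq:services, which is where principal-based ACLs apply on Cloud Service, and grants it a principal ACL on /home. The intermediate folder name "example" and the file name are assumptions; the service user must also be mapped to the bundle in a ServiceUserMapperImpl.amended config, which is not repeated here.

```json
{
  "scripts": [
    "create service user userManagerService with forced path system/cq:services/example",
    "set principal ACL for userManagerService\n    allow jcr:read,rep:write,rep:userManagement on /home\nend"
  ]
}
```

Without jcr:read on /home/users the service session simply cannot see the user node, so getAuthorizable() returns null rather than throwing, which is why nothing shows up in the error log.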
@priya_cr Maybe the resource resolver created with the "userManagerService" service user doesn't have access to read/write the /home/users and /home/groups paths in the repo. Please check the error log, since the rest of the code is wrapped in a try/catch and fails.
No, I don't see any exception.
Yes, it was a system user creation error, which is solved, and now I'm facing a different issue. I see that the user synced through SAML is not getting assigned to the groups.