
Query about custom authentication handler, how to apply CUG-like functionality


Level 5

If I am using a custom Authentication handler and my users reside in some database.

In the extractCredentials method I authenticate my user from the request, i.e. j_username, check that it exists and that the password is correct, probably from the database, and then I ask TokenUtil to create credentials, to create the necessary login token for that user to have access to AEM.

But in such cases, how / who decides if the user has access in that particular case, which in a CRX-based login would be done by the group / CUG associated with that user?

Here, since I would not have any user created in CRX, how should the authorization happen to see if that user has access to that page?

Any help is welcome.



5 Replies


Level 7

Below is some documentation I made for internal use. Hope this helps.

To configure such an area, follow the steps below:



To apply the CUG to a page:


    • Navigate to the root page of the restricted section you want to assign to your CUG.

    • Open the Page Properties (from the Page tab in the Sidekick).

    • Open the Advanced tab.

    • Expand the Closed User Group pane.

    • Click Enabled to define that this page (and any child pages) belong to a CUG.

    • Specify the Login Page that members of the group will use; for example:
      This is optional, if left blank the standard login page will be used.

    • Add the Admitted Groups. Use + to add groups or - to remove. Only members of these groups will be allowed to log in and access the pages.

    • Assign a Realm (a name for the groups of pages) if required. Leave empty to use the page title.

    • Click OK to save the specification.


Level 5

Hi Tuhin,

Thanks for the reply.

But this will be possible when I have groups and users in AEM. I am talking about not having users and groups in AEM but having them stored outside of AEM.

How / who would be doing the authorization part in that case?





with a custom authentication handler, after you authenticate against the external system, you must have/create a user in AEM. If you look at the LDAP and SAML authentication mechanisms, there is always the option to use an existing user or create a new user. You cannot get a login token in AEM without a user that exists in AEM.




Level 5

Thanks Opkar,

There is an option with SAML not to create users/groups. That means if I choose not to create them in AEM, it should be possible, right?

Moreover, if there are millions of users, should we really be duplicating that many users and burdening the repository?





Hi Allhad, 

the option to not create users means you will import the users yourself into AEM. The same goes for LDAP. So, you either create users on the fly or you import them beforehand. 

You bring up a good question about duplicating user profiles; however, remember that no personal information will be stored in AEM about these users. They are basically placeholders in AEM for users authenticated against the backend system, and they allow the user to log in and AEM to resolve permissions for that user (you would of course add them to a group).

An approach you could use to deal with millions of users is to purge inactive users on a regular basis.
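The two points made in the replies above (the handler must create or reuse a placeholder AEM user that sits in one of the CUG's admitted groups, and inactive placeholders can be purged on a schedule) put together as one added example. This is illustration code written for this page, not code from the thread, from Adobe or from any AEM sample. It assumes a hypothetical `ExternalUserStore` DAO that compares the submitted password against the external database, a service user mapping named `user-sync` with user-management rights, an admitted group named `external-members`, a login page path, and a custom `lastSeen` property used only by the purge; OSGi registration (including the handler's `path` property) is left out.

```java
// Added example, not code from the thread or from Adobe. The external store only answers
// "is this password right?"; the placeholder AEM user in the admitted group is what Oak
// evaluates the CUG and ACLs against. Names marked (assumed) are not from the page.
package com.example.auth;

import java.io.IOException;
import java.util.Calendar;
import java.util.Iterator;
import java.util.UUID;
import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.jcr.api.SlingRepository;
import com.day.crx.security.token.TokenUtil;

public class ExternalDbAuthenticationHandler implements AuthenticationHandler {

    private static final String AUTH_TYPE = "ExternalDb";
    private static final String LOGIN_PAGE = "/content/site/login.html"; // the CUG "Login Page" (assumed)
    private static final String CUG_GROUP = "external-members";           // listed under Admitted Groups (assumed)
    private static final String LAST_SEEN = "lastSeen";                   // stamped on every login (assumed)
    private static final String SYNC_SERVICE = "user-sync";               // service user with user-management rights (assumed)

    /** Hypothetical DAO for the external database; verifyPassword compares against the stored hash. */
    interface ExternalUserStore { boolean verifyPassword(String user, String password); }

    private ResourceResolverFactory resolverFactory; // injected via OSGi in a real bundle
    private SlingRepository repository;              // injected via OSGi in a real bundle
    private ExternalUserStore externalStore;         // injected via OSGi in a real bundle

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest req, HttpServletResponse res) {
        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");
        if (user == null || pass == null) {
            return null; // not a login request for this handler; others may try
        }
        if (!externalStore.verifyPassword(user, pass)) {
            return AuthenticationInfo.FAIL_AUTH; // external system rejected the credentials
        }
        try {
            ensureAemUser(user); // without this there are no principals for the CUG check
            Credentials creds = TokenUtil.createCredentials(req, res, resolverFactory, user, true);
            AuthenticationInfo info = new AuthenticationInfo(AUTH_TYPE, user);
            info.put(AuthenticationInfo.CREDENTIALS, creds); // token login as the placeholder user
            return info;
        } catch (RepositoryException e) {
            return AuthenticationInfo.FAIL_AUTH;
        }
    }

    @Override
    public boolean requestCredentials(HttpServletRequest req, HttpServletResponse res) throws IOException {
        res.sendRedirect(LOGIN_PAGE); // send anonymous visitors of the CUG area to the login page
        return true;
    }

    @Override
    public void dropCredentials(HttpServletRequest req, HttpServletResponse res) throws IOException {
        // Token cookie invalidation on logout is handled by AEM's token authentication.
    }

    /** Create the placeholder (random, never-disclosed password; no profile data) and add it to the admitted group. */
    void ensureAemUser(String userId) throws RepositoryException {
        Session admin = repository.loginService(SYNC_SERVICE, null);
        try {
            UserManager um = ((JackrabbitSession) admin).getUserManager();
            Authorizable existing = um.getAuthorizable(userId);
            User user = existing instanceof User ? (User) existing
                      : um.createUser(userId, UUID.randomUUID().toString());
            Group group = (Group) um.getAuthorizable(CUG_GROUP);
            if (group != null && !group.isMember(user)) {
                group.addMember(user); // this membership is what the CUG admits
            }
            user.setProperty(LAST_SEEN, admin.getValueFactory().createValue(Calendar.getInstance()));
            admin.save();
        } finally {
            admin.logout();
        }
    }

    /** Scheduled-job body for purging inactive placeholders: remove members not seen for maxIdleDays. */
    int purgeInactive(int maxIdleDays) throws RepositoryException {
        Calendar cutoff = Calendar.getInstance();
        cutoff.add(Calendar.DAY_OF_YEAR, -maxIdleDays);
        int removed = 0;
        Session admin = repository.loginService(SYNC_SERVICE, null);
        try {
            UserManager um = ((JackrabbitSession) admin).getUserManager();
            Group group = (Group) um.getAuthorizable(CUG_GROUP);
            if (group == null) {
                return 0;
            }
            Iterator<Authorizable> members = group.getDeclaredMembers();
            while (members.hasNext()) {
                Authorizable m = members.next();
                Value[] seen = m.getProperty(LAST_SEEN);
                if (!m.isGroup() && seen != null && seen.length > 0 && seen[0].getDate().before(cutoff)) {
                    m.remove(); // the user is recreated on its next successful external login
                    removed++;
                }
            }
            admin.save();
        } finally {
            admin.logout();
        }
        return removed;
    }
}
```

Two things a practitioner should check with this pattern: the placeholder's password is random and never disclosed, so the only way into that account is through this handler, which is what you want; and the `user-sync` service user should be granted user-management rights on the users tree and the admitted group only, not administrator rights, so a bug in the handler cannot escalate further than creating group members. Because the CUG on the page is evaluated against the session's principals, and the token session's principals come from the placeholder's group membership, the page-property CUG described earlier in the thread applies to externally authenticated users exactly as it does to repository-native ones.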