Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

Scheduled OOTB workflow on author does not run due to javax.jcr.AccessDeniedException: Access denied.

Avatar

Level 2

Hi,
I am currently facing the following issue. I have created a scheduled job which runs every night and collects assets which have failed and re-uploads them using "dynamic-media-reupload" workflow. When I ran the same code in a test Servlet all worked as expected, the problem comes when the workflow gets executed by the scheduler job. Is there a specific way the Workflowsession needs to be instantiated, do I need to provide some additional privileges / metadata info. I am attaching the error in the error log

com.adobe.granite.workflow.core.jcr.WorkflowBucketManager Error creating unique instance id: /var/workflow/instances/server1901/2023-02-19/dynamic-media-reupload_131
javax.jcr.AccessDeniedException: Access denied.
at org.apache.jackrabbit.oak.jcr.security.AccessManager.checkPermissions(AccessManager.java:71) [org.apache.jackrabbit.oak-jcr:1.44.0.T20221206170501-6d59064]
at org.apache.jackrabbit.oak.jcr.session.NodeImpl$5.perform(NodeImpl.java:320) [org.apache.jackrabbit.oak-jcr:1.44.0.T20221206170501-6d59064]
at org.apache.jackrabbit.oak.jcr.session.NodeImpl$5.perform(NodeImpl.java:289) [org.apache.jackrabbit.oak-jcr:1.44.0.T20221206170501-6d59064]
at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:210) [org.apache.jackrabbit.oak-jcr:1.44.0.T20221206170501-6d59064]
at org.apache.jackrabbit.oak.jcr.session.ItemImpl.perform(ItemImpl.java:112) [org.apache.jackrabbit.oak-jcr:1.44.0.T20221206170501-6d59064]
at org.apache.jackrabbit.oak.jcr.session.NodeImpl.addNode(NodeImpl.java:289) [org.apache.jackrabbit.oak-jcr:1.44.0.T20221206170501-6d59064]
at com.adobe.granite.workflow.core.jcr.WorkflowBucketManager.createWorkflowInstanceNode(WorkflowBucketManager.java:206) [com.adobe.granite.workflow.core:2.1.84]
at com.adobe.granite.workflow.core.jcr.WorkflowManager.createWorkflowInstance(WorkflowManager.java:366) [com.adobe.granite.workflow.core:2.1.84]
at com.adobe.granite.workflow.core.WorkflowSessionImpl.startWorkflow(WorkflowSessionImpl.java:2025) [com.adobe.granite.workflow.core:2.1.84]
at com.adobe.granite.workflow.core.WorkflowSessionImpl.startWorkflow(WorkflowSessionImpl.java:543) [com.adobe.granite.workflow.core:2.1.84]

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hi @oligawen ,

How are getting the workflow session?

Try to get the workflow session from the system user with proper permission to the system user.

private static final String SYSTEM_USER = "system_user";
//Getting ResourceResolver and Session using System Users
Map<String, Object> param = new HashMap<>();
param.put(ResourceResolverFactory.SUBSERVICE, SYSTEM_USER);
resourceResolver = resourceResolverFactory.getServiceResourceResolver(param);

// Get the workflow session from the resource resolver
final WorkflowSession workflowSession = resourceResolver.adaptTo(WorkflowSession.class);

 The rest of the code for workflow initialization can follow as below:

// Workflow model path
final String model = "/var/workflow/models/version-creation";

// Get the workflow model object
final WorkflowModel workflowModel = Objects.requireNonNull(workflowSession).getModel(model);

// Create a workflow payload object pointing to a resource via JCR(asset path)
final WorkflowData workflowData = workflowSession.newWorkflowData("JCR_PATH", payloadPath);

Map<String, Object> workflowMetadata = new HashMap<>();
workflowMetadata.put("startDate", new Date());

//start the workflow
workflowSession.startWorkflow(workflowModel, workflowData, workflowMetadata);

Hope this could help you!!!

Regards,

Shiv

 

Shiv Prakash

View solution in original post

6 Replies

Avatar

Correct answer by
Community Advisor

Hi @oligawen ,

How are getting the workflow session?

Try to get the workflow session from the system user with proper permission to the system user.

private static final String SYSTEM_USER = "system_user";
//Getting ResourceResolver and Session using System Users
Map<String, Object> param = new HashMap<>();
param.put(ResourceResolverFactory.SUBSERVICE, SYSTEM_USER);
resourceResolver = resourceResolverFactory.getServiceResourceResolver(param);

// Get the workflow session from the resource resolver
final WorkflowSession workflowSession = resourceResolver.adaptTo(WorkflowSession.class);

 The rest of the code for workflow initialization can follow as below:

// Workflow model path
final String model = "/var/workflow/models/version-creation";

// Get the workflow model object
final WorkflowModel workflowModel = Objects.requireNonNull(workflowSession).getModel(model);

// Create a workflow payload object pointing to a resource via JCR(asset path)
final WorkflowData workflowData = workflowSession.newWorkflowData("JCR_PATH", payloadPath);

Map<String, Object> workflowMetadata = new HashMap<>();
workflowMetadata.put("startDate", new Date());

//start the workflow
workflowSession.startWorkflow(workflowModel, workflowData, workflowMetadata);

Hope this could help you!!!

Regards,

Shiv

 

Shiv Prakash

Avatar

Level 2

Hi @Shiv_Prakash_Patel ,
Thank you very, very much for the detailed answer and code snippet. I was getting the workflow session like this

WorkflowSession workflowSession = resourceResolver.adaptTo(WorkflowSession.class);

 and the resource resolver I got like this

final ResourceResolver resourceResolver = resourceResolverService.createReader().get()

 where resourceResolverService is 

@Reference

 

Avatar

Community Advisor

Please check if the implementation of createReader() method has read and writes permission to the var folder or just get resource resolver from the system user with read & write permission to the var folder.

 

Shiv Prakash

Avatar

Level 2

Yeah, that is what I neglected to check, createReader had only the read rights, I now provided the createWriter, who has both read and write permissions. Question is where do I check the permissions for specific folders ? I was not able to find a system_user locally 

Avatar

Community Advisor

You can check the system user associated with your bundle in the config manager. It will give you an idea about this and once will know the system user you can check the permission from the user admin console.

please check - https://unlocklearning.in/resource-resolver-in-aem/ 

 

 

Shiv Prakash

Avatar

Level 2

@Shiv_Prakash_Patel  once again thank you very much for your time and detailed explanations.