SOLVED
Service user cannot access resources tagged with CUG policy
Background: I have pages that are tagged with CUG policy to allow read access to the page to the user who belongs to a specific group. The access for the end-user works as expected. However, I would like the service user to have access to all the nodes in JCR tree regardless of if the resource has CUG policy set or not.
I have added the service user to exclude from CUG evalution using following config. However, the service user still does have access to the resources that are tagged with CUG policy (group).
Below is CUG exclude OSGI config that I updated to exclude the service user. (Adding service user principal to the list)
org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugExcludeImpl
However, the service user still does not have access to the resources that are tagged with CUG policy. Would appreciate any input, suggestion, recommendation from the AEM experts in the community.
1 Accepted Solution
Correct answer by
Below approach resolved the issue for me.
If the service user has access to the content through rep:policy then rep:cugPolicy wont apply to the service user. Service user should still be able to access the nodes that has CUG policy applied to it.
If you are injecting OSGI component into a POJO using bundle context, in the example below, injecting ResourceResolverFactory you would need to add the service user to user mapper amendment
org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended
config to allow the service user to access content through a particular bundle
BundleContext bundleContext = FrameworkUtil.getBundle(ResourceResolverFactory.class).getBundleContext();
ServiceReference serviceReference = bundleContext
.getServiceReference(ResourceResolverFactory.class.getName());
ResourceResolverFactory resourceResolverFactory = (ResourceResolverFactory) bundleContext
.getService(serviceReference);
Map<String, Object> param = new HashMap<>();
param.put(ResourceResolverFactory.SUBSERVICE, "service-user");
Add the following config to user mapper amendment
The above approach worked for me
Hi @zaddm98685815
Ideally, this should work. A silly question to ask, have you deployed this OSGI configuration on the publish instance? Additionally, try adding the service user to the respective CUG group to see if it works.
Is the system user part of everyone group?
Arun Patidar
Correct answer by
Below approach resolved the issue for me.
If the service user has access to the content through rep:policy then rep:cugPolicy wont apply to the service user. Service user should still be able to access the nodes that has CUG policy applied to it.
If you are injecting OSGI component into a POJO using bundle context, in the example below, injecting ResourceResolverFactory you would need to add the service user to user mapper amendment
org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended
config to allow the service user to access content through a particular bundle
BundleContext bundleContext = FrameworkUtil.getBundle(ResourceResolverFactory.class).getBundleContext();
ServiceReference serviceReference = bundleContext
.getServiceReference(ResourceResolverFactory.class.getName());
ResourceResolverFactory resourceResolverFactory = (ResourceResolverFactory) bundleContext
.getService(serviceReference);
Map<String, Object> param = new HashMap<>();
param.put(ResourceResolverFactory.SUBSERVICE, "service-user");
Add the following config to user mapper amendment
The above approach worked for me
@arunpatidar Did you find the suggestion helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!
Kautuk Sahni
Related Conversations
