
SOLVED

Servlet using resourceType


Level 6

For a servlet using resourceType, when we get the resourceResolver from the request, how secure is the servlet, and what user permissions does the request have?

1 Accepted Solution


Correct answer by
Community Advisor

Hi @Keerthi0555,

Assuming you're getting resourceResolver like below:

request.getResourceResolver();

The permission level will depend on the user that you are currently logged in as; if you are not logged in, then the permission set of the Anonymous user will be used.


4 Replies


Level 5

1. How secure the servlet is - It depends on what access the node which has that resourcetype has.

2. Request has what user permissions - The permissions of the user who is accessing that node, which triggered this servlet.


Community Advisor

A servlet using resourceType and obtaining a ResourceResolver via request.getResourceResolver() operates with the permissions of the user tied to the request. This ensures actions are constrained by the user's permissions (public users will be the anonymous user), adhering to AEM's security model. The servlet inherently inherits the user's access scope, making it as secure as the requesting user's permissions. However, risks arise if the servlet doesn't validate or sanitize inputs properly, potentially exposing sensitive operations or data. To maintain security, ensure the servlet implements robust input validation, adheres to the principle of least privilege, and limits actions to only what is necessary for the servlet's purpose.

The anonymous user or everyone group typically can read nodes in the repository based on the permissions granted to the everyone group. If this user calls the servlet, and the request is adapting to the ResourceResolver object, the everyone group typically has no write permissions.
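As an added illustration of the replies above (not code from the original thread or from Adobe), here is a resourceType-bound servlet that relies on the request's resolver for access control and validates its one input. The resource type, the `path` parameter, the class name and the `/content/example/` root are assumptions made for the example.

```java
import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.servlets.annotations.SlingServletResourceTypes;
import org.osgi.service.component.annotations.Component;

@Component(service = Servlet.class)
@SlingServletResourceTypes(
        resourceTypes = "example/components/titlelookup", // hypothetical resource type
        methods = "GET",
        extensions = "txt")
public class TitleLookupServlet extends SlingSafeMethodsServlet {

    private static final String ALLOWED_ROOT = "/content/example/"; // hypothetical content root

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        // Request-bound resolver: carries the session of the authenticated user,
        // or of "anonymous" when the request is not authenticated.
        ResourceResolver resolver = request.getResourceResolver();

        // Validate the caller-supplied path before touching the repository.
        String path = request.getParameter("path");
        if (path == null || !path.startsWith(ALLOWED_ROOT) || path.contains("..")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // getResource() returns null both when the path does not exist and when
        // the requesting user has no read access to it.
        Resource target = resolver.getResource(path);
        if (target == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        response.setContentType("text/plain");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write(resolver.getUserID() + " can read "
                + target.getValueMap().get("jcr:title", target.getName()));
    }
}
```

Because the servlet is bound to a resource type, Sling only dispatches to it after resolving a node of that type with the same request resolver, so both the node that triggers the servlet and the node named in `path` are subject to the requesting user's ACLs.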


Community Advisor

If the servlet is called from author, then it will have the current logged-in user's permissions.
If it is called from publish (live site), then it will only have read access to /content.