Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

Sling Authentication Service locking up threads and spiking CPU in AEM 5.6.1

Avatar

Level 3

I need to allow unauthenticated access to certain JCR paths. So I added a path exception to the Sling Authentication Service configuration under "authentication requirements". In the attached screenshot the path is /test1.

If I then POST to that path (via curl -X POST http://localhost:4502/test1) the request handler thread gets locked up forever and the CPU spikes.

I'm assuming there's something else I need to configure somewhere. Or maybe there's a hotfix that would help? Any thoughts?

The entire stack trace of the locked-up thread is attached. Below are the first few frames:

Thread 33287: (state = IN_VM) - java.lang.Throwable.fillInStackTrace(int) @bci=0 (Compiled frame; information may be imprecise) - java.lang.Throwable.fillInStackTrace() @bci=16, line=783 (Compiled frame) - java.lang.Throwable.<init>(java.lang.String) @bci=24, line=265 (Compiled frame) - java.lang.Exception.<init>(java.lang.String) @bci=2, line=66 (Compiled frame) - javax.jcr.RepositoryException.<init>(java.lang.String) @bci=2, line=28 (Compiled frame) - javax.jcr.security.AccessControlException.<init>(java.lang.String) @bci=2, line=32 (Compiled frame) - javax.jcr.AccessDeniedException.<init>(java.lang.String) @bci=2, line=28 (Compiled frame) - org.apache.jackrabbit.core.ItemManager.createItemData(org.apache.jackrabbit.core.state.ItemState, org.apache.jackrabbit.spi.Path, boolean) @bci=86, line=849 (Compiled frame) - org.apache.jackrabbit.core.ItemManager.getItemData(org.apache.jackrabbit.core.id.ItemId, org.apache.jackrabbit.spi.Path, boolean) @bci=91, line=391 (Compiled frame) - org.apache.jackrabbit.core.ItemManager.itemExists(org.apache.jackrabbit.core.id.ItemId, org.apache.jackrabbit.spi.Path) @bci=21, line=304 (Compiled frame) - org.apache.jackrabbit.core.ItemManager.itemExists(org.apache.jackrabbit.spi.Path) @bci=22, line=476 (Compiled frame) - org.apache.jackrabbit.core.session.SessionItemOperation$1.perform(org.apache.jackrabbit.core.ItemManager, org.apache.jackrabbit.spi.Path) @bci=2, line=49 (Compiled frame)

Thanks in advance for any comments.

David Frenkiel

1 Reply

Avatar

Level 6

Hi,

how is the ACL setup on that node that you are trying to post to? Even if you have set the - on the path, you still need to set the priviliges on the /test1 node to include the "everyone" user with, in this case rwm rights, or use the check the "allow anonymous access" (not recommended). Sling Authentication is still in use even if you state that the path -/test1 is to be excluded in the authentication.

IMHO, you should not allow for anonymous access to your author to create content.

/Ove

Avatar

Level 3

Thanks, Ove! I think that fixes it.

This is part of getting SAML authentication configured at a specific path (not the default /). So we won't actually be allowing anonymous POSTs.

If I have the SAML path set to /content/geometrixx, for example, then I need to configure Sling authentication to ignore requests to /saml_login. And thus, as per your suggestion, I have to allow everyone write access to /saml_login.

I still need to get the entire configuration going to see if the full SAML flow works, but it looks promising at the moment.

Thanks again.

David Frenkiel

Avatar

Level 3

As it turns out it looks like I didn't need to go down this path to get SAML working at specific paths.

I just needed to add /saml_login to the list of repository paths in the SAML configuration.

All mysteries solved I think/pray.

Thanks!

David Frenkiel

Avatar

Level 6

Good that you found that out yourself. I did exactly the same "roundtrip" over the Sling authenticator when I was doing a PoC on the SAML login.

/Ove