A

Anonymous

Solved

Sling Script Resolution in publish instance for anonymous user

Forum|Forum|9 years ago
April 4, 2016
5 replies
1951 views

How does component's jsp gets executed on aem publish instance for anonymous user when anonymous does not have access to '/apps' folder.

- content page gets rendered properly for anonymous user even when it does not have access to /apps, as per sling script resolution; the script is searched under 'apps' or 'libs'

http://dev.day.com/content/ddc/blog/2010/08/understanding_howsc.html

How does the script gets resolved when the anonymous user does not have access to apps in publish instance?

Does the jsp script gets compiled at a place and loaded from there?

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

Best answer by joerghoh

I think, that it depends a bit on your AEM/Sling version; in versions including AEM 6.0 it's using an admin session, but I guess, sooner or later there will be a service user for this. The process as described on the sling site is correct and it works this way on author and publish, the only drawback you could see is that it doesn't mention the sessions being involved in this.

removing any privilege for the "admin" user doesn't have any effect.

Jörg

smacdonald2008

Level 10

"How does component's jsp gets executed on aem publish instance for anonymous user when anonymous does not have access to '/apps' folder"

If you want anonymous users to be able to run code, extend the correct rights. See:

https://docs.adobe.com/docs/en/cq/5-6-1/administering/security.html

joerghoh

Adobe Employee

Hi,

the script resolution process is not using the ResourceResolver attached to the request, but using a different one (with elevated privileges).

Jörg

A

Anonymous

Hi Jörg,

Thanks for your reply. Could you please elaborate a bit more? Is there a user with elevated privileges with whose permissions the script gets resolved on publish? Does the sling resolution process https://sling.apache.org/documentation/the-sling-engine/url-to-script-resolution.html work this way only on author?

If we remove the permissions of 'apps' for admin user from author; will the page not work there as well?

Pritam

joerghoh

Accepted solution

Adobe Employee

I think, that it depends a bit on your AEM/Sling version; in versions including AEM 6.0 it's using an admin session, but I guess, sooner or later there will be a service user for this. The process as described on the sling site is correct and it works this way on author and publish, the only drawback you could see is that it doesn't mention the sessions being involved in this.

removing any privilege for the "admin" user doesn't have any effect.

Jörg

A

Anonymous

Thanks Jörg, i tested it by removing the /apps folder permission for a user on author, the page got rendered successfully so i understand that sling script resolution internally uses the admin session to resolve the script and it's does not use the slingRequest user session.

I appreciate it.

Cheers

Pritam

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded