SOLVED

Sling Servlet exposing as JSON Content Services


Level 4

I have an AEM 5.6.1 implementation which is a heavily content-based application and implemented single sign-on using some Central Authentication Service (CAS), and the Publish server has URLs protected like /content, /etc, /dam, /bin etc.

So anybody trying to access a CQ content path will mostly be redirected to CAS. The browser gets an auth token after successful login and then CQ5 Publish lets you into the system.

The requirement is to expose some of the content as a JSON service. I can expose content, i.e. /content/xyz.6.json, or I can write a Sling servlet and dump any content path into JSON responses.

CQ5 is running in domain x1.x.com, while the other client is running in x2.x.com. Both are under the same CAS and understand the auth cookies very well, so in the same browser session, if I am logged in, I can access CQ5 content or the servlet like this: http://x1.x.com/content/xyz.6.json or http://x1.x.com/bin/jsonContentService. So accessing any CQ5 content URL in the same browser is not an issue.

Where is the problem?

When I try to make an AJAX call in JS code in x2.x.com to http://x1.x.com/content/xyz.6.json I get several issues.

  1. CORS. So I put “Access-Control-Allow-Origin *” in the IIS web.config on the CQ5 side, so this is taken care of.
  2. Auth cookies are available in the browser, and when the content URL is called from the AJAX/RESTful call, the cookies are passed to the CQ5 SSO code, but the custom client SSO in Publish does not understand the auth cookies and redirects to the CAS login URL.

If you try to access the same content URL in the browser, then the custom SSO on Publish is able to read the auth cookies and lets you go. I understand this is a very vague situation; people talk a lot about this in several blogs and forums. Can anybody share some thoughts?

My primary question is: why does auth work in browser access but not in the AJAX call?

Regards,
Chandra


5 Replies


Level 4

Are you trying to access the servlet using Ajax from an AEM JSP?


Level 4

The application is AngularJS code in x2.x.com making a call to the AEM Sling servlet, which is in x1.x.com. Remember .x.com is the common domain, and both domains are under CAS for authentication.


Level 2

Check the type of auth cookie. If it is HTTPS and secured then, cross-domain, it won't be visible to client-side scripts (JS), but it would be server-side.


Correct answer by
Level 4

Both domains are running on HTTPS; I am not getting your point.

I did it differently. I created an anonymous Sling servlet which has the auth cookies. I verify that the cookies were issued by the right authority; if yes, then I expose the relevant content as JSON in the browser response.


Level 4

These finally needed to be set up on the server side, either in the servlet or on IIS:

        @Override
        protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response) throws IOException {
            final ResourceResolver resourceResolver = request.getResourceResolver();
            // Echo the one trusted origin (not "*"), so the browser will send the auth cookies along
            response.addHeader("Access-Control-Allow-Origin", "http://source domain");
            response.addHeader("Access-Control-Allow-Credentials", "true");
            response.addHeader("Access-Control-Allow-Headers", "timestamp,X-XSRF-TOKEN,Referer,sourceSystem,transactionId");
        }
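To show why the wildcard from step 1 of the question cannot carry a cookie-backed call, and what the headers in the reply above achieve, here is an added example (not code from the thread) that models both halves of the exchange in JavaScript; the origin allowlist and the https:// forms of the thread's domains are assumptions.

```javascript
// Added example, not from the thread. Models a credentialed AJAX call from
// https://x2.x.com to a Sling servlet on https://x1.x.com (constructed origins).

// Server side: explicit allowlist of origins that may make credentialed calls.
const ALLOWED_ORIGINS = new Set(['https://x2.x.com']);

// Headers the servlet (or IIS) should emit for a given request's Origin header.
// Returns null when the origin is not trusted: the browser then blocks the read.
function corsHeadersFor(requestHeaders) {
  const origin = requestHeaders['origin'];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return null;
  }
  return {
    'Access-Control-Allow-Origin': origin,        // echo the one trusted origin, never "*"
    'Access-Control-Allow-Credentials': 'true',   // browser may attach the CAS cookies
    'Access-Control-Allow-Headers': 'timestamp,X-XSRF-TOKEN,Referer,sourceSystem,transactionId',
    'Vary': 'Origin',                             // keep shared caches from reusing the reply
  };
}

// What the question's web.config produced: a wildcard and no credentials flag.
const WILDCARD_HEADERS = { 'Access-Control-Allow-Origin': '*' };

// Browser side: the check applied before a credentialed response is handed to JS.
// The cookie itself is attached by the browser and is never readable by the script.
function browserAcceptsCredentialedResponse(origin, responseHeaders) {
  if (!responseHeaders) return false;
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  const acac = responseHeaders['Access-Control-Allow-Credentials'];
  // With credentials, "*" is rejected and the origin must match exactly.
  return acao === origin && acac === 'true';
}

// Client side: without credentials: 'include' the browser keeps the cookies at home,
// the servlet sees an anonymous request, and the SSO filter redirects to the CAS login.
function clientRequestOptions() {
  return { method: 'GET', credentials: 'include' };
}
```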