
SOLVED

Sling Servlet Filter to verify user group access


Level 4

Hi Team,

 

I have a requirement for my servlets where I need to verify the end user's access via an AEM user group. Only if he is part of some xyz AEM group do I want to allow him/her to access some /content resource. If he is not part of the xyz group, then I want to reject the user request saying unauthorized.

 

I have 10 servlets created, and for all the servlets I need to create one Servlet FILTER as a pre-processor to verify him/her against user group access.

 

I want to create a single filter for all servlets, where I verify the user's AEM user group access in the FILTER itself. If he is part of the XYZ group, then allow him to access the original servlet and content. If he is not, reject the request in the filter itself by giving a 401.

 

Now how can I create the Servlet Filter for this use case?

 

@lukasz-m @anchal 

 

Thanks,

Ramesh


1 Accepted Solution


Correct answer by
Community Advisor

Hi @Uppari_Ramesh 

 

When you create a Servlet Filter, you get an option to specify the requests for which the filter should be called, like:

import javax.servlet.Filter;
import org.apache.sling.engine.EngineConstants;
import org.osgi.framework.Constants;
import org.osgi.service.component.annotations.Component;

@Component(
        service = Filter.class,
        property = { EngineConstants.SLING_FILTER_SCOPE + "=REQUEST",   // run once per request, not per include
                EngineConstants.SLING_FILTER_PATTERN + "="               // regex matched against the request path
                        + "/content(/dam)?/myproject/(\\w{2})/(\\w{2})(/.*)?",
                Constants.SERVICE_RANKING + ":Integer=1" })
public class RequestFilter implements Filter {
    // init(), doFilter() and destroy() follow; the group check belongs in doFilter()
}


You can always use a regex, as shown above, to specify all the servlet paths for which the filter should be called.

There are others as well, like sling.filter.resource.pattern, sling.filter.selectors and sling.filter.extensions, mentioned in https://sling.apache.org/documentation/the-sling-engine/filters.html, which can help you specify your requests better.

If you register servlets by resourceType, you can use the property sling.filter.resourceTypes, where you can specify the whole list of resourceTypes of the servlets.

Hope it helps!

Thanks

Nupur


3 Replies


Community Advisor

Hi @Uppari_Ramesh ,

You can target all of your servlets with the resourceType mentioned in the filter declaration "sling.filter.resourceTypes", or with other filter patterns, no?

documentation: https://sling.apache.org/documentation/the-sling-engine/filters.html

Regards,

Sravan



Level 5

Assuming these are custom servlets not bound by resource type but registered by paths, I suggest having a custom config attached to the filter where you can manage servlet paths and allowed groups, so that inside your code one filter can validate different paths against the groups associated for authorization. However, do remember that this works only for author and not publisher, as publisher exposes content in an anonymous fashion by default. Hope this insight helps. Thanks
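Putting the two suggestions in this thread together (the sling.filter.scope / sling.filter.pattern registration from the accepted answer, and the config-driven mapping of servlet paths to allowed groups from the last reply), here is an added example of such a filter. It is not code from this thread or from AEM; the class name, the /bin/myproject servlet prefix, the rule format, and the group ids report-viewers and administrators are assumptions made for illustration:

```java
import java.io.IOException;
import java.util.*;
import javax.jcr.RepositoryException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import org.apache.jackrabbit.api.security.user.*;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.engine.EngineConstants;
import org.osgi.framework.Constants;
import org.osgi.service.component.annotations.*;
import org.osgi.service.metatype.annotations.*;

// Added example (not from the thread): one filter in front of every path-bound servlet
// under /bin/myproject (assumed prefix). Which AEM groups may call which servlet path
// is OSGi configuration, so a new servlet needs a config entry, not a code change.
@Component(service = Filter.class, property = {
        EngineConstants.SLING_FILTER_SCOPE + "=REQUEST",
        EngineConstants.SLING_FILTER_PATTERN + "=/bin/myproject(/.*)?",
        Constants.SERVICE_RANKING + ":Integer=1" })
@Designate(ocd = GroupAccessFilter.Config.class)
public class GroupAccessFilter implements Filter {

    @ObjectClassDefinition(name = "Example Group Access Filter")
    public @interface Config {
        @AttributeDefinition(description = "One entry per servlet: <path>=<group id>[,<group id>...]")
        String[] rules() default {
                "/bin/myproject/reports=report-viewers,administrators",   // assumed group ids
                "/bin/myproject/admin=administrators" };
    }

    private Map<String, Set<String>> rules = Collections.emptyMap();   // servlet path -> allowed groups

    @Activate
    protected void activate(Config config) {
        Map<String, Set<String>> parsed = new HashMap<>();
        for (String rule : config.rules()) {
            int eq = rule.indexOf('=');
            if (eq <= 0) continue;                                 // malformed entry: skip it
            Set<String> groups = new HashSet<>();
            for (String g : rule.substring(eq + 1).split(",")) {
                if (!g.trim().isEmpty()) groups.add(g.trim());
            }
            parsed.put(rule.substring(0, eq).trim(), groups);
        }
        rules = parsed;
    }

    // Longest matching prefix wins; match on a path boundary so the rule for /a/b does not cover /a/bc.
    Set<String> allowedGroupsFor(String path) {
        String best = null;
        for (String prefix : rules.keySet()) {
            if ((path.equals(prefix) || path.startsWith(prefix + "/"))
                    && (best == null || prefix.length() > best.length())) {
                best = prefix;
            }
        }
        return best == null ? null : rules.get(best);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof SlingHttpServletRequest) || !(res instanceof HttpServletResponse)) {
            chain.doFilter(req, res);                              // not a Sling HTTP request
            return;
        }
        SlingHttpServletRequest request = (SlingHttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestPathInfo().getResourcePath();  // selectors, extension and suffix stripped
        String userId = request.getResourceResolver().getUserID();
        Set<String> allowed = allowedGroupsFor(path);
        if (allowed == null) {                                     // in scope but no rule: fail closed
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } else if (userId == null || "anonymous".equals(userId)) { // not logged in (publish default)
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else if (isMemberOfAny(request.getResourceResolver(), userId, allowed)) {
            chain.doFilter(req, res);                              // authorised: on to the servlet
        } else {                                                   // logged in, wrong group: 403, not 401
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    private boolean isMemberOfAny(ResourceResolver resolver, String userId, Set<String> allowed) {
        UserManager userManager = resolver.adaptTo(UserManager.class);
        try {
            Authorizable user = userManager == null ? null : userManager.getAuthorizable(userId);
            if (user == null || user.isGroup()) return false;
            for (Iterator<Group> it = user.memberOf(); it.hasNext(); ) {  // memberOf() includes nested groups
                if (allowed.contains(it.next().getID())) return true;
            }
        } catch (RepositoryException e) { /* membership could not be read: deny below */ }
        return false;                                              // cannot prove membership: deny
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

A few points a practitioner will want to check: the filter answers 401 only when the caller is anonymous (the publish-tier situation the last reply warns about) and 403 when the user is logged in but not in an allowed group, so clients are not prompted to re-authenticate for an authorization failure; it fails closed for any path the pattern puts in scope but no rule covers; rule prefixes are matched on a path boundary, so /bin/myproject/reports-export is not covered by the /bin/myproject/reports rule; and memberOf() is used rather than declaredMemberOf(), so membership via a nested group counts. The filter only guards the servlet paths: the /content resources the servlets read still need repository ACLs, since nothing stops a user from requesting them directly.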