SOLVED

Temporarily bypass a closed user group page within a servlet

Hello,

I have a page, which is protected with a closed user group. Now I need to get the HTML-Markup of this (protected) page via a servlet.

The difficulty here is that the user should not need to be logged in. I know it sounds weird to protect a page just to make it vulnerable again through a servlet, but it is the customer's wish. :)

My first step to solve this was to create this servlet and use a RequestDispatcher object, which calls the "/content/.../targetpage.html":

    StringWrapper responseWrapped = new StringWrapper(response);
    RequestDispatcher dispatcher = request.getRequestDispatcher("/content/blah/protectedsection/targetpage.html");
    dispatcher.include(request, responseWrapped);
    String markup = responseWrapped.toString();

This works as expected: The RequestDispatcher calls the given resource and delivers the constructed HTML into my String object which I then can use for things to come.

But this works just as long as I am logged in. As soon as I logout, i.e. lose my sling authentication, the RequestDispatcher does not deliver anything. This is because it is just using the actual request of the user calling the servlet (who is not authenticated).

What I need, would be something like an internal "RequestDispatcherWithCredentials" (which does not exist, of course) which can access at least the pages I need.

Maybe there is a possibility to get administrative privileges temporarily within the servlet? For example, I know how to get an admin session and how to access any node within the jcr - independently from the credentials of the actual user. So there should be also a way to bypass closed user groups to get final HTML markup... I hope.

Has anyone an idea how I could solve this?

Thanks in advance for your help!

Florian

1 Accepted Solution

Correct answer by
Employee

Hi Florian,

First off, let's just get this out of the way - this is a bad idea. You shouldn't do it. But you know that already :)

The way to handle this requirement is using the SlingRequestProcessor interface (http://sling.apache.org/apidocs/sling6/org/apache/sling/engine/SlingRequestProcessor.html). You'll also want to use the RequestResponseFactory to create synthetic request and response objects (http://dev.day.com/docs/en/cq/current/javadoc/com/day/cq/contentsync/handler/util/RequestResponseFac...).

The code would look like this (ignoring service injections and error handling):

    // Synthetic GET request for the protected page
    HttpServletRequest request = requestResponseFactory.createRequest("GET", "/content/blah/protectedsection/targetpage.html");
    // The rendered markup is written into this buffer
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    HttpServletResponse response = requestResponseFactory.createResponse(baos);
    // Administrative resolver: the request is processed with full repository access
    ResourceResolver resolver = resourceResolverFactory.getAdministrativeResourceResolver(null);
    requestProcessor.processRequest(request, response, resolver);
    resolver.close();

HTH,

Justin

P.S. Don't do this :)

3 Replies

Hi Justin,

thanks for your help! I am still in the process of trying it out, but not yet getting it to run. (NullPointerException for any reason) ;)

I have to take more time on Friday (tomorrow are holidays in Germany).

I'll update this post then.

Thanks again!

Florian

Hi again,

it worked. Somehow I feel bad, but it worked... >:)

Right now I am implementing some security mechanisms to harden this construction at least a little bit.

Thanks again!

Florian
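
One way to harden the construction from the accepted answer, as an added example that is not part of the original thread or any poster's code: the servlet renders only pages from a fixed server-side allowlist and uses a service-user resolver instead of the administrative one. The class name, the servlet path `/bin/example/protected-markup`, the `page` parameter and the `cug-render` subservice (assumed to be mapped to a system user with read access to the protected subtree only) are assumptions.

```java
import com.day.cq.contentsync.handler.util.RequestResponseFactory;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.engine.SlingRequestProcessor;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Collections;
import java.util.Map;

// Hypothetical servlet path and class name; adjust to the project.
@Component(service = Servlet.class, property = "sling.servlet.paths=/bin/example/protected-markup")
public class ProtectedMarkupServlet extends SlingSafeMethodsServlet {
    // Server-side allowlist: the caller sends a key, never a repository path.
    private static final Map<String, String> ALLOWED = Collections.singletonMap(
            "targetpage", "/content/blah/protectedsection/targetpage.html");
    @Reference private RequestResponseFactory requestResponseFactory;
    @Reference private SlingRequestProcessor requestProcessor;
    @Reference private ResourceResolverFactory resolverFactory;

    @Override
    protected void doGet(SlingHttpServletRequest req, SlingHttpServletResponse resp)
            throws ServletException, IOException {
        String path = ALLOWED.get(req.getParameter("page"));
        if (path == null) { // unknown or missing key: render nothing
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // "cug-render" is an assumed subservice name; its system user should only read the protected subtree.
        Map<String, Object> auth = Collections.<String, Object>singletonMap(ResourceResolverFactory.SUBSERVICE, "cug-render");
        try (ResourceResolver resolver = resolverFactory.getServiceResourceResolver(auth)) {
            HttpServletRequest inner = requestResponseFactory.createRequest("GET", path);
            ByteArrayOutputStream baos = new ByteArrayOutputStream();
            HttpServletResponse innerResp = requestResponseFactory.createResponse(baos);
            requestProcessor.processRequest(inner, innerResp, resolver);
            resp.setContentType("text/html;charset=UTF-8");
            resp.getOutputStream().write(baos.toByteArray());
        } catch (LoginException e) { // service-user mapping missing or misconfigured
            throw new ServletException("No service user mapped for subservice cug-render", e);
        }
    }
}
```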