SOLVED

What's the correct way of storing passwords in AEM?

Level 9

I have an OSGI service/service implementation combo to store the GTM codes.

I have some passwords that are stored in .java files at the moment. To make it more secure, I followed the same technique used on the GTM codes to create an OSGI config (accessible via configMgr). I have no problems accessing it on my component class (com.myhost.core.impl.view.component.mycomponent).

The issue I have is I cannot access the password config in a servlet.

This led me to believe that perhaps I'm doing it wrong.

So I searched the net and came across this article (https://aemhq.com/posts/aem-encryption-101-how-to-encrypt-a-shared-secret/).

3 questions

  1. Is what I originally did best practice?
  2. If yes, how can I access the OSGI config from a servlet?
  3. How do I know which filename to use for the XML if I were to use the techniques mentioned in the link? Can I arbitrarily use whatever filename I want?

I actually have tried question 3. I followed the article. I created a new XML (filename=com.myhost.core.services.impl.whatever.xml) file inside ui.apps/src/main/content/jcr_root/apps/myhost/configs/config.author.localhost and used the xml below as the contents of the file. I installed the compiled maven package (.zip) but I cannot see the new XML in CRXDE (/apps/myhost/configs/config.author.localhost).

<?xml version="1.0" encoding="UTF-8"?>
<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
    xmlns:jcr="http://www.jcp.org/jcr/1.0" jcr:primaryType="sling:OsgiConfig"
    username="mySampleUsername"
    encryptedpassword="{89cb4befeb375b865332fed9bbde85b8842a2318be4901851c3b5a0495c49f13dad8b4cfd38a6fa26f07ea361ea4994e}"/>

Thanks for the help!

1 Accepted Solution

Correct answer by
Level 7

1. I think Crypto Support is provided by Adobe, so it should be according to a standard guideline. In addition to your article, you can also read more about Crypto Support: https://www.argildx.com/crypto-support-aem/

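2. You can read configurations in a servlet via ConfigurationAdmin.

  // Imports needed: java.io.IOException, org.osgi.service.cm.Configuration,
  // org.osgi.service.cm.ConfigurationAdmin, org.osgi.service.component.annotations.Reference
  @Reference
  private ConfigurationAdmin configAdmin;

  private static final String LOGGER_FACTORY_PID = "org.apache.sling.commons.log.LogManager.factory.config";

  @Override
  protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response) throws ServletException, IOException {
      // getConfiguration() declares IOException, so doGet has to declare it as well
      Configuration loggerFactoryConfig = configAdmin.getConfiguration(LOGGER_FACTORY_PID);
  }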

I would recommend creating an OSGi service along with an OSGi configuration of the same name and using that service in the servlet.

3. The name of the configuration file can be arbitrary, but if you have created an OSGi service then the configuration file name should be the same as the service name. Read more about OSGi configurations here: Configuring OSGi.

4. Check your package filter (filter.xml); you might have forgotten to add the XML file.

4 Replies

Community Advisor

Hi,

Yes, you can use OOTB encryption to store the password.

To access any factory or service configuration you can check below: aem63app-repo/ReadOsgiRepoConfImpl.java at master · arunpatidar02/aem63app-repo · GitHub

But you can access encryption configs as mentioned in the article.

You can create a sling:OsgiConfig OSGi config inside the repo with the node name set to the PID of your service, and to access its configs you should use a service reference.



Arun Patidar

Level 9

Thanks for the response. With question 2, what sort of reference do I need to import to get it to work?

I'm currently using "org.osgi.service.component.annotations.Reference" and have the following Java code in my servlet:

  @Reference
  private ConfigurationAdmin configAdmin;

  private static final String LOGGER_FACTORY_PID = "org.apache.sling.commons.log.LogManager.factory.config";

  @Override
  protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response) throws ServletException, IOException {
      Configuration loggerFactoryConfig = configAdmin.getConfiguration(LOGGER_FACTORY_PID);
  }

configAdmin is null and this results in an NPE error.

Any ideas what I could be doing wrong? Thanks

Level 7

Hi,

You might be missing the Service User Mapping configuration for the bundle.

Check your error.log and see if you have the error below:

" org.apache.sling.jcr.resource.internal.JcrSystemUserValidator The provided service user id 'serviceuser--Lab2019.core' is not a known JCR system user id and therefore not allowed in the Sling Service User Mapper."

Read here for service user configurations: Service Users in AEM
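
Added example, not part of the original thread or Adobe's code: one way to follow the accepted answer's recommendation, with a configured OSGi service that decrypts the `encryptedpassword` property through Crypto Support and a servlet that consumes it. The class names, the servlet path and the two-file layout are assumptions; `username` and `encryptedpassword` are the property names from the question's XML.

```java
// File 1: CredentialServiceImpl.java (hypothetical class name)
package com.myhost.core.services.impl;
import com.adobe.granite.crypto.CryptoException;
import com.adobe.granite.crypto.CryptoSupport;
import org.osgi.service.component.annotations.*;
import org.osgi.service.metatype.annotations.*;

// The default PID is the class name, so the sling:OsgiConfig file is
// com.myhost.core.services.impl.CredentialServiceImpl.xml in the run-mode config folder.
@Component(service = CredentialServiceImpl.class)
@Designate(ocd = CredentialServiceImpl.Config.class)
public class CredentialServiceImpl {
    @ObjectClassDefinition(name = "Credential Service (example)")
    public @interface Config {
        @AttributeDefinition String username() default "";
        @AttributeDefinition String encryptedpassword() default "";
    }
    @Reference private CryptoSupport crypto;
    private volatile Config config;

    @Activate @Modified
    protected void activate(Config config) { this.config = config; }

    public String getUsername() { return config.username(); }

    // Decrypt on demand; reject a plaintext value and never log the result.
    public String getPassword() {
        String stored = config.encryptedpassword();
        if (!crypto.isProtected(stored)) {
            throw new IllegalStateException("encryptedpassword is not a protected value");
        }
        try { return crypto.unprotect(stored); }
        catch (CryptoException e) { throw new IllegalStateException("cannot decrypt", e); }
    }
}

// File 2: CredentialServlet.java (hypothetical class name and path)
package com.myhost.core.services.impl;
import java.io.IOException;
import javax.servlet.Servlet;
import org.apache.sling.api.*;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.*;

// DS only injects @Reference fields into classes it manages as components.
@Component(service = Servlet.class, property = "sling.servlet.paths=/bin/myhost/credcheck")
public class CredentialServlet extends SlingSafeMethodsServlet {
    @Reference private transient CredentialServiceImpl credentials;
    @Override
    protected void doGet(SlingHttpServletRequest req, SlingHttpServletResponse resp) throws IOException {
        boolean loaded = !credentials.getPassword().isEmpty(); // real code hands the value to the backend client
        resp.getWriter().write("secret loaded: " + loaded);
    }
}
```

The `{…}` value is tied to the Crypto Support key of the instance that produced it, so generate it on each environment (or share the key) before deploying the config.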