AEM content services - secure json exported

Level 10

Want to hear thoughts around this: on a publish instance, what's the best way to secure the JSON exported via content services (.model.json and the custom exporter framework, using the annotation)? I tend to consider JSON exported using the JSON exporter to be an extension of content services as well, and hence part of content services.

For the latter (exporter annotations), I understand one can customize the exported JSON to contain only what needs to be exported, but is there a way to secure the exported JSON so that only certain people can access it? Is security added based on the resource type set within the annotation?

Typically, when one exposes a servlet, the resource type is something that enables security, as I gather, among other ways such as service user accounts and API checks.

5 Replies

Community Advisor

Hi @NitroHazeDev ,

Another thought: you can have ACLs enabled for the particular page/resource and restrict access to certain users/groups. Content services should respect the ACLs OOTB.

If your requirement is to enable access for a particular host, then the Sling referrer filter is the way forward, as mentioned in the other comment.

Thanks,

Somen

Level 10

Thanks @Imran__Khan and @somen-sarkar. Without updating the host, my query is inclined towards exposing, say, model.json and having the data exposed in a secure fashion. Given the host, I still want to restrict model.json access by the general public and retain it for a few. Of course, one could have just the required data exposed using the exporter framework, and thus via model.json, but securing the JSON, I would imagine, is via the resource type that the exporter framework looks at? Or is there any other way, like exposing via a custom servlet (not exported) and use of service user accounts? Naturally model.json should not be something the general public sees.

I am considering use of the exporter annotation as part of content services unless someone feels otherwise.

Community Advisor

@NitroHazeDev 

If you want to restrict access to the model.json data in a secure fashion without updating the host, you have a few options. Here are a couple of approaches you could consider:

Restrict Access at the Servlet Level: You can create a custom servlet that serves the JSON data and then implement access control within the servlet code. This way, you have full control over who can access the JSON data. You can authenticate users using service user accounts or any other authentication mechanism of your choice. Once authenticated, you can verify whether the user has the necessary permissions to access the data before returning it. This approach gives you fine-grained control over access to the data.

Use the Exporter Framework with Access Controls: You mentioned considering the Exporter annotation as part of content services. This is a good approach as well. You can use the Exporter framework to expose only the required data via the model.json, ensuring that sensitive information is not exposed to the general public. Additionally, you can implement access controls within your model classes or the exporter itself to restrict access to certain users or groups. This approach allows you to leverage AEM's built-in security mechanisms while still exposing data via the model.json.

In both cases, you should ensure that access controls are implemented properly to prevent unauthorized access to the JSON data. Choose the approach that best fits your project requirements and security considerations.
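As an added illustration of the first approach above (a custom servlet that enforces access control before returning the JSON), here is a Sling servlet that serves `<page>.model.json` only to members of a given group, on top of the repository ACLs that already apply to the caller's session. This is example code, not from the thread or from AEM; the resource type `example/components/restricted-page`, the group id `content-services-readers`, and a Sling Model registered for that resource type (so `ModelFactory.getModelFromResource()` can find it) are assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import javax.jcr.RepositoryException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import org.apache.jackrabbit.api.security.user.*;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.models.factory.ModelFactory;
import org.osgi.service.component.annotations.*;

// Bound to a hypothetical resource type, so it handles GET <page>.model.json for that type only.
@Component(service = Servlet.class, property = {
        "sling.servlet.resourceTypes=example/components/restricted-page",
        "sling.servlet.selectors=model",
        "sling.servlet.extensions=json",
        "sling.servlet.methods=GET" })
public class RestrictedModelJsonServlet extends SlingSafeMethodsServlet {
    private static final String ALLOWED_GROUP = "content-services-readers"; // hypothetical group id
    @Reference
    private ModelFactory modelFactory;

    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // The request's resolver is the caller's own session (anonymous or logged in on publish), so the
        // page ACLs still apply. Never swap in a service-user resolver here: it would read with its rights.
        ResourceResolver resolver = request.getResourceResolver();
        if (!isMemberOfAllowedGroup(resolver)) { response.sendError(SlingHttpServletResponse.SC_FORBIDDEN); return; }
        try { // look up the Sling Model registered for this resource type and run its Jackson exporter
            Object model = modelFactory.getModelFromResource(request.getResource());
            String json = modelFactory.exportModel(model, "jackson", String.class, Collections.emptyMap());
            response.setContentType("application/json;charset=UTF-8");
            response.getWriter().write(json);
        } catch (Exception e) { // ExportException, MissingExporterException, ModelClassException
            throw new ServletException("Model export failed", e);
        }
    }

    /** Fails closed: if the caller or the group cannot be resolved, access is denied. */
    private boolean isMemberOfAllowedGroup(ResourceResolver resolver) {
        UserManager userManager = resolver.adaptTo(UserManager.class);
        if (userManager == null) return false;
        try {
            Authorizable caller = userManager.getAuthorizable(resolver.getUserID());
            Authorizable group = userManager.getAuthorizable(ALLOWED_GROUP);
            return caller != null && group instanceof Group && ((Group) group).isMember(caller);
        } catch (RepositoryException e) { return false; }
    }
}
```

Because the default Sling Models exporter servlet is bound to the same resource type, selector and extension, this servlet needs a higher `service.ranking` to take precedence. Note that a page ACL alone (the second approach above) already blocks the default model.json for users without read access, since Sling resolves the resource with the caller's session before any exporter runs.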

Level 10

Thanks for the details. My question would be: how would one design the model JSON to be secure? Using the exporter, one would use the resource type; does that help provide secure access, or are we suggesting we use service user accounts to restrict it? Can we also restrict model.json to only a certain subset of users?