Thursday, August 28, 2014

How to Use Sessions and Resource Resolver through Service Authentication In AEM6

Use Case: As per http://sling.apache.org/documentation/the-sling-engine/service-authentication.html and http://docs.adobe.com/content/docs/en/aem/6-0/develop/ref/diff-previous/changes/changes-summary.html, using an admin session or an admin resource resolver obtained through ResourceResolverFactory is now deprecated. Using service-based authentication for the ResourceResolver and the repository Session solves problems like the following (directly from the Sling doc):
  • Prevent over-use and abuse of administrative ResourceResolvers and/or JCR Sessions
  • Allow services access to ResourceResolvers and/or JCR Sessions without requiring to hard-code or configure passwords
  • Allow services to use service users which have been specially configured for service level access (as is usually done on unixish systems)
  • Allow administrators to configure the assignment of service users to services

Solution:

NOTE: Use Service Accounts for alice and bob users [jcr:primaryType=rep:SystemUser] instead of regular accounts.

Let's say we have two users, "alice" and "bob", with the following properties:
  • "alice" only has READ access to documents under the /content/somepath path
  • "bob" has both read and write access to documents under the /content/somepath path
Now we have two services, "ReadService" and "WriteService", with the following properties:
  • ReadService should only be allowed to read anything under the /content/somepath path
  • WriteService should be allowed both read and write under the /content/somepath path

Assume your package name is blog.wemblog.com

Step 1: Create WriteService, obtaining its resource resolver or JCR session through the new service-based authentication API rather than through an administrative login.
Step 2: Create ReadService the same way.
Step 3: Update the org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl config by creating an osgi:config node under /apps/<your-apps>/config.<run mode where you want this applied>/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.xml. You can also change this directly in the OSGi configuration through the Felix console; look for "Apache Sling Service User Mapper Service".

The syntax for mapping a service to a user is ‘serviceName [ ":" subServiceName ] "=" username’, and the entry in the OSGi config will look like this:
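As an added example (not code from the original post), here is what the WriteService from steps 1 to 3 looks like in Java with the Felix SCR annotations. It assumes the bundle symbolic name is blog.wemblog.com (the serviceName part of the mapping is the bundle symbolic name, so a different bundle cannot borrow this mapping) and that the ServiceUserMapperImpl config carries the two entries blog.wemblog.com:ReadService=alice and blog.wemblog.com:WriteService=bob in its user.mapping property. The path /content/somepath and the property written are taken from the scenario above. ReadService is the same class with SUB_SERVICE set to "ReadService" and without the write; under alice's mapping the same write attempt fails at save() with an AccessDeniedException, which is exactly the boundary the service-user setup is meant to enforce.

```java
// Added example, not the original post's code. Assumes bundle symbolic name
// blog.wemblog.com and the mapping "blog.wemblog.com:WriteService=bob".
package blog.wemblog.com;

import java.util.Collections;
import java.util.Map;

import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component
@Service(WriteServiceImpl.class)
public class WriteServiceImpl {

    private static final Logger LOG = LoggerFactory.getLogger(WriteServiceImpl.class);

    // Must match the subServiceName in "blog.wemblog.com:WriteService=bob".
    private static final String SUB_SERVICE = "WriteService";
    // Path from the scenario in the post.
    private static final String PATH = "/content/somepath";

    @Reference
    private ResourceResolverFactory resolverFactory;

    /**
     * Reads /content/somepath and writes one property to it as the mapped
     * service user. Returns true only when the save succeeded.
     */
    public boolean writeMarker(String propertyName, String value) {
        // No password anywhere: the mapper decides which system user this
        // bundle + sub-service pair runs as.
        Map<String, Object> authInfo = Collections.<String, Object>singletonMap(
                ResourceResolverFactory.SUBSERVICE, SUB_SERVICE);
        ResourceResolver resolver = null;
        try {
            // LoginException if no mapping exists for this bundle/sub-service
            // or the mapped user cannot log in (e.g. disabled system user).
            resolver = resolverFactory.getServiceResourceResolver(authInfo);
            LOG.info("{}", resolver.getUserID()); // "bob", as in the post's log

            Resource res = resolver.getResource(PATH);
            if (res == null) {
                // A missing path and a path bob may not read look identical here.
                LOG.warn("{} not readable by service user {}", PATH, resolver.getUserID());
                return false;
            }
            Node node = res.adaptTo(Node.class);
            LOG.info("{}", node.getPrimaryNodeType().getName());

            // The Session behind the resolver carries bob's ACLs. Under the
            // ReadService/alice mapping, save() throws AccessDeniedException.
            node.setProperty(propertyName, value);
            Session session = resolver.adaptTo(Session.class);
            session.save();
            LOG.info("Successfully saved");
            return true;
        } catch (LoginException e) {
            LOG.error("Service login failed for sub-service {}", SUB_SERVICE, e);
            return false;
        } catch (RepositoryException e) {
            LOG.error("Write to {} failed", PATH, e);
            return false;
        } finally {
            // Closing the resolver also logs out the Session adapted from it;
            // do not call session.logout() separately.
            if (resolver != null) {
                resolver.close();
            }
        }
    }
}
```

The resolver is always closed in finally, because a service resolver that is never closed leaks a JCR session just as a leaked administrative one did; the difference is that the leaked session now only has bob's rights, not admin's.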

After installing the bundle, the configuration and the code, you should see something like this in the log:

*INFO*  blog.wemblog.com.ReadServiceImpl alice
*INFO*  blog.wemblog.com.ReadServiceImpl <node type of somepath>

*INFO*  blog.wemblog.com.WriteServiceImpl bob
*INFO*  blog.wemblog.com.WriteServiceImpl <node type of somepath>
*INFO*  blog.wemblog.com.WriteServiceImpl Successfully saved


If a service really needs an admin session, you can map it to admin in the OSGi config above, e.g. blog.wemblog.com:WriteService=admin. Good practice is to base these sessions on groups, depending on which group has access to which service.

You might need the following dependencies in your POM for the API to be available:


Please check http://stackoverflow.com/questions/31350548/resourceresolverfactory-getserviceresourceresolver-throws-exception-in-aem-6-1 for some of the changes in AEM 6.1 to how this is used.

As always feel free to ask any question you might have.

6 comments:

  1. Hi Yogesh,

    How can we take necessary measures in AEM 5.6.1 to transition from usage of administrative resource resolver to Service based Authentication for Resourceresolver? Please advise.

    Replies
    1. If the API does not support that, then it is difficult. What you can do is, instead of using null (which is admin) when you initialize the resource resolver, use UserInfo. Something like this,

      Map<String, Object> authInfo = new HashMap<String, Object>();
      //Change this code in future to use read only user
      authInfo.put(ResourceResolverFactory.USER_IMPERSONATION, "some restricted user");
      ResourceResolver rr = null;
      try {
          rr = rrfac.getAdministrativeResourceResolver(authInfo);

          ....

      } catch (LoginException e) {
          // impersonation failed: admin must be allowed to impersonate that user
      } finally {
          // always release the resolver, otherwise the underlying session leaks
          if (rr != null) {
              rr.close();
          }
      }

  2. Just a quick note: this changes in AEM 6.1.

    You will have to use Service Accounts for alice and bob users [jcr:primaryType=rep:SystemUser] instead of regular accounts.

  3. Hello Sridhar,

    Thanks a lot for your feedback. I have updated documentation with your note.

    Yogesh

  4. Hi Yogesh,
    I am trying to unlock a page which is locked by any user. For this I am using this:
    adminSession = repository.loginAdministrative(null);
    userSession = adminSession.impersonate(new SimpleCredentials(lockedByUser, "".toCharArray()));

    Is there any other way to avoid loginAdministrative, as it is deprecated? Please suggest.
