Use Case: As per http://sling.apache.org/documentation/the-sling-engine/service-authentication.html and http://docs.adobe.com/content/docs/en/aem/6-0/develop/ref/diff-previous/changes/changes-summary.html, obtaining an admin session or an admin resource resolver through ResourceResolverFactory is now deprecated. Using service-based authentication for the ResourceResolver and the repository session solves problems like the following (taken directly from the Sling documentation):
- Prevent over-use and abuse of administrative ResourceResolvers and/or JCR Sessions
- Allow services access to ResourceResolvers and/or JCR Sessions without requiring to hard-code or configure passwords
- Allow services to use service users which have been specially configured for service level access (as is usually done on unixish systems)
- Allow administrators to configure the assignment of service users to services
Solution:
NOTE: Use service accounts (jcr:primaryType=rep:SystemUser) for the alice and bob users instead of regular accounts.
Let's say we have two users, "alice" and "bob", with the following properties:
- "alice" only has READ access to documents under the /content/somepath path
- "bob" has both read and write access to documents under the /content/somepath path
Now we have two services, "ReadService" and "WriteService", with the following properties:
- ReadService should only be allowed to read anything under the /content/somepath path
- WriteService should be allowed both read and write access under the /content/somepath path
Assume your package name is blog.wemblog.com.
Step 1: Create ReadService and WriteService using a resourceResolver or adminSession obtained through the new service-based authentication API.
Step 2: Create ReadService the same way.
Step 3: Update the org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl config by creating an OSGi config node at /apps/<your-apps>/config.<run mode where you want this to apply>/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.xml. You can also change this directly in the OSGi configuration through the Felix console; look for "Apache Sling Service User Mapper Service".
The syntax for mapping a service to a user is 'serviceName [ ":" subServiceName ] "=" username'.
The entry in the OSGi config will look like this:
After installing the bundle, configuration and code, you should see something like this in the log:
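As an added example (not code from the original post), here is what the ReadService and WriteService from Steps 1 and 2 look like with the service-based API, together with the user.mapping value the configuration in Step 3 needs. It uses Felix SCR annotations and assumes the bundle's Bundle-SymbolicName is blog.wemblog.com (the service name in the mapping is the bundle symbolic name, which the post equates with the package name), that alice and bob exist as rep:SystemUser accounts with the ACLs described above, and that the method names readPrimaryType and setProperty are my own choice. The LoginException branch is the failure you hit when the mapping entry is missing for this bundle or sub-service, which is the most common problem when moving off the admin resolver.

```java
// OSGi configuration assumed by this example (sling:OsgiConfig node at
// /apps/<your-apps>/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.xml):
//   user.mapping="[blog.wemblog.com:ReadService=alice,blog.wemblog.com:WriteService=bob]"
// "blog.wemblog.com" must be the bundle's Bundle-SymbolicName; alice and bob are rep:SystemUser accounts.

// ---- file: blog/wemblog/com/ReadServiceImpl.java ----
package blog.wemblog.com;

import java.util.Collections;
import java.util.Map;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ModifiableValueMap;
import org.apache.sling.api.resource.PersistenceException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Read-only service: runs as whichever user the mapper binds to sub-service "ReadService". */
@Component
@Service(ReadServiceImpl.class)
public class ReadServiceImpl {
    private static final Logger log = LoggerFactory.getLogger(ReadServiceImpl.class);

    @Reference
    private ResourceResolverFactory rrFactory;

    /** Returns jcr:primaryType of the node at path, or null if the mapped user cannot read it. */
    public String readPrimaryType(String path) {
        // Only the sub-service name goes in: no password, no admin resolver.
        Map<String, Object> authInfo = Collections.<String, Object>singletonMap(
                ResourceResolverFactory.SUBSERVICE, "ReadService");
        ResourceResolver rr = null;
        try {
            rr = rrFactory.getServiceResourceResolver(authInfo);
            log.info(rr.getUserID());                 // "alice" with the mapping above
            Resource res = rr.getResource(path);      // null when alice has no read ACL there
            if (res == null) {
                return null;
            }
            String type = res.getValueMap().get("jcr:primaryType", String.class);
            log.info(type);
            return type;
        } catch (LoginException e) {
            // No user.mapping entry for this bundle/sub-service, or the mapped user cannot log in
            log.error("no service user mapped for ReadService", e);
            return null;
        } finally {
            if (rr != null) {
                rr.close();                           // always release service resolvers
            }
        }
    }
}

// ---- file: blog/wemblog/com/WriteServiceImpl.java (same package and imports as above) ----
/** Read-write service: runs as the user bound to sub-service "WriteService". */
@Component
@Service(WriteServiceImpl.class)
public class WriteServiceImpl {
    private static final Logger log = LoggerFactory.getLogger(WriteServiceImpl.class);

    @Reference
    private ResourceResolverFactory rrFactory;

    /** Sets a String property on the node at path; false if the mapped user lacks read or write access. */
    public boolean setProperty(String path, String name, String value) {
        Map<String, Object> authInfo = Collections.<String, Object>singletonMap(
                ResourceResolverFactory.SUBSERVICE, "WriteService");
        ResourceResolver rr = null;
        try {
            rr = rrFactory.getServiceResourceResolver(authInfo);
            log.info(rr.getUserID());                 // "bob"
            Resource res = rr.getResource(path);
            if (res == null) {
                return false;
            }
            // A JCR session for the same user is available via rr.adaptTo(javax.jcr.Session.class).
            ModifiableValueMap props = res.adaptTo(ModifiableValueMap.class);
            if (props == null) {
                return false;                         // bob can read but not modify this node
            }
            props.put(name, value);
            rr.commit();                              // written as bob, not as admin
            log.info("Successfully saved");
            return true;
        } catch (LoginException e) {
            log.error("no service user mapped for WriteService", e);
            return false;
        } catch (PersistenceException e) {
            log.error("save failed for WriteService", e);
            return false;
        } finally {
            if (rr != null) {
                rr.close();
            }
        }
    }
}
```

Granting alice only read and bob read and write on /content/somepath is what makes the sub-service boundary meaningful: if WriteServiceImpl is ever invoked through the "ReadService" mapping, adaptTo(ModifiableValueMap.class) returns null and nothing is written, instead of an admin resolver silently succeeding.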
*INFO* blog.wemblog.com.ReadServiceImpl alice
*INFO* blog.wemblog.com.ReadServiceImpl <node type of somepath>
*INFO* blog.wemblog.com.WriteServiceImpl bob
*INFO* blog.wemblog.com.WriteServiceImpl <node type of somepath>
*INFO* blog.wemblog.com.WriteServiceImpl Successfully saved
If you need an admin session for a particular configuration, you can map it as blog.wemblog.com:WriteService=admin in the OSGi config above. Good practice is to base these service users on groups, depending on which group should have access to which service.
You might need the following dependencies in your POM for the API to be available:
Please check http://stackoverflow.com/questions/31350548/resourceresolverfactory-getserviceresourceresolver-throws-exception-in-aem-6-1 for some changes in AEM 6.1 to how this is used.
As always feel free to ask any question you might have.
Hi Yogesh,
How can we take the necessary measures in AEM 5.6.1 to transition from usage of the administrative resource resolver to service-based authentication for the ResourceResolver? Please advise.
If the API does not support that then it is difficult. What you can do is, instead of using null (which is admin) when you initialize the resource resolver, you can use UserInfo. Something like this,
Map<String, Object> authInfo = new HashMap<String, Object>();
// Change this code in future to use a read-only user
authInfo.put(ResourceResolverFactory.USER_IMPERSONATION, "some restricted user");
ResourceResolver rr = null;
try {
    rr = rrfac.getAdministrativeResourceResolver(authInfo);
    ....
} catch (LoginException e) {
    // impersonation not permitted, or the user does not exist
} finally {
    if (rr != null) {
        rr.close(); // release the resolver once done
    }
}
Awesome. Thanks a lot!
Just a quick note, this changes in AEM 6.1.
You will have to use Service Accounts for alice and bob users [jcr:primaryType=rep:SystemUser] instead of regular accounts.
Hello Sridhar,
Thanks a lot for your feedback. I have updated the documentation with your note.
Yogesh
Hi Yogesh,
I am trying to unlock a page which is locked by any user. For this I am using this:
adminSession = repository.loginAdministrative(null);
userSession = adminSession.impersonate(new SimpleCredentials(lockedByUser, "".toCharArray()));
Is there any other way to avoid loginAdministrative, as it is deprecated? Please suggest.