Securing a Servlet w/o Resource


Securing a Servlet w/o Resource

Andreas Schaefer
Hi

If I have a servlet that is not based on a resource how would
I secure access in Sling?

This is what I came up with on doPost():

import java.util.Iterator;
import javax.jcr.Session;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.jcr.base.util.AccessControlUtil;

// session: the JCR Session of the current request; request: the SlingHttpServletRequest
UserManager userManager = AccessControlUtil.getUserManager(session);
Authorizable authorizable = userManager.getAuthorizable(request.getUserPrincipal());
if (authorizable == null) {
    // handle anonymous user
    return;
}
boolean ok = false;
if ("admin".equals(authorizable.getID())) {
    ok = true;
} else {
    // declaredMemberOf() returns only direct memberships; memberOf() would also include
    // groups reached through nested group membership
    Iterator<Group> i = authorizable.declaredMemberOf();
    while (i.hasNext()) {
        Group group = i.next();
        if ("sling-node".equals(group.getID())) {
            ok = true;
            break;
        }
    }
}
if (!ok) {
    // Handle wrong permissions
    return;
}

Re: Securing a Servlet w/o Resource

Bertrand Delacretaz
Hi,

On Mon, Apr 10, 2017 at 10:15 PM, Andreas Schaefer Sr. <[hidden email]> wrote:
> ...If I have a servlet that is not based on a resource how would
> I secure access in Sling?..

IIUC in your code you check for membership in a specific group - that
would probably work but it might be more flexible and manageable to
check that the current user has access to a specific "permissions
shadow" resource.

You could have a /permissions resource with specific children for
various operations like /permissions/send-email-to-example_com, and
have your servlet check read access to those based on operations
names.

-Bertrand
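The "permissions shadow" approach described above, written out as an added example (this is not code from the thread or from the Sling project). It assumes a servlet bound to the path /bin/guarded-operation, an "operation" request parameter naming the action, and a shadow tree under /permissions whose child nodes carry the ACLs; all of those names are illustrative. The point is that the servlet never inspects group names at all: it asks the caller's own JCR session whether it can read /permissions/<operation>, so access is managed by ordinary ACLs on that tree.

```java
package example;

import java.io.IOException;
import java.util.regex.Pattern;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;

/**
 * Path-bound servlet (no backing resource) that authorizes each operation by
 * checking whether the caller's session can read the shadow node
 * /permissions/<operation>. Granting or revoking access is then an ACL change
 * on that node, not a code change in the servlet.
 */
@Component(service = Servlet.class, property = {
        "sling.servlet.paths=/bin/guarded-operation",   // assumed servlet path
        "sling.servlet.methods=POST"
})
public class GuardedOperationServlet extends SlingAllMethodsServlet {

    // Assumed layout of the shadow tree, e.g. /permissions/send-email-to-example_com
    static final String PERMISSIONS_ROOT = "/permissions/";

    // Accept only plain operation names so the request parameter cannot steer the
    // check to an unrelated path (no "/", "..", or empty values).
    private static final Pattern OPERATION_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        String operation = request.getParameter("operation");   // assumed parameter name
        if (operation == null || !OPERATION_NAME.matcher(operation).matches()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid operation name");
            return;
        }

        // The request's ResourceResolver is already bound to the calling user
        // (anonymous requests get the anonymous session), so the same check
        // covers logged-in and anonymous callers alike.
        Session session = request.getResourceResolver().adaptTo(Session.class);
        if (session == null || !isAllowed(session, operation)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "operation not permitted");
            return;
        }

        // ... perform the operation here ...
        response.setStatus(HttpServletResponse.SC_OK);
    }

    /** True when the caller's session may read the shadow node for this operation. */
    static boolean isAllowed(Session session, String operation) {
        String shadowPath = PERMISSIONS_ROOT + operation;
        try {
            // nodeExists() is false both when the node is absent and when this session
            // has no read access to it, so an unknown operation is denied as well.
            return session.nodeExists(shadowPath)
                    && session.hasPermission(shadowPath, Session.ACTION_READ);
        } catch (RepositoryException e) {
            return false;   // fail closed on repository errors
        }
    }
}
```

Two things to get right when setting up the tree: create each /permissions/<operation> node with the deployment (a content package or a repoinit script) and grant jcr:read on it only to the intended principal, and make sure /permissions itself does not inherit a read-for-everyone ACL from an ancestor, otherwise every operation is open by default. Because the check is on read access, nothing in the servlet needs write privileges on the shadow tree.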

Re: Securing a Servlet w/o Resource

Andreas Schaefer
Yeah, that might be a good idea.

That said I ran into an issue with JCR Package and Groups.

Having a group part of the package will replace the group
node during installation even when filter mode is set to update
or merge.

This is an issue because User Group Membership is stored on
the group and a redeployment will wipe that.

Is that by design?

Thanks - Andy Schaefer

> On Apr 11, 2017, at 12:27 AM, Bertrand Delacretaz <[hidden email]> wrote:
>
> Hi,
>
> On Mon, Apr 10, 2017 at 10:15 PM, Andreas Schaefer Sr. <[hidden email]> wrote:
>> ...If I have a servlet that is not based on a resource how would
>> I secure access in Sling?..
>
> IIUC in your code you check for membership in a specific group - that
> would probably work but it might be more flexible and manageable to
> check that the current user has access to a specific "permissions
> shadow" resource.
>
> You could have a /permissions resource with specific children for
> various operations like /permissions/send-email-to-example_com, and
> have your servlet check read access to those based on operations
> names.
>
> -Bertrand
