Forem: Theo Pendle The latest articles on Forem by Theo Pendle (@theopendle). https://forem.com/theopendle https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F415433%2F28921d8c-0149-482f-8a35-5f5c2c9a8aa7.jpg Forem: Theo Pendle https://forem.com/theopendle en Implementing Hash-Based Strict CSP on AEM Theo Pendle Sun, 23 Jun 2024 12:28:34 +0000 https://forem.com/theopendle/implementing-hash-based-strict-csp-on-aem-5621 https://forem.com/theopendle/implementing-hash-based-strict-csp-on-aem-5621 <blockquote> <p>As always, the full solution is available on Github. Scroll to the bottom of the article for the link.</p> </blockquote> <h2> Introduction to CSP </h2> <p>As a reminder, CSP stands for <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy</a>: a security standard that helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks by controlling what resources a user agent is allowed to load for a given page using the <code>Content-Security-Policy</code> header.</p> <p>Perhaps the most critical directive of CSP is the <code>script-src</code> directive, which controls what JS code the browser can load and execute.</p> <p>The highest level of protection is achieved by using the so-called 'strict' CSP. If you want to know more about strict vs non-strict CSPs, including examples and rationales, please visit these excellent resources:</p> <ol> <li><a href="https://deepsec.net/docs/Slides/2016/CSP_Is_Dead,_Long_Live_Strict_CSP!_Lukas_Weichselbaum.pdf">CSP Is Dead, Long Live Strict CSP</a></li> <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html#strict-csp">OWASP Content Security Policy Cheat Sheet</a></li> </ol> <p>There are two methods for implementing a strict CSP: <a href="https://web.dev/articles/strict-csp#nonce-vs-hash">nonces or hashes</a>. </p> <h2> Defining the requirements </h2> <p>Let's first list the features of the ideal CSP solution to help us pick the right approach:</p> <ol> <li>It should provide the highest level of security (ie: strict CSP)</li> <li>It should work for both author and publish instances (ie: it should not rely on a publish-only dispatcher)</li> <li>It should be easy to maintain</li> <li>It should be cacheable</li> <li>It should work for <code>&lt;script&gt;</code> tags that: <ol> <li>point to internal clientlibs</li> <li>contain inline JS</li> <li>point to external clientlibs (eg: external analytics script)</li> </ol> </li> </ol> <h2> Hashes vs Nonce-nse </h2> <p>While there are certainly cases where the nonce approach makes sense, in my opinion, hashes are a superior solution for most CMS use cases. That's because using nonces presents the following disadvantages:</p> <ol> <li>Because it requires the HTML document to contain these nonces that are unique to each <em>request</em>, it makes the result impossible to cache and fails requirement n.4. Since caching is a critical performance optimization, this is usually disqualifying.</li> <li>It's not a useful mechanism for protection against untrusted external scripts, so it fails requirement 5.iii. This kind of protection would require an integrity check which is, you guessed it, a hash (which we can re-use for our CSP!)</li> </ol> <p>Hashes, by comparison, can be cached because they are specific to the <em>script content</em>, which typically only changes with a software release and can be used to validate the integrity of scripts from untrusted sources.</p> <p>Therefore, we can conclude that a hash-based CSP is the best solution for most AEM use cases.</p> <blockquote> <p>If the above rationale doesn't apply to your use case, then <a href="https://medium.com/@bsaravanaprakash/implementing-csp-with-nonce-for-inline-scripts-in-aem-a-step-by-step-guide-65b1fc4c8ba3">this Medium article</a> by <a href="https://medium.com/@bsaravanaprakash">Saravana Prakash</a> can show you how to achieve nonce-based CSP this in AEM. </p> </blockquote> <h2> Solution design </h2> <p>Now that we know what approach to take, let's design the solution.</p> <h3> Where do scripts come from anyway? </h3> <p>There are typically 3 ways in which <code>&lt;script&gt;</code> tags are added to a page's HTML:</p> <ol> <li>Added directly via HTL files that make up the Page component (eg: <a href="https://github.com/adobe/aem-core-wcm-components/blob/main/content/src/content/jcr_root/apps/core/wcm/components/page/v3/page/customfooterlibs.html"><code>customfooterlibs.html</code></a> or <a href="https://github.com/adobe/aem-core-wcm-components/blob/main/content/src/content/jcr_root/apps/core/wcm/components/page/v3/page/customheaderlibs.html"><code>customheaderlibs.html</code></a>)</li> <li>Added indirectly via the Page Policy: <img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2kh1gfn5rmwh2g6rur70.png" alt="Page policy" width="800" height="496"> </li> <li>Added <a href="https://experienceleague.adobe.com/en/docs/experience-manager-65/content/implementing/developing/introduction/clientlibs#linking-to-dependencies">as dependencies to clientlibs</a> defined in points 1 and 2.</li> </ol> <p>So the sequence of events should be:</p> <ol> <li>Let AEM add all the <code>&lt;script&gt;</code> tags in the page HTML</li> <li>For each <code>&lt;script&gt;</code> tag: <ul> <li>Calculate the hash using one of the following: <ul> <li>The inline content of the script</li> <li>The content of the references clientlib</li> <li>The integrity attribute of the untrusted script</li> </ul> </li> </ul> </li> <li>Add it to the tag</li> <li>Add it to the CSP header</li> </ol> <h3> Transformers to the rescue! </h3> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkfshf97w2r056l6gm54i.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkfshf97w2r056l6gm54i.png" alt="transformer.png" width="800" height="336"></a></p> <blockquote> <p>Photo by <a href="https://unsplash.com/@aditya1702?utm_content=creditCopyText&amp;utm_medium=referral&amp;utm_source=unsplash">Aditya Vyas</a> on <a href="https://unsplash.com/photos/man-in-red-and-black-suit-statue-B9MULm2UZIk?utm_content=creditCopyText&amp;utm_medium=referral&amp;utm_source=unsplash">Unsplash</a></p> </blockquote> <p>Unfortunately I'm not talking about Optimus Prime, but rather a <a href="https://sling.apache.org/documentation/bundles/output-rewriting-pipelines-org-apache-sling-rewriter.html">SAX output pipeline</a> that will use a <a href="https://developer.adobe.com/experience-manager/reference-materials/6-4/javadoc/org/apache/sling/rewriter/Transformer.html">Transformer</a> to add the CSP hashes to the <code>&lt;script&gt;</code> tags on the HTML page.</p> <h2> Implementation </h2> <p>In this section I will highlight the most important parts of the solution. For a complete solution, see the Github link at the bottom of the article.</p> <h3> Creating the transformer </h3> <p>The transformer handles the following cases:</p> <p><strong>Inline scripts</strong></p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Hello, World!</span><span class="dl">'</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <p>If the <code>&lt;script&gt;</code> tag is inline, the hash can be calculated using the <code>innerText</code> of the element.</p> <p><strong>Clientlib scripts</strong></p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code> <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"/etc.clientlibs/demo/clientlibs/clientlib-site.min.js"</span><span class="nt">&gt;</span> </code></pre> </div> <p>If the <code>&lt;script&gt;</code> tag points to a clientlib served from AEM, the hash can be calculated using the content of the clientlib.</p> <p><strong>External scripts</strong></p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code> <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.bundle.min.js"</span> <span class="na">integrity=</span><span class="s">"sha384-YvpcrYf0tY3lHB60NNkmXc5s9fDVZLESaAA55NDzOxhy9GkcIdslK1eN7N6jIeHz"</span> <span class="na">crossorigin=</span><span class="s">"anonymous"</span><span class="nt">&gt;&lt;/script&gt;</span> </code></pre> </div> <p>Here is the code for the transformer. I've been very generous with the comments to explain the rationale behind each step. This snippet refers to some POJOs and configuration that you can see in the Github diff at the end of the article.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RequiredArgsConstructor</span> <span class="nd">@Slf4j</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">CspHashTransformer</span> <span class="kd">extends</span> <span class="nc">DefaultTransformer</span> <span class="o">{</span> <span class="nd">@Getter</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">hashingAlgorithm</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">HtmlLibraryManager</span> <span class="n">htmlLibraryManager</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">SlingHttpServletRequest</span> <span class="n">request</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">SlingHttpServletResponse</span> <span class="n">response</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">ContentSecurityPolicy</span> <span class="n">csp</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">TransformerElement</span> <span class="n">currentElement</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">init</span><span class="o">(</span><span class="kd">final</span> <span class="nc">ProcessingContext</span> <span class="n">context</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">ProcessingComponentConfiguration</span> <span class="n">config</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span> <span class="o">{</span> <span class="kd">super</span><span class="o">.</span><span class="na">init</span><span class="o">(</span><span class="n">context</span><span class="o">,</span> <span class="n">config</span><span class="o">);</span> <span class="n">request</span> <span class="o">=</span> <span class="n">context</span><span class="o">.</span><span class="na">getRequest</span><span class="o">();</span> <span class="n">response</span> <span class="o">=</span> <span class="n">context</span><span class="o">.</span><span class="na">getResponse</span><span class="o">();</span> <span class="n">csp</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ContentSecurityPolicy</span><span class="o">();</span> <span class="c1">// We initialize the CSP with a strict-dynamic directive to allow for our trusted scripts to</span> <span class="c1">// load other scripts without being blocked by the browser.</span> <span class="n">csp</span><span class="o">.</span><span class="na">addScriptSrcElem</span><span class="o">(</span><span class="s">"'strict-dynamic'"</span><span class="o">);</span> <span class="o">}</span> <span class="cm">/** * Process the start of an element. If the element has a src attribute pointing to a clientlib, calculate the hash * and add it to the element as an integrity attribute and to the CSP header. * * @param namespaceUri the namespace URI of the element * @param localName the local name of the element * @param qualifiedName the qualified name of the element * @param attributes the attributes of the element * @throws SAXException if an error occurs during processing */</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">startElement</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span> <span class="n">namespaceUri</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">localName</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">qualifiedName</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">Attributes</span> <span class="n">attributes</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">SAXException</span> <span class="o">{</span> <span class="n">currentElement</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TransformerElement</span><span class="o">(</span><span class="n">namespaceUri</span><span class="o">,</span> <span class="n">localName</span><span class="o">,</span> <span class="n">qualifiedName</span><span class="o">,</span> <span class="n">attributes</span><span class="o">);</span> <span class="n">log</span><span class="o">.</span><span class="na">debug</span><span class="o">(</span><span class="s">"Start processing element {}"</span><span class="o">,</span> <span class="n">currentElement</span><span class="o">);</span> <span class="n">addIntegrityAttributeAndCspForSrc</span><span class="o">();</span> <span class="kd">super</span><span class="o">.</span><span class="na">startElement</span><span class="o">(</span><span class="n">currentElement</span><span class="o">.</span><span class="na">namespaceUri</span><span class="o">(),</span> <span class="n">currentElement</span><span class="o">.</span><span class="na">localName</span><span class="o">(),</span> <span class="n">currentElement</span><span class="o">.</span><span class="na">qualifiedName</span><span class="o">(),</span> <span class="n">currentElement</span><span class="o">.</span><span class="na">attributes</span><span class="o">());</span> <span class="o">}</span> <span class="cm">/** * Called by the SAX parser when it encounters character data. Used to append the character data to the inner text * of the current element. * * @param ch the character array being read * @param start the start index of the character array * @param length the length of the character array * @throws SAXException if an error occurs during processing */</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">characters</span><span class="o">(</span><span class="kd">final</span> <span class="kt">char</span><span class="o">[]</span> <span class="n">ch</span><span class="o">,</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">start</span><span class="o">,</span> <span class="kd">final</span> <span class="kt">int</span> <span class="n">length</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">SAXException</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">currentElement</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">currentElement</span><span class="o">.</span><span class="na">innerText</span><span class="o">().</span><span class="na">append</span><span class="o">(</span><span class="n">ch</span><span class="o">,</span> <span class="n">start</span><span class="o">,</span> <span class="n">length</span><span class="o">);</span> <span class="o">}</span> <span class="kd">super</span><span class="o">.</span><span class="na">characters</span><span class="o">(</span><span class="n">ch</span><span class="o">,</span> <span class="n">start</span><span class="o">,</span> <span class="n">length</span><span class="o">);</span> <span class="o">}</span> <span class="cm">/** * Process the end of an element. If the element has inner text, calculate the hash and add it to the CSP header. * * @param namespaceUri the namespace URI of the element * @param localName the local name of the element * @param qualifiedName the qualified name of the element * @throws SAXException if an error occurs during processing */</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">endElement</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span> <span class="n">namespaceUri</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">localName</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">qualifiedName</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">SAXException</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">currentElement</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span><span class="o">;</span> <span class="o">}</span> <span class="n">log</span><span class="o">.</span><span class="na">debug</span><span class="o">(</span><span class="s">"End processing element {}"</span><span class="o">,</span> <span class="n">currentElement</span><span class="o">);</span> <span class="n">addCspForInnerText</span><span class="o">();</span> <span class="kd">super</span><span class="o">.</span><span class="na">endElement</span><span class="o">(</span><span class="n">namespaceUri</span><span class="o">,</span> <span class="n">localName</span><span class="o">,</span> <span class="n">qualifiedName</span><span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="kt">void</span> <span class="nf">addIntegrityAttributeAndCspForSrc</span><span class="o">()</span> <span class="o">{</span> <span class="c1">// Get the source of the script</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">src</span> <span class="o">=</span> <span class="n">currentElement</span><span class="o">.</span><span class="na">attributes</span><span class="o">().</span><span class="na">getValue</span><span class="o">(</span><span class="s">"src"</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">src</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">debug</span><span class="o">(</span><span class="s">"No src attribute found for element {}"</span><span class="o">,</span> <span class="n">currentElement</span><span class="o">);</span> <span class="k">return</span><span class="o">;</span> <span class="o">}</span> <span class="c1">// Attempt to find a clientlib associated with the src attribute</span> <span class="kd">final</span> <span class="nc">HtmlLibrary</span> <span class="n">clientlib</span> <span class="o">=</span> <span class="n">getHtmlLibrary</span><span class="o">(</span><span class="n">src</span><span class="o">);</span> <span class="c1">// Attempt to read the integrity attribute</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">integrity</span> <span class="o">=</span> <span class="n">currentElement</span><span class="o">.</span><span class="na">attributes</span><span class="o">().</span><span class="na">getValue</span><span class="o">(</span><span class="s">"integrity"</span><span class="o">);</span> <span class="c1">// If no clientlib can be found using the src, then assume the src is external</span> <span class="kd">final</span> <span class="kt">boolean</span> <span class="n">isExternal</span> <span class="o">=</span> <span class="n">clientlib</span> <span class="o">==</span> <span class="kc">null</span><span class="o">;</span> <span class="c1">// For security reasons, we consider that an external script without an integrity attribute is invalid. It will</span> <span class="c1">// not be added to the CSP and therefore will fail to load/execute in the browser.</span> <span class="k">if</span> <span class="o">(</span><span class="n">isExternal</span> <span class="o">&amp;&amp;</span> <span class="n">integrity</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"Integrity attribute missing from external src &lt;{}&gt;. Hash cannot be calculated."</span><span class="o">,</span> <span class="n">src</span><span class="o">);</span> <span class="k">return</span><span class="o">;</span> <span class="o">}</span> <span class="c1">// Re-use the integrity hash if possible, else calculate the hash from the clientlib content</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">hash</span> <span class="o">=</span> <span class="n">isExternal</span> <span class="o">?</span> <span class="n">integrity</span> <span class="o">:</span> <span class="n">getHashFromClientlib</span><span class="o">(</span><span class="n">clientlib</span><span class="o">);</span> <span class="c1">// If no hash can be calculated, then the script will not be added to the CSP and therefore will fail to load</span> <span class="k">if</span> <span class="o">(</span><span class="n">hash</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">debug</span><span class="o">(</span><span class="s">"No clientlib or external hash found for found for src &lt;{}&gt;. Hash cannot be calculated."</span><span class="o">,</span> <span class="n">src</span><span class="o">);</span> <span class="k">return</span><span class="o">;</span> <span class="o">}</span> <span class="c1">// For internal script, add the integrity attribute containing the hash. Security-wise this does not provide any</span> <span class="c1">// benefit as the CSP will already enforce the hash, but it is good practice to include it so that you can</span> <span class="c1">// easily identify which script corresponds to which hash for debugging puposes.</span> <span class="k">if</span> <span class="o">(!</span><span class="n">isExternal</span><span class="o">)</span> <span class="o">{</span> <span class="n">addIntegrityAttribute</span><span class="o">(</span><span class="n">hash</span><span class="o">);</span> <span class="o">}</span> <span class="c1">// Finally, add the hash to the CSP</span> <span class="n">addHashToCsp</span><span class="o">(</span><span class="n">hash</span><span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">String</span> <span class="nf">getHashFromClientlib</span><span class="o">(</span><span class="kd">final</span> <span class="nc">HtmlLibrary</span> <span class="n">clientlib</span><span class="o">)</span> <span class="o">{</span> <span class="k">try</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">InputStream</span> <span class="n">inputStream</span> <span class="o">=</span> <span class="n">clientlib</span><span class="o">.</span><span class="na">getInputStream</span><span class="o">(</span><span class="kc">true</span><span class="o">))</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">hash</span> <span class="o">=</span> <span class="n">calculateHashAndEncodeBase64</span><span class="o">(</span><span class="n">inputStream</span><span class="o">);</span> <span class="n">log</span><span class="o">.</span><span class="na">debug</span><span class="o">(</span><span class="s">"Hash for &lt;{}&gt;: &lt;{}&gt;"</span><span class="o">,</span> <span class="n">clientlib</span><span class="o">.</span><span class="na">getPath</span><span class="o">(),</span> <span class="n">hash</span><span class="o">);</span> <span class="k">return</span> <span class="n">hash</span><span class="o">;</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">IOException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"Could not read clientlib &lt;{}&gt;"</span><span class="o">,</span> <span class="n">clientlib</span><span class="o">.</span><span class="na">getPath</span><span class="o">(),</span> <span class="n">e</span><span class="o">);</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="kt">void</span> <span class="nf">addCspForInnerText</span><span class="o">()</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">innerText</span> <span class="o">=</span> <span class="n">currentElement</span><span class="o">.</span><span class="na">innerText</span><span class="o">().</span><span class="na">toString</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">innerText</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">())</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">debug</span><span class="o">(</span><span class="s">"Element {} has no inner text"</span><span class="o">,</span> <span class="n">currentElement</span><span class="o">);</span> <span class="k">return</span><span class="o">;</span> <span class="o">}</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">hash</span> <span class="o">=</span> <span class="n">calculateHashAndEncodeBase64</span><span class="o">(</span><span class="n">innerText</span><span class="o">);</span> <span class="n">addHashToCsp</span><span class="o">(</span><span class="n">hash</span><span class="o">);</span> <span class="o">}</span> <span class="cm">/** * Adds the hash as an integrity attribute to the current element. * * @param hash the hash to add */</span> <span class="kd">private</span> <span class="kt">void</span> <span class="nf">addIntegrityAttribute</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span> <span class="n">hash</span><span class="o">)</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">AttributesImpl</span> <span class="n">attributes</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AttributesImpl</span><span class="o">(</span><span class="n">currentElement</span><span class="o">.</span><span class="na">attributes</span><span class="o">());</span> <span class="n">attributes</span><span class="o">.</span><span class="na">addAttribute</span><span class="o">(</span><span class="n">currentElement</span><span class="o">.</span><span class="na">namespaceUri</span><span class="o">(),</span> <span class="s">"integrity"</span><span class="o">,</span> <span class="s">"integrity"</span><span class="o">,</span> <span class="s">"0"</span><span class="o">,</span> <span class="n">hash</span><span class="o">);</span> <span class="n">currentElement</span><span class="o">.</span><span class="na">attributes</span><span class="o">(</span><span class="n">attributes</span><span class="o">);</span> <span class="o">}</span> <span class="cm">/** * Adds the hash to the Content-Security-Policy header. * * @param hash the hash to add */</span> <span class="kd">private</span> <span class="kt">void</span> <span class="nf">addHashToCsp</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span> <span class="n">hash</span><span class="o">)</span> <span class="o">{</span> <span class="n">csp</span><span class="o">.</span><span class="na">addScriptSrcElem</span><span class="o">(</span><span class="s">"'"</span> <span class="o">+</span> <span class="n">hash</span> <span class="o">+</span> <span class="s">"'"</span><span class="o">);</span> <span class="n">response</span><span class="o">.</span><span class="na">setHeader</span><span class="o">(</span><span class="s">"Content-Security-Policy"</span><span class="o">,</span> <span class="n">csp</span><span class="o">.</span><span class="na">toString</span><span class="o">());</span> <span class="o">}</span> <span class="cm">/** * Find the clientlib associated with the src attribute if such a clientlib exists. * * @param src the src attribute of the element * @return the clientlib associated with the src attribute, or null if no such clientlib exists */</span> <span class="kd">private</span> <span class="nc">HtmlLibrary</span> <span class="nf">getHtmlLibrary</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span> <span class="n">src</span><span class="o">)</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">path</span><span class="o">;</span> <span class="k">try</span> <span class="o">{</span> <span class="n">path</span> <span class="o">=</span> <span class="k">new</span> <span class="no">URI</span><span class="o">(</span><span class="n">src</span><span class="o">).</span><span class="na">getPath</span><span class="o">();</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">URISyntaxException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"src attribute element {} is not a valid URI"</span><span class="o">,</span> <span class="n">currentElement</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="c1">// Find true path of clientlib in /apps (or /libs, via overlay)</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">appsPath</span> <span class="o">=</span> <span class="n">path</span> <span class="o">.</span><span class="na">replace</span><span class="o">(</span><span class="s">"etc.clientlibs"</span><span class="o">,</span> <span class="s">"apps"</span><span class="o">)</span> <span class="o">.</span><span class="na">replace</span><span class="o">(</span><span class="s">".min.js"</span><span class="o">,</span> <span class="s">""</span><span class="o">);</span> <span class="kd">final</span> <span class="nc">Resource</span> <span class="n">resource</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getResourceResolver</span><span class="o">().</span><span class="na">resolve</span><span class="o">(</span><span class="n">appsPath</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">resource</span> <span class="k">instanceof</span> <span class="nc">NonExistingResource</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"Could not find resource using path &lt;{}&gt;"</span><span class="o">,</span> <span class="n">path</span><span class="o">);</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="k">return</span> <span class="n">htmlLibraryManager</span><span class="o">.</span><span class="na">getLibrary</span><span class="o">(</span><span class="nc">LibraryType</span><span class="o">.</span><span class="na">JS</span><span class="o">,</span> <span class="n">resource</span><span class="o">.</span><span class="na">getPath</span><span class="o">());</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">String</span> <span class="nf">calculateHashAndEncodeBase64</span><span class="o">(</span><span class="kd">final</span> <span class="nc">InputStream</span> <span class="n">inputStream</span><span class="o">)</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">MessageDigest</span> <span class="n">digest</span> <span class="o">=</span> <span class="nc">MessageDigest</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="n">hashingAlgorithm</span><span class="o">);</span> <span class="kd">final</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">buffer</span> <span class="o">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="o">[</span><span class="mi">4096</span><span class="o">];</span> <span class="kt">int</span> <span class="n">bytesRead</span><span class="o">;</span> <span class="k">while</span> <span class="o">((</span><span class="n">bytesRead</span> <span class="o">=</span> <span class="n">inputStream</span><span class="o">.</span><span class="na">read</span><span class="o">(</span><span class="n">buffer</span><span class="o">))</span> <span class="o">!=</span> <span class="o">-</span><span class="mi">1</span><span class="o">)</span> <span class="o">{</span> <span class="n">digest</span><span class="o">.</span><span class="na">update</span><span class="o">(</span><span class="n">buffer</span><span class="o">,</span> <span class="mi">0</span><span class="o">,</span> <span class="n">bytesRead</span><span class="o">);</span> <span class="o">}</span> <span class="kd">final</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">hash</span> <span class="o">=</span> <span class="n">digest</span><span class="o">.</span><span class="na">digest</span><span class="o">();</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">hashString</span> <span class="o">=</span> <span class="nc">Base64</span><span class="o">.</span><span class="na">getEncoder</span><span class="o">().</span><span class="na">encodeToString</span><span class="o">(</span><span class="n">hash</span><span class="o">);</span> <span class="k">return</span> <span class="nf">hashAndAlgorithm</span><span class="o">(</span><span class="n">hashString</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">IOException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"Error reading input stream for hashing"</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">NoSuchAlgorithmException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"Encryption algorithm not found"</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">String</span> <span class="nf">calculateHashAndEncodeBase64</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span> <span class="n">string</span><span class="o">)</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">MessageDigest</span> <span class="n">digest</span> <span class="o">=</span> <span class="nc">MessageDigest</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="n">hashingAlgorithm</span><span class="o">);</span> <span class="kd">final</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">hash</span> <span class="o">=</span> <span class="n">digest</span><span class="o">.</span><span class="na">digest</span><span class="o">(</span><span class="n">string</span><span class="o">.</span><span class="na">getBytes</span><span class="o">(</span><span class="nc">StandardCharsets</span><span class="o">.</span><span class="na">UTF_8</span><span class="o">));</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">hashString</span> <span class="o">=</span> <span class="nc">Base64</span><span class="o">.</span><span class="na">getEncoder</span><span class="o">().</span><span class="na">encodeToString</span><span class="o">(</span><span class="n">hash</span><span class="o">);</span> <span class="k">return</span> <span class="nf">hashAndAlgorithm</span><span class="o">(</span><span class="n">hashString</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">NoSuchAlgorithmException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"Encryption algorithm not found"</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">String</span> <span class="nf">hashAndAlgorithm</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span> <span class="n">hash</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">hashingAlgorithm</span><span class="o">.</span><span class="na">toLowerCase</span><span class="o">().</span><span class="na">replace</span><span class="o">(</span><span class="s">"-"</span><span class="o">,</span> <span class="s">""</span><span class="o">)</span> <span class="o">+</span> <span class="s">"-"</span> <span class="o">+</span> <span class="n">hash</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Adding the transformer to the pipeline </h3> <p>To create a pipeline that includes our transformer, we need to create a <a href="https://sling.apache.org/documentation/bundles/output-rewriting-pipelines-org-apache-sling-rewriter.html">Rewriter</a> by adding node at <code>/apps/demo/config/rewriter/links-pipeline</code> with the following properties:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="cp">&lt;?xml version="1.0" encoding="UTF-8"?&gt;</span> <span class="nt">&lt;jcr:root</span> <span class="na">xmlns:jcr=</span><span class="s">"http://www.jcp.org/jcr/1.0"</span> <span class="na">xmlns:nt=</span><span class="s">"http://www.jcp.org/jcr/nt/1.0"</span> <span class="na">jcr:primaryType=</span><span class="s">"nt:unstructured"</span> <span class="na">contentTypes=</span><span class="s">"text/html"</span> <span class="na">generatorType=</span><span class="s">"htmlparser"</span> <span class="na">order=</span><span class="s">"1"</span> <span class="na">paths=</span><span class="s">"[/content]"</span> <span class="na">serializerType=</span><span class="s">"htmlwriter"</span> <span class="na">transformerTypes=</span><span class="s">"[csp-hash-transformer]"</span><span class="nt">&gt;</span> <span class="nt">&lt;generator-htmlparser</span> <span class="na">jcr:primaryType=</span><span class="s">"nt:unstructured"</span> <span class="na">includeTags=</span><span class="s">"[SCRIPT]"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/jcr:root&gt;</span> </code></pre> </div> <h2> The result </h2> <p>Now, if we load scripts onto our page using <code>customfooterlibs.html</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- This HTL include demonstrates the loading of a clientlib --&gt;</span> <span class="nt">&lt;sly</span> <span class="na">data-sly-use.clientlib=</span><span class="s">"core/wcm/components/commons/v1/templates/clientlib.html"</span><span class="nt">&gt;</span> <span class="nt">&lt;sly</span> <span class="na">data-sly-call=</span><span class="s">"${clientlib.js @ categories='demo.base', async=true}"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/sly&gt;</span> <span class="c">&lt;!-- This script element demonstrates the loading of an external script --&gt;</span> <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.bundle.min.js"</span> <span class="na">integrity=</span><span class="s">"sha384-YvpcrYf0tY3lHB60NNkmXc5s9fDVZLESaAA55NDzOxhy9GkcIdslK1eN7N6jIeHz"</span> <span class="na">crossorigin=</span><span class="s">"anonymous"</span><span class="nt">&gt;&lt;/script&gt;</span> <span class="c">&lt;!-- This script element demonstrates the inline script hashing --&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">This was logged from an inline script!</span><span class="dl">'</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> <span class="c">&lt;!-- This inline script loads an external script to demonstrate the 'dynamic' principle --&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">script</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">script</span><span class="dl">'</span><span class="p">);</span> <span class="nx">script</span><span class="p">.</span><span class="nx">src</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js</span><span class="dl">'</span><span class="p">;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">script</span><span class="p">);</span> <span class="nf">addEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">load</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">jQuery version:</span><span class="dl">'</span><span class="p">,</span><span class="nf">$</span><span class="p">().</span><span class="nx">jquery</span><span class="p">));</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <p>We should receive a CSP like this (yours will vary depending on your clientlibs/dependencies):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Content-Security-Policy: script-src-elem 'strict-dynamic' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-XjA+iLg5j0FvhFkZc7LcXfbQJ0b3gvw2c2jj9vv65q0=' 'sha256-Uv8dzRTPRZ2++L/ZWgfN9lPjdvzsDYVS4rEfvWCA0x0=' 'sha256-3dfW5u+XJXRPqcC3F8wewmnAr6oxejxP7ArjOE38P2Q=' 'sha256-5hrKOpQWBa1NuajxV3udxJCgNMQMD/lUApbmGxMmpuM=' 'sha256-wlCSQBL9yeqVFrMGUIlSAc0Wfb1JydFIkk8wiBq/o5M=' 'sha256-WJ3od+zqoblT5apcuXdUh4o1UWwVnb5AjQhmHWIu2OY=' 'sha384-YvpcrYf0tY3lHB60NNkmXc5s9fDVZLESaAA55NDzOxhy9GkcIdslK1eN7N6jIeHz' 'sha256-QFYsdZ/eGhCq89XHZ7IOsy5A9dTKeyvduAx2RnCqvAA=' 'sha256-Fb8sXaPGzkkQJOoKLIpn0I5s+VOOiBlZMYGgv8wHxZI=' 'sha256-g2cCN9gX44Hp5lFL/iomg3hI3LeG/LRkzeNJfQZjJGI='; </code></pre> </div> <p>And you should see that the demonstration scripts have executed as expected in the browser console:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>This was logged from an inline script! jQuery version: 3.7.1 </code></pre> </div> <h3> What about the other CSP directives? </h3> <p>Good question! There are indeed dozens of other directives you can use to fine-tune your CSP. </p> <p>This article will not give you a comprehensive strategy for dealing with all your CSP requirements, it only shows you how to automate the configuration<code>script-src-elem</code> directive.</p> <p>Thankfully, using multiple CSP headers is a valid approach, so you can add the rest of the directives anywhere you like as additional CSP headers. Just make sure you understand <a href="https://content-security-policy.com/examples/multiple-csp-headers/">how multiple CSP headers interact with each other</a> to avoid surprises.</p> <h2> Conclusion </h2> <p>As promised, all the code is available in one easy-to-read diff on Github. You can find it <a href="https://github.com/theopendle/aem-demo/compare/cd123fd4f766399887171f20bad0284014dd9f09...tutorial/csp-hash">here</a>.</p> <p>If you have any comments or ideas about this article, the topic matter or the format, don't hesitate to leave a comment or to reach out to me on <a href="https://www.linkedin.com/in/theo-pendle-1630a52a">LinkedIn</a>!</p> aem csp adobe java Four-eyes Validation in AEM Theo Pendle Sun, 14 Jan 2024 14:51:53 +0000 https://forem.com/theopendle/four-eyes-validation-in-aem-3f4i https://forem.com/theopendle/four-eyes-validation-in-aem-3f4i <h2> Prevent initiators from approving their own workflows </h2> <blockquote> <p>šŸ’” As always, scroll to bottom of the article to find all the source code on Github!</p> </blockquote> <h2> Pre-requisites </h2> <p>In order to get the most out of this article, make sure you are at least familiar with the following concepts:</p> <ul> <li>Workflows (see: <a href="https://experienceleague.adobe.com/docs/experience-manager-65/content/sites/authoring/workflows/workflows.html?lang=en#:~:text=AEM%20Workflows%20let%20you%20automate,site%20administrator%20activates%20the%20page." rel="noopener noreferrer">Work with Workflows</a>)</li> <li>Customizing workflows and steps (see: <a href="https://experienceleague.adobe.com/docs/experience-manager-65/content/implementing/developing/extending-aem/extending-workflows/workflows-step-ref.html?lang=en#or-split" rel="noopener noreferrer">Workflow Step Reference</a>, <a href="https://experienceleague.adobe.com/docs/experience-manager-learn/forms/adaptive-forms/custom-process-step-aem-workflow.html?lang=en" rel="noopener noreferrer">Custom Process Step</a>)</li> <li>Participant steps and choosers</li> </ul> <h2> Use cases </h2> <p>It is a common business process to include an approval of some kind before any corporate content is published, committed, filed or broadcasted. A four-eyes validation adds a certain level of confidence as it means that at least two individuals have seen a piece of content (the creator and an approver) before it goes live.</p> <p>Web content management is no exception, and AEM supports the ability to approve content before release using workflows. More specifically, I will be referring to the <code>Request for activation</code> workflow.</p> <blockquote> <p>As a reminder, the <code>Request for activation</code> workflow is used when a user who does not have <code>crx:replicate</code> permissions attempts to publish a page. By default, the content must be approved by a member of the <code>administrators</code> group:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frunw8wlv041g8nlcggcp.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frunw8wlv041g8nlcggcp.png" alt="The default configuration of the Request for activation workflow"></a></p> </blockquote> <p>However, depending on how your organisation envisions its content delivery pipeline, the supported functionality may be not be sufficient. Let's look at some examples:</p> <h3> Centralized authoring </h3> <p>In this model, web content is managed by a centralized web team that receives briefs from business teams and converts them into AEM web pages.</p> <p>Once the content is ready, the team which issued the brief is asked to approve the content to make sure it meets their expectations.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4s6ah5dzhzu26h7hs5rm.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4s6ah5dzhzu26h7hs5rm.png" alt="Centralized web team diagram"></a></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Pros</th> <th>Cons</th> </tr> </thead> <tbody> <tr> <td>Content management stays in the hands of the expert AEM authors</td> <td>The whole organisation relies on the web team for any updates. This creates a bottleneck.</td> </tr> </tbody> </table></div> <h3> De-centralized authoring </h3> <p>In this model, some teams may be allowed to manage their own limited domain. For example, HR can publish new job offers while sales can maintain its own marketing materials.</p> <p>In this case, some team members are responsible for creating content, which then get approved by their managers before publication.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F187c0vl2dzxdjl90i1s9.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F187c0vl2dzxdjl90i1s9.png" alt="De-centralized authoring diagram"></a></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Pros</th> <th>Cons</th> </tr> </thead> <tbody> <tr> <td>Simpler content can be managed independently by the topic experts</td> <td>If a manager is busy or unavailable, delivery will slow down</td> </tr> <tr> <td></td> <td>Managers may end up doing a lot of little-value-added approval work</td> </tr> </tbody> </table></div> <h3> Democratized authoring </h3> <p>In this model, teams are empowered to deliver content for which they are responsible in the most independent and streamless manner. </p> <p>Content can be approved by any member of the team, except the creator.</p> <blockquote> <p>If you are reading this, you are probably a software engineer familiar with the concept of code review. This model follows the same principles!</p> </blockquote> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx1iggq4tdawt16nvq6bg.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx1iggq4tdawt16nvq6bg.png" alt="Democratized authoring diagram"></a></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Pros</th> <th>Cons</th> </tr> </thead> <tbody> <tr> <td>Simpler content can be managed independently by the topic experts</td> <td></td> </tr> <tr> <td>Creator and approver roles are flexible</td> <td></td> </tr> <tr> <td>Delivery velocity is maximised. No need to call the manager in order to approve typo fixes or style changes, etc.</td> <td></td> </tr> </tbody> </table></div> <h3> Hybrid model </h3> <p>Of course, it is common to want to mix and match authoring models. Some content might be managed by the web team as per the Centralized model, whereas other content may be managed by the business teams as per the Democratized model. Yet other content might be deemed sensitive and require a manager-level approval as per the De-centralized model, etc.</p> <h2> Problem statement </h2> <p>The Centralized and De-centralized models described above are relatively easy to implement in AEM using the <code>Request for activation</code> workflow as the initiator (person who requests publication) and approver are in two distinct user groups. </p> <p>However, in the Democratized authoring model, the initiator and approver are in the <em>same</em> user group. This is not supported by AEM. The reason is that the <a href="https://developer.adobe.com/experience-manager/reference-materials/6-5/javadoc/com/adobe/granite/workflow/exec/ParticipantStepChooser.html" rel="noopener noreferrer"><code>ParticipantStepChooser</code></a> which is responsible for telling AEM which user should be assigned to a particular step <em>can only return a single participant ID (user or group)</em>.</p> <p>This means that (according to the diagram above), if <code>allan</code> requests the publication of a new job offer page, and the approval is assigned to the <code>hr</code> group, then <code>allan</code> could approve his own request.</p> <p>Obviously, this breaches the four-eyes principle. Let's look at how we can implement this use case.</p> <h2> Solution </h2> <blockquote> <p>šŸ’” The code below focuses on business logic. Some utility code has been abstracted. See the Github diff at the bottom of the article to see the exhaustive source code.</p> </blockquote> <h3> Concept </h3> <p>The solution design relies on the following idea: we can create a special group (an exclusion group) at runtime which includes all members of an existing group or groups, <em>minus</em> the initiator. Members of this exclusion group can then perform the approval, and finally the exclusion group is removed when the workflow ends.</p> <h3> Creating the exclusion group </h3> <p>To create the exclusion group, we will implement a custom workflow process step for that purpose, as per Adobe's documentation: <a href="https://experienceleague.adobe.com/docs/experience-manager-learn/forms/adaptive-forms/custom-process-step-aem-workflow.html?lang=en" rel="noopener noreferrer">Custom Process Step</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">import</span> <span class="nn">com.adobe.granite.workflow.WorkflowException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.adobe.granite.workflow.WorkflowSession</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.adobe.granite.workflow.exec.WorkItem</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.adobe.granite.workflow.exec.WorkflowProcess</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.adobe.granite.workflow.metadata.MetaDataMap</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.theopendle.core.workflow.WorkflowUtil</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.theopendle.core.workflow.queries.GroupWithId</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.theopendle.core.workflow.queries.UsersOfGroup</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">lombok.extern.slf4j.Slf4j</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.commons.lang.StringUtils</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.jackrabbit.api.security.user.Authorizable</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.jackrabbit.api.security.user.Group</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.jackrabbit.api.security.user.User</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.jackrabbit.api.security.user.UserManager</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.jackrabbit.value.StringValue</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.sling.api.resource.LoginException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.sling.api.resource.PersistenceException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.sling.api.resource.ResourceResolver</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.sling.api.resource.ResourceResolverFactory</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.osgi.framework.Constants</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.osgi.service.component.annotations.Component</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.osgi.service.component.annotations.Reference</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.jcr.RepositoryException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.*</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.stream.Collectors</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">static</span> <span class="n">com</span><span class="o">.</span><span class="na">theopendle</span><span class="o">.</span><span class="na">core</span><span class="o">.</span><span class="na">workflow</span><span class="o">.</span><span class="na">WorkflowUtil</span><span class="o">.</span><span class="na">setWorkflowVariable</span><span class="o">;</span> <span class="nd">@Slf4j</span> <span class="nd">@Component</span><span class="o">(</span><span class="n">property</span> <span class="o">=</span> <span class="o">{</span> <span class="s">"process.label"</span> <span class="o">+</span> <span class="s">"=Create exclusion group"</span><span class="o">,</span> <span class="nc">Constants</span><span class="o">.</span><span class="na">SERVICE_DESCRIPTION</span> <span class="o">+</span> <span class="s">"=Workflow step to create exclusion groups created earlier in the workflow"</span><span class="o">,</span> <span class="nc">Constants</span><span class="o">.</span><span class="na">SERVICE_VENDOR</span> <span class="o">+</span> <span class="s">"=Theo Pendle"</span><span class="o">,</span> <span class="o">})</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">CreateExclusionGroup</span> <span class="kd">implements</span> <span class="nc">WorkflowProcess</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">USER_ID_ADMIN</span> <span class="o">=</span> <span class="s">"admin"</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">GROUP_ID_ADMIN</span> <span class="o">=</span> <span class="s">"administrators"</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">PN_EXCLUSION_GROUP_ID</span> <span class="o">=</span> <span class="s">"exclusionGroupId"</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">PN_GROUPS</span> <span class="o">=</span> <span class="s">"groups"</span><span class="o">;</span> <span class="nd">@Reference</span> <span class="kd">private</span> <span class="nc">ResourceResolverFactory</span> <span class="n">resourceResolverFactory</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">execute</span><span class="o">(</span><span class="kd">final</span> <span class="nc">WorkItem</span> <span class="n">workItem</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">WorkflowSession</span> <span class="n">workflowSession</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">MetaDataMap</span> <span class="n">metaDataMap</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">WorkflowException</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">initiatorId</span> <span class="o">=</span> <span class="n">workItem</span><span class="o">.</span><span class="na">getWorkflow</span><span class="o">().</span><span class="na">getInitiator</span><span class="o">();</span> <span class="c1">// In case the initiator is the admin user, allow them to self-approve</span> <span class="k">if</span> <span class="o">(</span><span class="n">initiatorId</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="no">USER_ID_ADMIN</span><span class="o">))</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"Initiator is admin. No exclusion group will be created."</span><span class="o">);</span> <span class="n">setWorkflowVariable</span><span class="o">(</span><span class="n">workItem</span><span class="o">,</span> <span class="no">PN_EXCLUSION_GROUP_ID</span><span class="o">,</span> <span class="no">GROUP_ID_ADMIN</span><span class="o">);</span> <span class="k">return</span><span class="o">;</span> <span class="o">}</span> <span class="kd">final</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;</span> <span class="n">arguments</span> <span class="o">=</span> <span class="nc">WorkflowUtil</span><span class="o">.</span><span class="na">readArguments</span><span class="o">(</span><span class="n">metaDataMap</span><span class="o">);</span> <span class="k">if</span> <span class="o">(!</span><span class="n">arguments</span><span class="o">.</span><span class="na">containsKey</span><span class="o">(</span><span class="no">PN_GROUPS</span><span class="o">))</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">WorkflowException</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"No &lt;%s&gt; argument passed to step"</span><span class="o">,</span> <span class="no">PN_GROUPS</span><span class="o">));</span> <span class="o">}</span> <span class="kd">final</span> <span class="nc">Set</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">groups</span> <span class="o">=</span> <span class="nc">Arrays</span><span class="o">.</span><span class="na">stream</span><span class="o">(</span><span class="n">arguments</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="no">PN_GROUPS</span><span class="o">).</span><span class="na">split</span><span class="o">(</span><span class="s">","</span><span class="o">))</span> <span class="o">.</span><span class="na">filter</span><span class="o">(</span><span class="nl">StringUtils:</span><span class="o">:</span><span class="n">isNotBlank</span><span class="o">)</span> <span class="o">.</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">toSet</span><span class="o">());</span> <span class="k">if</span> <span class="o">(</span><span class="n">groups</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">())</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">WorkflowException</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"&lt;%s&gt; argument contains an empty list"</span><span class="o">,</span> <span class="no">PN_GROUPS</span><span class="o">));</span> <span class="o">}</span> <span class="k">try</span> <span class="o">{</span> <span class="k">try</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">ResourceResolver</span> <span class="n">resolver</span> <span class="o">=</span> <span class="n">resourceResolverFactory</span><span class="o">.</span><span class="na">getServiceResourceResolver</span><span class="o">(</span><span class="nc">Map</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="nc">ResourceResolverFactory</span><span class="o">.</span><span class="na">SUBSERVICE</span><span class="o">,</span> <span class="s">"user-management"</span><span class="o">)))</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">UserManager</span> <span class="n">userManager</span> <span class="o">=</span> <span class="n">resolver</span><span class="o">.</span><span class="na">adaptTo</span><span class="o">(</span><span class="nc">UserManager</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">userManager</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">WorkflowException</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"Could not retrieve &lt;%s&gt;"</span><span class="o">,</span> <span class="nc">UserManager</span><span class="o">.</span><span class="na">class</span><span class="o">));</span> <span class="o">}</span> <span class="kd">final</span> <span class="nc">Authorizable</span> <span class="n">initiatorAuthorizable</span> <span class="o">=</span> <span class="n">userManager</span><span class="o">.</span><span class="na">getAuthorizable</span><span class="o">(</span><span class="n">initiatorId</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">initiatorAuthorizable</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">WorkflowException</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"Could not find initiator of the workflow with ID &lt;%s&gt; "</span><span class="o">,</span> <span class="n">initiatorId</span><span class="o">));</span> <span class="o">}</span> <span class="c1">// Find all users belonging to specified groups</span> <span class="kd">final</span> <span class="nc">Set</span><span class="o">&lt;</span><span class="nc">Authorizable</span><span class="o">&gt;</span> <span class="n">users</span> <span class="o">=</span> <span class="n">groups</span><span class="o">.</span><span class="na">stream</span><span class="o">()</span> <span class="c1">// If the initiator is not a member of the group provided, then discard it</span> <span class="o">.</span><span class="na">filter</span><span class="o">(</span><span class="n">groupId</span> <span class="o">-&gt;</span> <span class="n">userInGroup</span><span class="o">(</span><span class="n">userManager</span><span class="o">,</span> <span class="n">groupId</span><span class="o">,</span> <span class="n">initiatorAuthorizable</span><span class="o">))</span> <span class="c1">// Get all members of the eligible groups</span> <span class="o">.</span><span class="na">flatMap</span><span class="o">(</span><span class="n">groupId</span> <span class="o">-&gt;</span> <span class="n">getUsersOfGroup</span><span class="o">(</span><span class="n">userManager</span><span class="o">,</span> <span class="n">groupId</span><span class="o">).</span><span class="na">stream</span><span class="o">())</span> <span class="c1">// Remove the initiator</span> <span class="o">.</span><span class="na">filter</span><span class="o">(</span><span class="n">user</span> <span class="o">-&gt;</span> <span class="o">!</span><span class="n">user</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="n">initiatorAuthorizable</span><span class="o">))</span> <span class="o">.</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">toSet</span><span class="o">());</span> <span class="k">if</span> <span class="o">(</span><span class="n">users</span><span class="o">.</span><span class="na">isEmpty</span><span class="o">())</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">WorkflowException</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"No other users found in groups &lt;%s&gt; (initiator &lt;%s&gt;)"</span><span class="o">,</span> <span class="n">groups</span><span class="o">,</span> <span class="n">initiatorAuthorizable</span><span class="o">.</span><span class="na">getPrincipal</span><span class="o">().</span><span class="na">getName</span><span class="o">()));</span> <span class="o">}</span> <span class="c1">// Create exclusion group</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">exclusionGroupId</span> <span class="o">=</span> <span class="s">"demo-exclusion-group-"</span> <span class="o">+</span> <span class="no">UUID</span><span class="o">.</span><span class="na">randomUUID</span><span class="o">();</span> <span class="kd">final</span> <span class="nc">PrincipalImpl</span> <span class="n">exclusionPrincipal</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PrincipalImpl</span><span class="o">(</span><span class="n">exclusionGroupId</span><span class="o">);</span> <span class="kd">final</span> <span class="nc">Group</span> <span class="n">exclusionGroup</span> <span class="o">=</span> <span class="n">userManager</span><span class="o">.</span><span class="na">createGroup</span><span class="o">(</span><span class="n">exclusionPrincipal</span><span class="o">,</span> <span class="s">"demo/exclusion"</span><span class="o">);</span> <span class="c1">// Add properties to group so it can easily be found and recognized</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">userIds</span> <span class="o">=</span> <span class="n">users</span><span class="o">.</span><span class="na">stream</span><span class="o">()</span> <span class="o">.</span><span class="na">map</span><span class="o">(</span><span class="n">user</span> <span class="o">-&gt;</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="k">return</span> <span class="n">user</span><span class="o">.</span><span class="na">getPrincipal</span><span class="o">().</span><span class="na">getName</span><span class="o">();</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">RepositoryException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="o">})</span> <span class="o">.</span><span class="na">filter</span><span class="o">(</span><span class="nl">Objects:</span><span class="o">:</span><span class="n">nonNull</span><span class="o">)</span> <span class="o">.</span><span class="na">collect</span><span class="o">(</span><span class="nc">Collectors</span><span class="o">.</span><span class="na">joining</span><span class="o">(</span><span class="s">", "</span><span class="o">));</span> <span class="k">for</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">Map</span><span class="o">.</span><span class="na">Entry</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;</span> <span class="n">entry</span> <span class="o">:</span> <span class="nc">Map</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="s">"workflowInstance"</span><span class="o">,</span> <span class="n">workItem</span><span class="o">.</span><span class="na">getWorkflow</span><span class="o">().</span><span class="na">getId</span><span class="o">(),</span> <span class="s">"includesGroups"</span><span class="o">,</span> <span class="nc">String</span><span class="o">.</span><span class="na">join</span><span class="o">(</span><span class="s">","</span><span class="o">,</span> <span class="n">groups</span><span class="o">),</span> <span class="s">"excludesUser"</span><span class="o">,</span> <span class="n">initiatorAuthorizable</span><span class="o">.</span><span class="na">getPrincipal</span><span class="o">().</span><span class="na">getName</span><span class="o">(),</span> <span class="c1">// Name the group after the users that it contains so that authors know who is eligible to approve</span> <span class="c1">// without needing access to the AEM user/group admin interfaces</span> <span class="s">"profile/givenName"</span><span class="o">,</span> <span class="n">userIds</span> <span class="o">).</span><span class="na">entrySet</span><span class="o">())</span> <span class="o">{</span> <span class="n">exclusionGroup</span><span class="o">.</span><span class="na">setProperty</span><span class="o">(</span><span class="n">entry</span><span class="o">.</span><span class="na">getKey</span><span class="o">(),</span> <span class="k">new</span> <span class="nc">StringValue</span><span class="o">(</span><span class="n">entry</span><span class="o">.</span><span class="na">getValue</span><span class="o">()));</span> <span class="o">}</span> <span class="c1">// Add users to exclusion group</span> <span class="k">for</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">Authorizable</span> <span class="n">user</span> <span class="o">:</span> <span class="n">users</span><span class="o">)</span> <span class="o">{</span> <span class="n">exclusionGroup</span><span class="o">.</span><span class="na">addMember</span><span class="o">(</span><span class="n">user</span><span class="o">);</span> <span class="o">}</span> <span class="c1">// Commit the creation of the exclusion group</span> <span class="n">resolver</span><span class="o">.</span><span class="na">commit</span><span class="o">();</span> <span class="c1">// Store the group ID so it can easily be found later for deletion</span> <span class="n">setWorkflowVariable</span><span class="o">(</span><span class="n">workItem</span><span class="o">,</span> <span class="no">PN_EXCLUSION_GROUP_ID</span><span class="o">,</span> <span class="n">exclusionGroupId</span><span class="o">);</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Created exclusion group with ID &lt;{}&gt;"</span><span class="o">,</span> <span class="n">exclusionGroupId</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">LoginException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">WorkflowException</span><span class="o">(</span><span class="s">"Could not log to service user."</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">RepositoryException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">WorkflowException</span><span class="o">(</span><span class="s">"Unexpected error while fetching user and/group"</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">PersistenceException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">WorkflowException</span><span class="o">(</span><span class="s">"Unexpected error while saving exclusion group"</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">WorkflowException</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"Unexpected error while running &lt;%s&gt;"</span><span class="o">,</span> <span class="k">this</span><span class="o">.</span><span class="na">getClass</span><span class="o">()),</span> <span class="n">e</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="kt">boolean</span> <span class="nf">userInGroup</span><span class="o">(</span><span class="kd">final</span> <span class="nc">UserManager</span> <span class="n">userManager</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">groupId</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">Authorizable</span> <span class="n">userAuthorizable</span><span class="o">)</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">GroupWithId</span> <span class="n">groupWithId</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">GroupWithId</span><span class="o">(</span><span class="n">groupId</span><span class="o">);</span> <span class="kd">final</span> <span class="nc">Iterator</span><span class="o">&lt;</span><span class="nc">Authorizable</span><span class="o">&gt;</span> <span class="n">iterator</span> <span class="o">=</span> <span class="n">userManager</span><span class="o">.</span><span class="na">findAuthorizables</span><span class="o">(</span><span class="n">groupWithId</span><span class="o">);</span> <span class="k">if</span> <span class="o">(!</span><span class="n">iterator</span><span class="o">.</span><span class="na">hasNext</span><span class="o">())</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"Group &lt;{}&gt; passed to workflow via argument &lt;{}&gt; does not exist"</span><span class="o">,</span> <span class="n">groupId</span><span class="o">,</span> <span class="no">PN_GROUPS</span><span class="o">);</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="kd">final</span> <span class="nc">Authorizable</span> <span class="n">group</span> <span class="o">=</span> <span class="n">iterator</span><span class="o">.</span><span class="na">next</span><span class="o">();</span> <span class="k">if</span> <span class="o">(!</span><span class="n">group</span><span class="o">.</span><span class="na">isGroup</span><span class="o">())</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"Principal &lt;{}&gt; passed to workflow via argument &lt;{}&gt; is not a group"</span><span class="o">,</span> <span class="n">groupId</span><span class="o">,</span> <span class="no">PN_GROUPS</span><span class="o">);</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="k">return</span> <span class="o">((</span><span class="nc">Group</span><span class="o">)</span> <span class="n">group</span><span class="o">).</span><span class="na">isMember</span><span class="o">(</span><span class="n">userAuthorizable</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">RepositoryException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"Unexpected error while searching for Authorizables"</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">Set</span><span class="o">&lt;</span><span class="nc">User</span><span class="o">&gt;</span> <span class="nf">getUsersOfGroup</span><span class="o">(</span><span class="kd">final</span> <span class="nc">UserManager</span> <span class="n">userManager</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">groupName</span><span class="o">)</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">UsersOfGroup</span> <span class="n">usersOfGroup</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UsersOfGroup</span><span class="o">(</span><span class="n">groupName</span><span class="o">);</span> <span class="kd">final</span> <span class="nc">Iterator</span><span class="o">&lt;</span><span class="nc">Authorizable</span><span class="o">&gt;</span> <span class="n">iterator</span> <span class="o">=</span> <span class="n">userManager</span><span class="o">.</span><span class="na">findAuthorizables</span><span class="o">(</span><span class="n">usersOfGroup</span><span class="o">);</span> <span class="kd">final</span> <span class="nc">Set</span><span class="o">&lt;</span><span class="nc">User</span><span class="o">&gt;</span> <span class="n">users</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashSet</span><span class="o">&lt;&gt;();</span> <span class="k">while</span> <span class="o">(</span><span class="n">iterator</span><span class="o">.</span><span class="na">hasNext</span><span class="o">())</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">Authorizable</span> <span class="n">authorizable</span> <span class="o">=</span> <span class="n">iterator</span><span class="o">.</span><span class="na">next</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">authorizable</span><span class="o">.</span><span class="na">isGroup</span><span class="o">())</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Ignoring authorizable &lt;{}&gt;, member of group &lt;{}&gt; as it is not a user"</span><span class="o">,</span> <span class="n">authorizable</span><span class="o">.</span><span class="na">getPrincipal</span><span class="o">().</span><span class="na">getName</span><span class="o">(),</span> <span class="n">groupName</span><span class="o">);</span> <span class="k">continue</span><span class="o">;</span> <span class="o">}</span> <span class="n">users</span><span class="o">.</span><span class="na">add</span><span class="o">((</span><span class="nc">User</span><span class="o">)</span> <span class="n">authorizable</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="n">users</span><span class="o">;</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">RepositoryException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"Unexpected error while searching for Authorizables"</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="k">return</span> <span class="nc">Collections</span><span class="o">.</span><span class="na">emptySet</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Assigning the approval step </h3> <p>Now that the exclusion group has been created, we can create a dynamic participant step chooser that assigns the next step to the exclusion group (see <a href="https://experienceleague.adobe.com/docs/experience-manager-65/content/implementing/developing/extending-aem/extending-workflows/workflows-step-ref.html?lang=en#dynamic-participant-step-example-participant-chooser-service" rel="noopener noreferrer">Dynamic Participant Step - Example Participant Chooser Service<br> </a>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">import</span> <span class="nn">com.adobe.granite.workflow.WorkflowException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.adobe.granite.workflow.WorkflowSession</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.adobe.granite.workflow.exec.ParticipantStepChooser</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.adobe.granite.workflow.exec.WorkItem</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.adobe.granite.workflow.metadata.MetaDataMap</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">lombok.extern.slf4j.Slf4j</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.osgi.service.component.annotations.Component</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">static</span> <span class="n">com</span><span class="o">.</span><span class="na">theopendle</span><span class="o">.</span><span class="na">core</span><span class="o">.</span><span class="na">workflow</span><span class="o">.</span><span class="na">WorkflowUtil</span><span class="o">.</span><span class="na">getWorkflowVariable</span><span class="o">;</span> <span class="nd">@Slf4j</span> <span class="nd">@Component</span><span class="o">(</span><span class="n">service</span> <span class="o">=</span> <span class="nc">ParticipantStepChooser</span><span class="o">.</span><span class="na">class</span><span class="o">,</span> <span class="n">property</span> <span class="o">=</span> <span class="o">{</span> <span class="nc">ParticipantStepChooser</span><span class="o">.</span><span class="na">SERVICE_PROPERTY_LABEL</span> <span class="o">+</span> <span class="s">"=Exclusion group"</span> <span class="o">})</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ExclusionGroupParticipantStepChooser</span> <span class="kd">implements</span> <span class="nc">ParticipantStepChooser</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getParticipant</span><span class="o">(</span><span class="kd">final</span> <span class="nc">WorkItem</span> <span class="n">workItem</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">WorkflowSession</span> <span class="n">workflowSession</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">MetaDataMap</span> <span class="n">metaDataMap</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">WorkflowException</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">exclusionGroupId</span> <span class="o">=</span> <span class="n">getWorkflowVariable</span><span class="o">(</span><span class="n">workItem</span><span class="o">,</span> <span class="nc">CreateExclusionGroup</span><span class="o">.</span><span class="na">PN_EXCLUSION_GROUP_ID</span><span class="o">,</span> <span class="nc">String</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">exclusionGroupId</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">WorkflowException</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"No exclusion group found in workflow metadata map via property &lt;%s&gt;"</span><span class="o">,</span> <span class="nc">CreateExclusionGroup</span><span class="o">.</span><span class="na">PN_EXCLUSION_GROUP_ID</span><span class="o">));</span> <span class="o">}</span> <span class="k">return</span> <span class="n">exclusionGroupId</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Cleaning up the exclusion group </h3> <p>Of course, we don't want hundreds of exclusion groups to build up over time, so let's make sure to delete the group once the approval step is over.</p> <p>We can do this by implementing another custom process step:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">import</span> <span class="nn">com.adobe.granite.workflow.WorkflowException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.adobe.granite.workflow.WorkflowSession</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.adobe.granite.workflow.exec.WorkItem</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.adobe.granite.workflow.exec.WorkflowProcess</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.adobe.granite.workflow.metadata.MetaDataMap</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">lombok.extern.slf4j.Slf4j</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.jackrabbit.api.security.user.Authorizable</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.jackrabbit.api.security.user.UserManager</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.sling.api.resource.LoginException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.sling.api.resource.PersistenceException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.sling.api.resource.ResourceResolver</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.sling.api.resource.ResourceResolverFactory</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.osgi.framework.Constants</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.osgi.service.component.annotations.Component</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.osgi.service.component.annotations.Reference</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.jcr.RepositoryException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Map</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">static</span> <span class="n">com</span><span class="o">.</span><span class="na">theopendle</span><span class="o">.</span><span class="na">core</span><span class="o">.</span><span class="na">workflow</span><span class="o">.</span><span class="na">WorkflowUtil</span><span class="o">.</span><span class="na">getWorkflowVariable</span><span class="o">;</span> <span class="nd">@Slf4j</span> <span class="nd">@Component</span><span class="o">(</span><span class="n">property</span> <span class="o">=</span> <span class="o">{</span> <span class="s">"process.label"</span> <span class="o">+</span> <span class="s">"=Delete exclusion groups"</span><span class="o">,</span> <span class="nc">Constants</span><span class="o">.</span><span class="na">SERVICE_DESCRIPTION</span> <span class="o">+</span> <span class="s">"=Workflow step to delete exclusion groups created earlier in the workflow"</span><span class="o">,</span> <span class="nc">Constants</span><span class="o">.</span><span class="na">SERVICE_VENDOR</span> <span class="o">+</span> <span class="s">"=Theo Pendle"</span><span class="o">,</span> <span class="o">})</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">DeleteExclusionGroups</span> <span class="kd">implements</span> <span class="nc">WorkflowProcess</span> <span class="o">{</span> <span class="nd">@Reference</span> <span class="kd">private</span> <span class="nc">ResourceResolverFactory</span> <span class="n">resourceResolverFactory</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">execute</span><span class="o">(</span><span class="kd">final</span> <span class="nc">WorkItem</span> <span class="n">workItem</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">WorkflowSession</span> <span class="n">workflowSession</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">MetaDataMap</span> <span class="n">metaDataMap</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">WorkflowException</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">exclusionGroupId</span> <span class="o">=</span> <span class="n">getWorkflowVariable</span><span class="o">(</span><span class="n">workItem</span><span class="o">,</span> <span class="nc">CreateExclusionGroup</span><span class="o">.</span><span class="na">PN_EXCLUSION_GROUP_ID</span><span class="o">,</span> <span class="nc">String</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">exclusionGroupId</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">WorkflowException</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"No exclusion group found in workflow metadata map via property &lt;%s&gt;"</span><span class="o">,</span> <span class="nc">CreateExclusionGroup</span><span class="o">.</span><span class="na">PN_EXCLUSION_GROUP_ID</span><span class="o">));</span> <span class="o">}</span> <span class="k">try</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">ResourceResolver</span> <span class="n">resolver</span> <span class="o">=</span> <span class="n">resourceResolverFactory</span><span class="o">.</span><span class="na">getServiceResourceResolver</span><span class="o">(</span><span class="nc">Map</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="nc">ResourceResolverFactory</span><span class="o">.</span><span class="na">SUBSERVICE</span><span class="o">,</span> <span class="s">"user-management"</span><span class="o">)))</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">UserManager</span> <span class="n">userManager</span> <span class="o">=</span> <span class="n">resolver</span><span class="o">.</span><span class="na">adaptTo</span><span class="o">(</span><span class="nc">UserManager</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">userManager</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">WorkflowException</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"Could not retrieve &lt;%s&gt;"</span><span class="o">,</span> <span class="nc">UserManager</span><span class="o">.</span><span class="na">class</span><span class="o">));</span> <span class="o">}</span> <span class="kd">final</span> <span class="nc">Authorizable</span> <span class="n">exclusionGroup</span> <span class="o">=</span> <span class="n">userManager</span><span class="o">.</span><span class="na">getAuthorizable</span><span class="o">(</span><span class="n">exclusionGroupId</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">exclusionGroup</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">WorkflowException</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">format</span><span class="o">(</span><span class="s">"Could not find exclusion group with ID &lt;%s&gt;"</span><span class="o">,</span> <span class="n">exclusionGroupId</span><span class="o">));</span> <span class="o">}</span> <span class="n">exclusionGroup</span><span class="o">.</span><span class="na">remove</span><span class="o">();</span> <span class="n">resolver</span><span class="o">.</span><span class="na">commit</span><span class="o">();</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Deleted exclusion group &lt;{}&gt;"</span><span class="o">,</span> <span class="n">exclusionGroupId</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">LoginException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">WorkflowException</span><span class="o">(</span><span class="s">"Could not log to service user."</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">RepositoryException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">WorkflowException</span><span class="o">(</span><span class="s">"Unexpected error while fetching user and/group"</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">PersistenceException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">WorkflowException</span><span class="o">(</span><span class="s">"Unexpected error while saving exclusion group"</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Updating the workflow model </h3> <p>Now that we have the steps we need, let's put them together in the <code>Request for activation</code> workflow model. </p> <p>Here is an image of the updated workflow model. See the Github link at the bottom of the article for the exact configuration:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftwefnerw6d4daezcpybq.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftwefnerw6d4daezcpybq.png" alt="The updated Request for activation workflow model"></a></p> <h3> Result </h3> <p>Once the workflow model is updated and synchronized, the use case should be satisfied.</p> <p>For the purposes of the demo, I have created some test groups and users, see the Github link at the bottom of the article for details.</p> <p>Watch me demo the feature in the GIF below:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftqpw383j8yffnrhgd29j.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftqpw383j8yffnrhgd29j.gif" alt="A demo of the functionality"></a></p> <p>Steps in the demo: </p> <ol> <li>We log in as <code>allan</code> and start the <code>Request for activation</code> workflow on a page</li> <li>We confirm that <code>allan</code> is <strong>not</strong> notified of the approval step (he cannot approve his own request)</li> <li>We log in as <code>betty</code> </li> <li>We confirm that <code>betty</code> has received a notification about the approval step</li> <li>We approve the content</li> <li>We log back in as <code>allan</code> and confirm that the content was indeed published</li> </ol> <h2> Conclusion </h2> <p>You should now be able to create four-eyes approvals in workflows for colleagues within the same AEM user group! </p> <p>This article focused on the popular use case of page activation, but of course the principle is applicable to any approval you might need to implement.</p> <p>You can view the source code for the implementation and the demo on <a href="https://github.com/theopendle/aem-demo/tree/tutorial/4-eyes-validation" rel="noopener noreferrer">Github</a>.</p> <p>I've created a diff so you can see just the changes to make this feature work <a href="https://github.com/theopendle/aem-demo/compare/cd123fd4f766399887171f20bad0284014dd9f09...tutorial/4-eyes-validation" rel="noopener noreferrer">here</a>.</p> <p>Donā€™t hesitate to contact me on <a href="https://www.linkedin.com/in/theo-pendle-1630a52a" rel="noopener noreferrer">LinkedIn</a> if you have any questions/ideas!</p> aem adobe workflow cms AEM: Connect AEM to an External database (Oracle example) Theo Pendle Sat, 22 Apr 2023 08:43:05 +0000 https://forem.com/theopendle/aem-connect-aem-to-an-external-database-oracle-example-2oao https://forem.com/theopendle/aem-connect-aem-to-an-external-database-oracle-example-2oao <p>It can happen when implementing AEM that you suddenly realize that the JCR database is not the best solution to store certain types of data. </p> <p>For example, the JCR-SQL2 dialect is missing a lot of features that you'd expect from an typical database, so queries can become cumbersome. These limitations can be a real bummer if you're trying to store thousands of products, blog posts or whatnot. For that reason, you may want to store certain data in an external database such as Oracle, MySQL, Neo4J, etc. </p> <p>In enterprise environments, Oracle is often favored for RDBMS needs due its advanced features and support. With that in mind, I've decided to use Oracle as the basis for this tutorial, but the principles apply to any other external database.</p> <p>There are essentially 3 components required to integrate AEM with an external database:</p> <ol> <li>A JDBC driver bundle, which lets Java communicate with the database</li> <li>A data source configuration, which represents the connection details of your database</li> <li>A client, some Java class which actually runs a query</li> </ol> <p>Follow this tutorial to find out how to set this all up. I've provided a Github link at the bottom of the article if you want to see a concrete implementation of this tutorial.</p> <h2> Wrapping the oracle JDBC driver </h2> <p>I've seen many articles online that simply mention "create an OJDBC wrapper bundle" or give step-by-step instructions to manually create the bundle using Eclipse plugins. I would prefer to have an automated wrapper that can easily be changed and/or bundled with the rest of your AEM application, so let's use Maven to create our bundle.</p> <p>Here is a POM file to wrap the <code>ojdbc8</code> driver:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="cp">&lt;?xml version="1.0" encoding="UTF-8"?&gt;</span> <span class="nt">&lt;project</span> <span class="na">xmlns=</span><span class="s">"http://maven.apache.org/POM/4.0.0"</span> <span class="na">xmlns:xsi=</span><span class="s">"http://www.w3.org/2001/XMLSchema-instance"</span> <span class="na">xsi:schemaLocation=</span><span class="s">"http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"</span><span class="nt">&gt;</span> <span class="nt">&lt;modelVersion&gt;</span>4.0.0<span class="nt">&lt;/modelVersion&gt;</span> <span class="nt">&lt;parent&gt;</span> <span class="nt">&lt;groupId&gt;</span>com.theopendle<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>demo<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>1.0.0-SNAPSHOT<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;relativePath&gt;</span>../pom.xml<span class="nt">&lt;/relativePath&gt;</span> <span class="nt">&lt;/parent&gt;</span> <span class="nt">&lt;artifactId&gt;</span>demo.ojdbc-bundle<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;packaging&gt;</span>bundle<span class="nt">&lt;/packaging&gt;</span> <span class="nt">&lt;name&gt;</span>Demo - OJDBC bundle<span class="nt">&lt;/name&gt;</span> <span class="nt">&lt;description&gt;</span>OSGi wrapper for Oracle JDBC jar.<span class="nt">&lt;/description&gt;</span> <span class="nt">&lt;build&gt;</span> <span class="nt">&lt;plugins&gt;</span> <span class="nt">&lt;plugin&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.apache.felix<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>maven-bundle-plugin<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>3.5.0<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;extensions&gt;</span>true<span class="nt">&lt;/extensions&gt;</span> <span class="nt">&lt;configuration&gt;</span> <span class="nt">&lt;instructions&gt;</span> <span class="nt">&lt;Bundle-License&gt;</span>non-free<span class="nt">&lt;/Bundle-License&gt;</span> <span class="nt">&lt;Bundle-Vendor&gt;</span>Oracle<span class="nt">&lt;/Bundle-Vendor&gt;</span> <span class="nt">&lt;_exportcontents&gt;</span>*<span class="nt">&lt;/_exportcontents&gt;</span> <span class="nt">&lt;Export-Package&gt;</span> oracle.core.*;version="${project.version}", oracle.jdbc.*;version="${project.version}", oracle.jpub.*;version="${project.version}", oracle.net.*;version="${project.version}", oracle.security.*;version="${project.version}", oracle.sql.*;version="${project.version}" <span class="nt">&lt;/Export-Package&gt;</span> <span class="nt">&lt;Import-Package&gt;</span>*;resolution:=optional<span class="nt">&lt;/Import-Package&gt;</span> <span class="nt">&lt;Private-Package&gt;</span>!*<span class="nt">&lt;/Private-Package&gt;</span> <span class="nt">&lt;Embed-Dependency&gt;</span>*;scope=compile|runtime;type=!pom;inline=true<span class="nt">&lt;/Embed-Dependency&gt;</span> <span class="nt">&lt;/instructions&gt;</span> <span class="nt">&lt;/configuration&gt;</span> <span class="nt">&lt;/plugin&gt;</span> <span class="nt">&lt;/plugins&gt;</span> <span class="nt">&lt;/build&gt;</span> <span class="nt">&lt;dependencies&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>com.oracle.database.jdbc<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>ojdbc8<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>21.7.0.0<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;/dependencies&gt;</span> <span class="nt">&lt;/project&gt;</span> </code></pre> </div> <p>If you're not familiar with the <code>maven-bundle-plugin</code> plugin, here are some pointers:</p> <ul> <li>The <code>&lt;Export-Package&gt;</code> tag contains the list of packages in the <code>ojdbc8</code> JAR file that you might conceivably need to call from your Java code. We are making the classes from those packages available in OSGi so they can be imported by your Java code.</li> <li>The <code>&lt;Import-Package&gt;*;resolution:=optional&lt;/Import-Package&gt;</code> marks all imports as optional so we <a href="https://bnd.bndtools.org/chapters/920-faq.html#remove-unwanted-imports-">aren't forced to satisfy them with another bundle</a>.</li> <li>The <code>&lt;Embed-Dependency&gt;*;scope=compile|runtime;type=!pom;inline=true&lt;/Embed-Dependency&gt;</code> tag tells Maven to embed all compile or runtime dependencies (in this case our only dependency is <code>ojdbc8</code>) into this bundle.</li> </ul> <p>If you add this POM to your project as a Maven submodule, and embed it in your <code>all</code>package, you can easily deploy this bundle to AEM as a part of your application. See the Git diff at the bottom of the article for specifics.</p> <p>The end result should be a new bundle running in the OSGi container, like so: </p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--U8-P6rrw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2tplbxbi0ng39miu9q8t.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--U8-P6rrw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2tplbxbi0ng39miu9q8t.png" alt="OJDBC bundle present in OSGi" width="512" height="59"></a></p> <p>Now that the diver is available in OSGi, let's use it to open a database connection.</p> <h2> Configuring the DataSourcePool </h2> <p>The <code>com.day.commons.datasource.poolservice.DataSourcePool</code> Java class is used to to create connections to a database. It pulls its configuration from the <code>com.day.commons.datasource.jdbcpool.JdbcPoolService</code> configuration factory. </p> <p>You can configure your datasource by going to <code>/system/console/configMgr/com.day.commons.datasource.jdbcpool.JdbcPoolService</code> but here is my version as <code>cfg.json</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"jdbc.password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"test"</span><span class="p">,</span><span class="w"> </span><span class="nl">"jdbc.driver.class"</span><span class="p">:</span><span class="w"> </span><span class="s2">"oracle.jdbc.driver.OracleDriver"</span><span class="p">,</span><span class="w"> </span><span class="nl">"datasource.name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"oracle"</span><span class="p">,</span><span class="w"> </span><span class="nl">"jdbc.connection.uri"</span><span class="p">:</span><span class="w"> </span><span class="s2">"jdbc:oracle:thin:@localhost:1521:test"</span><span class="p">,</span><span class="w"> </span><span class="nl">"jdbc.validation.query"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SELECT 1 FROM DUAL"</span><span class="p">,</span><span class="w"> </span><span class="nl">"default.readonly"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"default.autocommit"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"jdbc.username"</span><span class="p">:</span><span class="w"> </span><span class="s2">"test"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pool.max.wait.msec"</span><span class="p">:</span><span class="w"> </span><span class="mi">1000</span><span class="p">,</span><span class="w"> </span><span class="nl">"pool.size"</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Testing the connection </h2> <p>Now everything should be ready for you to start making queries to the database, so let's give it a go.</p> <p>In your <code>core</code> java module, write a class that opens a connection to the database. If you used my configuration above, you can run use the <code>Connection::isValid</code> method to run the validation query, in my case <code>SELECT 1 FROM DUAL</code>.</p> <p>Here is an example of an service that will let us easily open connections in the future. For now it does nothing but check the validity of the connection on startup.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Slf4j</span> <span class="nd">@Component</span><span class="o">(</span><span class="n">service</span> <span class="o">=</span> <span class="nc">OracleDataSource</span><span class="o">.</span><span class="na">class</span><span class="o">,</span> <span class="n">immediate</span> <span class="o">=</span> <span class="kc">true</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">OracleDataSource</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">DATA_SOURCE_NAME</span> <span class="o">=</span> <span class="s">"oracle"</span><span class="o">;</span> <span class="nd">@Reference</span> <span class="kd">private</span> <span class="nc">DataSourcePool</span> <span class="n">dataSourcePool</span><span class="o">;</span> <span class="nd">@Activate</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">activate</span><span class="o">()</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="kd">final</span> <span class="nc">DataSource</span> <span class="n">dataSource</span> <span class="o">=</span> <span class="o">(</span><span class="nc">DataSource</span><span class="o">)</span> <span class="n">dataSourcePool</span><span class="o">.</span><span class="na">getDataSource</span><span class="o">(</span><span class="no">DATA_SOURCE_NAME</span><span class="o">);</span> <span class="k">try</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">Connection</span> <span class="n">connection</span> <span class="o">=</span> <span class="n">dataSource</span><span class="o">.</span><span class="na">getConnection</span><span class="o">())</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">connection</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"Could not establish connection to &lt;{}&gt;"</span><span class="o">,</span> <span class="no">DATA_SOURCE_NAME</span><span class="o">);</span> <span class="k">return</span><span class="o">;</span> <span class="o">}</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Connection is valid: &lt;{}&gt;"</span><span class="o">,</span> <span class="n">connection</span><span class="o">.</span><span class="na">isValid</span><span class="o">(</span><span class="mi">1000</span><span class="o">));</span> <span class="o">}</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">SQLException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"Could not establish connection to &lt;{}&gt;"</span><span class="o">,</span> <span class="no">DATA_SOURCE_NAME</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="kd">final</span> <span class="nc">DataSourceNotFoundException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"Could not find data source with name &lt;{}&gt;"</span><span class="o">,</span> <span class="no">DATA_SOURCE_NAME</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Now if you build and install your <code>core</code> bundle, you should see a log like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>11.03.2023 14:00:28.568 *INFO* [OsgiInstallerImpl] com.theopendle.core.services.OracleDataSource Connection is valid: &lt;true&gt; </code></pre> </div> <h2> Conclusion </h2> <p>In this tutorial you learned how to bundle a JDBC driver and use it to open a connection to an Oracle database. </p> <p>I usually like to tackle specific use cases in my tutorials to make them more engaging and because I try to anticipate what developers will be Googling šŸ˜‰</p> <p>However, there are several general takeaways in this article:</p> <ol> <li>Bundling a JAR at build-time using a POM file in a Maven submodule is applicable for any dependency, not just a JDBC driver. And it is much easier and better practice than for your applications to realy on bundles that must be built by hand and deployed to OSGi as an installation step of your AEM instances.</li> <li>Using a OSGi service to represent your data source and provide methods like opening and validating connections, handling timeouts, connection pool maintenance, etc. is a much better practice than to have those elements implemented in business logic.</li> </ol> <p>See <a href="https://github.com/theopendle/aem-demo/compare/622836a8401a49c6fa884046ec1eefa811929a62...tutorial/oracle">this link to a Git diff</a> to see all the changes that make this feature possible.</p> <p>I hope this was useful for you! If you liked it, don't hesitate to follow me here or <a href="https://www.linkedin.com/in/theo-pendle-1630a52a/">on LinkedIn</a> šŸ˜€</p> aem oracle sql osgi Custom Sling Injector With Annotations Theo Pendle Sat, 19 Nov 2022 20:13:52 +0000 https://forem.com/theopendle/custom-sling-injector-with-annotations-3l1p https://forem.com/theopendle/custom-sling-injector-with-annotations-3l1p <h2> How to inject anything anywhere with Sling </h2> <p>In this article I will show you how to build a custom injector for your Sling models with a real use-case. The source code is available on Github if you scroll to the bottom of the article.</p> <h3> The use case: hungry for cookies </h3> <p>One common use case I've seen is the need to read cookies in order to determine some behaviour in a set of components. Let's have a look at how we can use injection to write a re-usable solution to this requirement.</p> <p>The objective will be to achieve something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="o">...</span> <span class="c1">// Read the cookie value here</span> <span class="nd">@CookieValue</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">sessionId</span><span class="o">;</span> <span class="nd">@PostConstruct</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">init</span><span class="o">()</span> <span class="o">{</span> <span class="c1">// Use the cookie value here</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"Session ID &lt;{}&gt;"</span><span class="o">,</span> <span class="n">sessionId</span><span class="o">);</span> <span class="o">}</span> <span class="o">...</span> </code></pre> </div> <p>There are essentially three parts to a custom injector:</p> <ol> <li>The annotation which you will use to inject an object into a field (or somewhere else)</li> <li>An annotation processor which will feed the attributes of your annotation to the Sling framework</li> <li>The injector itself, which is responsible for providing the object</li> </ol> <p>Let's start by creating our annotation. I will give code examples with an extra-generous serving of comments to explain each line šŸ‘</p> <h3> Creating the annotation </h3> <p>To create your annotation, write the following Java <code>@interface</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="c1">// This annotation belongs on a method (eg: getter), field or parameter (eg: constructor parameter)</span> <span class="nd">@Target</span><span class="o">({</span><span class="nc">ElementType</span><span class="o">.</span><span class="na">FIELD</span><span class="o">,</span> <span class="nc">ElementType</span><span class="o">.</span><span class="na">PARAMETER</span><span class="o">})</span> <span class="c1">// Retained at runtime, as opposed to the Lombok @Getter which is discarded for example</span> <span class="nd">@Retention</span><span class="o">(</span><span class="nc">RetentionPolicy</span><span class="o">.</span><span class="na">RUNTIME</span><span class="o">)</span> <span class="c1">// Declares an annotation as a custom inject annotation.</span> <span class="nd">@InjectAnnotation</span> <span class="c1">// This string will tell Sling which injector to use for this value</span> <span class="nd">@Source</span><span class="o">(</span><span class="s">"cookie-value"</span><span class="o">)</span> <span class="kd">public</span> <span class="nd">@interface</span> <span class="nc">CookieValue</span> <span class="o">{</span> <span class="c1">// Default to OPTIONAL injection strategy as we cannot rely on the cookie being present</span> <span class="nc">InjectionStrategy</span> <span class="nf">injectionStrategy</span><span class="o">()</span> <span class="k">default</span> <span class="nc">InjectionStrategy</span><span class="o">.</span><span class="na">OPTIONAL</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <h3> Processing the annotation </h3> <p>Now that we have an annotation to indicate that a value should by read from a cookie, we must tell the Sling framework how to interpret it.</p> <p>The most important piece of information for Sling to know is the <code>injectionStrategy</code> should, by default be <code>OPTIONAL</code>. If not, then any Sling model that attempts to read a cookie and fails, would throw an exception. </p> <p>To create our annotation processor, we must implement the <code>InjectAnnotationProcessor2</code> interface.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@AllArgsConstructor</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">CookieValueProcessor</span> <span class="kd">implements</span> <span class="nc">InjectAnnotationProcessor2</span> <span class="o">{</span> <span class="kd">private</span> <span class="nc">CookieValue</span> <span class="n">annotation</span><span class="o">;</span> <span class="c1">// This is the only we wish to take from the CookieValue annotation</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">InjectionStrategy</span> <span class="nf">getInjectionStrategy</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">annotation</span><span class="o">.</span><span class="na">injectionStrategy</span><span class="o">();</span> <span class="o">}</span> <span class="c1">// We can leave all these as default</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getName</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getVia</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">hasDefault</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">false</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">Object</span> <span class="nf">getDefault</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">Boolean</span> <span class="nf">isOptional</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Injecting the cookie value </h3> <p>Finally we are ready to write the logic to read a value from a cookie. To do that, we must write the injector. This class will also server to bind the annotation to the processor from the previous steps:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="cm">/** * Injects the value of a cookie derived from a SlingHttpServletRequest. */</span> <span class="nd">@Slf4j</span> <span class="nd">@Component</span><span class="o">(</span><span class="n">service</span> <span class="o">=</span> <span class="o">{</span><span class="nc">Injector</span><span class="o">.</span><span class="na">class</span><span class="o">,</span> <span class="nc">StaticInjectAnnotationProcessorFactory</span><span class="o">.</span><span class="na">class</span><span class="o">})</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">CookieValueInjector</span> <span class="kd">implements</span> <span class="nc">Injector</span><span class="o">,</span> <span class="nc">StaticInjectAnnotationProcessorFactory</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">getName</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="s">"cookie-value"</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">Object</span> <span class="nf">getValue</span><span class="o">(</span><span class="kd">final</span> <span class="nc">Object</span> <span class="n">adaptable</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">name</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">Type</span> <span class="n">type</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">AnnotatedElement</span> <span class="n">element</span><span class="o">,</span> <span class="kd">final</span> <span class="nc">DisposalCallbackRegistry</span> <span class="n">callbackRegistry</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// Injectors are cycled through, so it is important to perform this check.</span> <span class="c1">// We only want to trigger our code if the annotation being processed is indeed CookieValue</span> <span class="kd">final</span> <span class="nc">CookieValue</span> <span class="n">annotation</span> <span class="o">=</span> <span class="n">element</span><span class="o">.</span><span class="na">getAnnotation</span><span class="o">(</span><span class="nc">CookieValue</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">annotation</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="c1">// We cannot get a cookie from a resource adaptable, so let's make sure we indeed have a request to read from</span> <span class="k">if</span> <span class="o">(!(</span><span class="n">adaptable</span> <span class="k">instanceof</span> <span class="nc">SlingHttpServletRequest</span><span class="o">))</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"Cannot adapt &lt;{}&gt; to cookie value"</span><span class="o">,</span> <span class="n">adaptable</span><span class="o">.</span><span class="na">getClass</span><span class="o">().</span><span class="na">getSimpleName</span><span class="o">());</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="kd">final</span> <span class="nc">SlingHttpServletRequest</span> <span class="n">request</span> <span class="o">=</span> <span class="o">(</span><span class="nc">SlingHttpServletRequest</span><span class="o">)</span> <span class="n">adaptable</span><span class="o">;</span> <span class="kd">final</span> <span class="nc">Cookie</span> <span class="n">cookie</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getCookie</span><span class="o">(</span><span class="n">name</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">cookie</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">log</span><span class="o">.</span><span class="na">debug</span><span class="o">(</span><span class="s">"Could not read value from cookie &lt;{}&gt; as no such cookie exists"</span><span class="o">,</span> <span class="n">name</span><span class="o">);</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="k">return</span> <span class="n">cookie</span><span class="o">.</span><span class="na">getValue</span><span class="o">();</span> <span class="o">}</span> <span class="c1">// This rather clunky method in conjunction with CookieValueProcessor to pass the values of the annotation to the</span> <span class="c1">// Sling framework. Especially critical for the InjectionStrategy!</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">InjectAnnotationProcessor2</span> <span class="nf">createAnnotationProcessor</span><span class="o">(</span><span class="kd">final</span> <span class="nc">AnnotatedElement</span> <span class="n">element</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// Check if the element has the expected annotation</span> <span class="kd">final</span> <span class="nc">CookieValue</span> <span class="n">annotation</span> <span class="o">=</span> <span class="n">element</span><span class="o">.</span><span class="na">getAnnotation</span><span class="o">(</span><span class="nc">CookieValue</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">annotation</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">CookieValueProcessor</span><span class="o">(</span><span class="n">annotation</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>And there you have it! Now lets use what we've just created in a Sling model.</p> <h3> Using our injector </h3> <p>In order to test our work so far, I'll inject a cookie value into a very basic Sling Model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="nd">@Model</span><span class="o">(</span><span class="n">adaptables</span> <span class="o">=</span> <span class="nc">SlingHttpServletRequest</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">HelloWorldImpl</span> <span class="kd">implements</span> <span class="nc">HelloWorld</span> <span class="o">{</span> <span class="c1">// Here we use our injector to tell Sling to read the value of the "sessionId" cookie.</span> <span class="nd">@CookieValue</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">sessionId</span><span class="o">;</span> <span class="nd">@Getter</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">message</span><span class="o">;</span> <span class="nd">@PostConstruct</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">init</span><span class="o">()</span> <span class="o">{</span> <span class="n">message</span> <span class="o">=</span> <span class="s">"Session ID: "</span> <span class="o">+</span> <span class="n">sessionId</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Deploy this component to your local instance, place it on a page and you should see the following result:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvpmszi1lachnfrekhhk9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvpmszi1lachnfrekhhk9.png" alt="Session ID is null" width="515" height="143"></a></p> <p>No worries! The cookie doesn't exist yet. Let's create it by running the following code in the console of your browser:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">sessionId=123456789</span><span class="dl">"</span> </code></pre> </div> <p>Refresh your page and you should see the value of <code>sessionId</code>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frq8qzyhgvjx52782lp8o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frq8qzyhgvjx52782lp8o.png" alt="Session id is correct" width="482" height="120"></a></p> <p>And that's how you write a custom injector! šŸ’‰</p> <h3> Kicking it up a notch </h3> <p>But what if we want to de-couple the field name from the cookie name? And what if we want to inject not a String but rather a boolean value, such as a marketing consent flag? </p> <p>Well stick around to find out.</p> <h3> Injecting a custom type </h3> <p>Changing the type of the injected value is relatively easy. Since the <code>getValue()</code> method of the <code>Injector</code> interface returns an <code>Object</code>, Sling basically casts the return value to the type of the field into which the injection happens.</p> <p>However, it is our job to find out which type <em>should</em> be returned. So let's add this piece of logic before to our injector class:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="c1">// Check which type we should return, and convert accordingly</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">stringValue</span> <span class="o">=</span> <span class="n">cookie</span><span class="o">.</span><span class="na">getValue</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">type</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="nc">String</span><span class="o">.</span><span class="na">class</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="n">stringValue</span><span class="o">;</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="n">type</span><span class="o">.</span><span class="na">equals</span><span class="o">(</span><span class="nc">Boolean</span><span class="o">.</span><span class="na">class</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">Boolean</span><span class="o">.</span><span class="na">parseBoolean</span><span class="o">(</span><span class="n">stringValue</span><span class="o">);</span> <span class="o">}</span> <span class="c1">// If the type of the field is not something we expect, then return null</span> <span class="n">log</span><span class="o">.</span><span class="na">error</span><span class="o">(</span><span class="s">"Cookie value can only be injected as type &lt;{}&gt;"</span><span class="o">,</span> <span class="n">type</span><span class="o">.</span><span class="na">getClass</span><span class="o">());</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> </code></pre> </div> <h3> Reading a custom cookie name </h3> <p>To make it possible to specify the name of the cookie to read from, we will have to give our annotation another attribute. Add this method to the <code>CookieValue</code> annotation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="cm">/** * The name of the cooke to read the value from */</span> <span class="nc">String</span> <span class="nf">cookie</span><span class="o">()</span> <span class="k">default</span> <span class="s">""</span><span class="o">;</span> </code></pre> </div> <p>Then add the following logic to the injector:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="c1">// Use the cookie name if provided, else use the name of the annotated element (eg: field name)</span> <span class="kd">final</span> <span class="nc">String</span> <span class="n">cookieName</span> <span class="o">=</span> <span class="nc">StringUtils</span><span class="o">.</span><span class="na">isNotBlank</span><span class="o">(</span><span class="n">annotation</span><span class="o">.</span><span class="na">cookie</span><span class="o">())</span> <span class="o">?</span> <span class="n">annotation</span><span class="o">.</span><span class="na">cookie</span><span class="o">()</span> <span class="o">:</span> <span class="n">name</span><span class="o">;</span> </code></pre> </div> <p>Finally, we can use the injector in our model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@CookieValue</span><span class="o">(</span><span class="n">cookie</span> <span class="o">=</span> <span class="s">"demo_marketing_consent"</span><span class="o">)</span> <span class="kd">private</span> <span class="nc">Boolean</span> <span class="n">marketingConsent</span><span class="o">;</span> </code></pre> </div> <p>Deploy and run the following line of code to create the cookie:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">demo_marketing_consent=true</span><span class="dl">"</span> </code></pre> </div> <p>And now your boolean value is injected too:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsejtf3bo990n40tmmw9d.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsejtf3bo990n40tmmw9d.png" alt="Marketing consent cookie is true" width="503" height="138"></a></p> <h3> More examples </h3> <p>The source code for this tutorial is on <a href="https://github.com/theopendle/aem-demo/tree/tutorial/custom-injector" rel="noopener noreferrer">GitHub</a>.</p> <p>I've created <a href="https://github.com/theopendle/aem-demo/compare/7cc5255302f6348d1118e5b8ccfc9e7499023fc8...da69a98c" rel="noopener noreferrer">a diff here</a> so you can see exactly what changes to make. It includes another example of a custom annotation that lets you do this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code> <span class="c1">// Inject the tags associated to the page on which this component is placed</span> <span class="nd">@PageTag</span> <span class="kd">private</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">Tag</span><span class="o">&gt;</span> <span class="n">tags</span><span class="o">;</span> <span class="c1">// Inject a single tag from a custom page property</span> <span class="nd">@PageTag</span><span class="o">(</span><span class="n">name</span> <span class="o">=</span> <span class="s">"customTag"</span><span class="o">)</span> <span class="kd">private</span> <span class="nc">Tag</span> <span class="n">customTag</span><span class="o">;</span> </code></pre> </div> <p>Donā€™t hesitate to contact me on <a href="https://www.linkedin.com/in/theo-pendle-1630a52a" rel="noopener noreferrer">LinkedIn</a> if you have any questions/ideas or if you just want to discuss all things Sling or AEM! šŸ‘</p> ai discuss AEM: Deploying replication agents asĀ code Theo Pendle Sun, 02 Oct 2022 09:38:38 +0000 https://forem.com/theopendle/aem-deploying-replication-agents-as-code-3n92 https://forem.com/theopendle/aem-deploying-replication-agents-as-code-3n92 <h2> Use case </h2> <p>Let's imagine you want to install AEM with a pretty standard, simple topology. You may have 4 environments (local, dev, uat, prod) and each environments consists of one author replicating to two publishers.Ā </p> <p>That means you have 8 replication agents to set up, 12 if you add a dispatcher, 20 if you want reverse-replication, etc.</p> <p>Configuring these replication agents can start to become a bit of a chore, especially if you are using custom replication and transport (receiver) users. You should btw, it's <a href="https://experienceleague.adobe.com/docs/experience-manager-64/administering/security/security-checklist.html?lang=en#configure-replication-and-transport-users" rel="noopener noreferrer">in the security checklist</a>.</p> <p>I've often seen AEM customers configure the replication agents manually as if it's some sort of AEM right-of-passage. But actually, you can add the replication agents into your git repository and then deploy them like anything else.Ā </p> <p>So let's give it a go šŸ˜€</p> <h2> Using a runĀ mode </h2> <p>The first thing is to make sure that your AEM instances are running with run modes that allows us to distinguish by environment. If you don't know what a run mode is, please read <a href="https://experienceleague.adobe.com/docs/experience-manager-65/deploying/configuring/configure-runmodes.html?lang=en" rel="noopener noreferrer">this official documentation</a>.</p> <p>For example:</p> <ul> <li>Your local Author might run with <code>author,local</code> </li> <li>Your DEV Author might run with <code>author,dev</code> </li> </ul> <p>We will attach our replication agents to these environment run modes, so make sure you have them active.</p> <h2> Creating a localĀ agent </h2> <p>Now let's create the agents. </p> <p>Let's start with the local environment. Here we'll create just one agent, which replicates from your local <code>author</code> instance to your local <code>publish</code> instance.</p> <p>The easiest way to go about this is probably to start by copying the <code>/etc/replication/agents.author</code> node to <code>/etc/replication/agents.local</code>, then delete the agents you're not interested in. In this case, we'll remove everything except <code>publish</code>:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9yk0bzzt9612ogq4f4e3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9yk0bzzt9612ogq4f4e3.png" alt="Creating a new agent in CRX DE"></a></p> <p>As you can see in the screenshot, I also renamed the <code>agents.local</code> <code>jcr:title</code>.</p> <p>Now, if you navigate to <code>/etc/replication</code>, you will see a new addition to the list!</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7cf6cteloo0sby5686g1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7cf6cteloo0sby5686g1.png" alt="The new replication agent is deployed"></a></p> <p>This interface is quite handy for configuring the agent, so you can do so now. In my case I'm going to start off basic, using the <code>admin</code> user everywhere (yes, it's naughty, I know, we'll fix it later).Ā </p> <p>Make sure to test your agent (<a href="http://localhost:4502/etc/replication/agents.local/publish.test.html" rel="noopener noreferrer">http://localhost:4502/etc/replication/agents.local/publish.test.html</a>) once you've configured it to guarantee that it all works as expected:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1nbk782o7eyl3j28o401.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1nbk782o7eyl3j28o401.png" alt="Successful replication test"></a></p> <p>If you pull the <code>/etc/replication/agents.local</code> node into your repo, you should have an XML file that represents the replication agent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="cp">&lt;?xml version="1.0" encoding="UTF-8"?&gt;</span> <span class="nt">&lt;jcr:root</span> <span class="na">xmlns:sling=</span><span class="s">"http://sling.apache.org/jcr/sling/1.0"</span> <span class="na">xmlns:cq=</span><span class="s">"http://www.day.com/jcr/cq/1.0"</span> <span class="na">xmlns:jcr=</span><span class="s">"http://www.jcp.org/jcr/1.0"</span> <span class="na">xmlns:nt=</span><span class="s">"http://www.jcp.org/jcr/nt/1.0"</span> <span class="na">xmlns:rep=</span><span class="s">"internal"</span> <span class="na">jcr:mixinTypes=</span><span class="s">"[rep:AccessControllable]"</span> <span class="na">jcr:primaryType=</span><span class="s">"cq:Page"</span><span class="nt">&gt;</span> <span class="nt">&lt;jcr:content</span> <span class="na">cq:template=</span><span class="s">"/libs/cq/replication/templates/agent"</span> <span class="na">jcr:description=</span><span class="s">"Agent that replicates to the default publish instance."</span> <span class="na">jcr:primaryType=</span><span class="s">"nt:unstructured"</span> <span class="na">jcr:title=</span><span class="s">"Publish"</span> <span class="na">sling:resourceType=</span><span class="s">"cq/replication/components/agent"</span> <span class="na">enabled=</span><span class="s">"true"</span> <span class="na">logLevel=</span><span class="s">"info"</span> <span class="na">retryDelay=</span><span class="s">"60000"</span> <span class="na">serializationType=</span><span class="s">"durbo"</span> <span class="na">ssl=</span><span class="s">"default"</span> <span class="na">transportPassword=</span><span class="s">"\{ba9f6a513c4aba03b33bd50d23a2032e6326c84d8a1d72fadfad8ee4301a2e5a}"</span> <span class="na">transportUri=</span><span class="s">"http://localhost:4503/bin/receive?sling:authRequestLogin=1"</span> <span class="na">transportUser=</span><span class="s">"admin"</span> <span class="na">userId=</span><span class="s">"admin"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/jcr:root&gt;</span> </code></pre> </div> <p>Great! šŸ™‚ With this, your fellow developers can deploy the replication agent to their local instances!Ā </p> <blockquote> <h3> Creating a newĀ module </h3> <p>I've opted to create a new module called <code>ui.replication</code> to host the replication agents.</p> <p>I'll let you decide if you want to do the same. If you just want to get to the end of this tutorial to prove a concept, then you can skip this step.</p> <p>I will not explain how this is done as it's simple Maven stuff, but scroll to the end of this article for a Github link if you want to see what it looks like.</p> </blockquote> <h2> Creating agents for other environments </h2> <p>Imagine you now want the same <code>publish</code> replication agent on other environments. For example, you'd like to be able to publish pages from from your DEV Author instance to your DEV Publish instance.Ā </p> <p>Simply copy <code>/etc/replication/agents.local</code> to <code>/etc/replication/agents.dev</code> and replace:</p> <ul> <li>The <code>jcr:title</code> property of <code>/etc/replication/agents.dev/.content.xml</code> </li> <li>The <code>transportUri</code> and <code>transportPassword</code> of <code>/etc/replication/agents.dev/publish/.content.xml</code> </li> </ul> <p>Here is an example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="cp">&lt;?xml version="1.0" encoding="UTF-8"?&gt;</span> <span class="nt">&lt;jcr:root</span> <span class="na">xmlns:sling=</span><span class="s">"http://sling.apache.org/jcr/sling/1.0"</span> <span class="na">xmlns:cq=</span><span class="s">"http://www.day.com/jcr/cq/1.0"</span> <span class="na">xmlns:jcr=</span><span class="s">"http://www.jcp.org/jcr/1.0"</span> <span class="na">xmlns:nt=</span><span class="s">"http://www.jcp.org/jcr/nt/1.0"</span> <span class="na">xmlns:rep=</span><span class="s">"internal"</span> <span class="na">jcr:mixinTypes=</span><span class="s">"[rep:AccessControllable]"</span> <span class="na">jcr:primaryType=</span><span class="s">"cq:Page"</span><span class="nt">&gt;</span> <span class="nt">&lt;jcr:content</span> <span class="na">cq:template=</span><span class="s">"/libs/cq/replication/templates/agent"</span> <span class="na">jcr:description=</span><span class="s">"Agent that replicates to the default publish instance."</span> <span class="na">jcr:primaryType=</span><span class="s">"nt:unstructured"</span> <span class="na">jcr:title=</span><span class="s">"Publish"</span> <span class="na">sling:resourceType=</span><span class="s">"cq/replication/components/agent"</span> <span class="na">enabled=</span><span class="s">"true"</span> <span class="na">logLevel=</span><span class="s">"info"</span> <span class="na">retryDelay=</span><span class="s">"60000"</span> <span class="na">serializationType=</span><span class="s">"durbo"</span> <span class="na">ssl=</span><span class="s">"default"</span> <span class="na">transportPassword=</span><span class="s">"\{8621078f9b44db113fd091bc3e1bbbf39f2775907f227d726f1bd301f2198be9}"</span> <span class="na">transportUri=</span><span class="s">"http://dev.publish:4503/bin/receive?sling:authRequestLogin=1"</span> <span class="na">transportUser=</span><span class="s">"admin"</span> <span class="na">userId=</span><span class="s">"admin"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/jcr:root&gt;</span> </code></pre> </div> <p>Deploy to your local instance again and go to <code>/etc/replication</code>. You should now see the LOCAL and DEV agents:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe9k2b32bx0t7i21bnhzs.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe9k2b32bx0t7i21bnhzs.png" alt="DEV agent deployed"></a></p> <p>This is normal. All agents will be deployed, but only the agents that match your run modes will be active. For example, here is my local Author:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffq7qgnyww2ihbbh3bg34.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffq7qgnyww2ihbbh3bg34.gif" alt="Only local agent active on local environment"></a></p> <p>The principle is the same for UAT, PROD or any environment you like. Just make sure that those instances also have matching run modes.</p> <h2> āš ļø Combining runĀ modes </h2> <p>Of course, we only want our replication agent to be active on the <code>author</code> instance. Therefore we would need to distinguish which agent is active on the <code>author</code> and which is on the <code>publish</code>. This is possible, but a bit tricky.</p> <p>Typically in AEM, you can combine run modes with an AND logical operator. For example for configurations:</p> <ul> <li> <code>/apps/demo/osgiconfig/config.author</code> applies to all <code>author</code> instances</li> <li> <code>/apps/demo/osgiconfig/config.dev</code> applies to all <code>dev</code> instances</li> <li> <code>/apps/demo/osgiconfig/config.author.dev</code> applies to an instance if it has <strong>both</strong> the <code>author</code> and the <code>dev</code> run mode</li> </ul> <p>However, replication agents combine run modes with an OR logical operator (don't ask me why). For example:</p> <ul> <li> <code>/etc/replication/agents.author</code> applies to all <code>author</code> instances</li> <li> <code>/etc/replication/agents.dev</code> applies to all <code>dev</code> instances</li> <li> <code>/etc/replication/agents.author.dev</code> applies to an instance if it has <strong>either</strong> the <code>author</code> or the <code>dev</code> run mode</li> </ul> <p>Unfortunately, this leaves you with these two options:</p> <ol> <li>If you only want replication agents on <code>author</code>, then deploy the replication agents only to <code>author</code>. This is the approach I use for this tutorial, by not including the <code>ui.replication</code> module in the <code>all</code> package (see Github link at the bottom of the article).</li> <li>If you want some agents on <code>author</code> and other on <code>publish</code>, then you must create a separate run modes, (eg: <code>author-dev</code>, <code>publish-dev</code>) and use those in your replication agents (eg: <code>/etc/replication/agents.author-dev</code>).</li> </ol> <h2> Using replication users </h2> <p>At this point you should have working, environment-specific replication agents.Ā </p> <p>The problem now is that we are using full <code>admin</code> privileges for replication, which can lead to security vulnerabilities. As mentioned before, Adobe considers this important enough to publish in the <a href="https://experienceleague.adobe.com/docs/experience-manager-64/administering/security/security-checklist.html?lang=en#configure-replication-and-transport-users" rel="noopener noreferrer">security checklist</a>.</p> <p>To paraphrase Adobe's explanation, there are two users that work to replication content:</p> <ol> <li>The replication user, which reads content from the source instance (eg: <code>author</code>).Ā </li> <li>The transport user that writes content to the target instance (eg: <code>publish</code>)</li> </ol> <p>Both users should have permissions only on the content that is eligible for replication.</p> <p>I'll let you decide what those permissions will be for your application. But for the purpose of this article, let's imagine you have two users:</p> <ul> <li> <code>replication-user</code> on the <code>author</code> instance</li> <li> <code>transport-user</code> on the <code>publish</code> instance</li> </ul> <h2> Password encryption </h2> <p>The <code>replication-user</code> is the easiest to use. You can do so by setting the following property in your replication agent XML file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>userId="replication-user" </code></pre> </div> <p>For the <code>transport-user</code>, its a bit more complicated. Since the <code>author</code> instance will have to authenticate on the <code>publish</code> instance, we need to provide the password in the XML file.Ā </p> <p>In order to avoid exposing the password when it is pushed to your code repository, it must first be encrypted.Ā </p> <p>To do this, go to <code>/system/console/crypto</code> on your <code>author</code> instance and encrypt the password for <code>transport-user</code>, or use the following curl command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-u</span> admin:admin <span class="nt">-F</span><span class="s2">"datum=password-goes-here"</span> http://localhost:4502/system/console/crypto/.json </code></pre> </div> <p>Take resulting encrypted value (curly braces included) and set the <code>transportPassword</code> property, like so:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>transportPassword="{String}{537dc0a2c2de05f46fa9d65fb884c5b243fb2948e2f4b0ab4826c0912dc2154e}" </code></pre> </div> <p>The <code>{String}</code> prefix tells AEM to consider the decrypted value as a string.</p> <p>The end result looks like this:</p> <p><code>/etc/replication/agents.local</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="cp">&lt;?xml version="1.0" encoding="UTF-8"?&gt;</span> <span class="nt">&lt;jcr:root</span> <span class="na">xmlns:sling=</span><span class="s">"http://sling.apache.org/jcr/sling/1.0"</span> <span class="na">xmlns:cq=</span><span class="s">"http://www.day.com/jcr/cq/1.0"</span> <span class="na">xmlns:jcr=</span><span class="s">"http://www.jcp.org/jcr/1.0"</span> <span class="na">xmlns:nt=</span><span class="s">"http://www.jcp.org/jcr/nt/1.0"</span> <span class="na">xmlns:rep=</span><span class="s">"internal"</span> <span class="na">jcr:mixinTypes=</span><span class="s">"[rep:AccessControllable]"</span> <span class="na">jcr:primaryType=</span><span class="s">"cq:Page"</span><span class="nt">&gt;</span> <span class="nt">&lt;jcr:content</span> <span class="na">cq:template=</span><span class="s">"/libs/cq/replication/templates/agent"</span> <span class="na">jcr:description=</span><span class="s">"Agent that replicates to the default publish instance."</span> <span class="na">jcr:primaryType=</span><span class="s">"nt:unstructured"</span> <span class="na">jcr:title=</span><span class="s">"Publish"</span> <span class="na">sling:resourceType=</span><span class="s">"cq/replication/components/agent"</span> <span class="na">enabled=</span><span class="s">"true"</span> <span class="na">logLevel=</span><span class="s">"info"</span> <span class="na">retryDelay=</span><span class="s">"60000"</span> <span class="na">serializationType=</span><span class="s">"durbo"</span> <span class="na">ssl=</span><span class="s">"default"</span> <span class="na">transportPassword=</span><span class="s">"{String}{537dc0a2c2de05f46fa9d65fb884c5b243fb2948e2f4b0ab4826c0912dc2154e}"</span> <span class="na">transportUri=</span><span class="s">"http://localhost:4503/bin/receive?sling:authRequestLogin=1"</span> <span class="na">transportUser=</span><span class="s">"transport-user"</span> <span class="na">userId=</span><span class="s">"replication-user"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/jcr:root&gt;</span> </code></pre> </div> <p><code>/etc/replication/agents.dev</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="cp">&lt;?xml version="1.0" encoding="UTF-8"?&gt;</span> <span class="nt">&lt;jcr:root</span> <span class="na">xmlns:sling=</span><span class="s">"http://sling.apache.org/jcr/sling/1.0"</span> <span class="na">xmlns:cq=</span><span class="s">"http://www.day.com/jcr/cq/1.0"</span> <span class="na">xmlns:jcr=</span><span class="s">"http://www.jcp.org/jcr/1.0"</span> <span class="na">xmlns:nt=</span><span class="s">"http://www.jcp.org/jcr/nt/1.0"</span> <span class="na">xmlns:rep=</span><span class="s">"internal"</span> <span class="na">jcr:mixinTypes=</span><span class="s">"[rep:AccessControllable]"</span> <span class="na">jcr:primaryType=</span><span class="s">"cq:Page"</span><span class="nt">&gt;</span> <span class="nt">&lt;jcr:content</span> <span class="na">cq:template=</span><span class="s">"/libs/cq/replication/templates/agent"</span> <span class="na">jcr:description=</span><span class="s">"Agent that replicates to the default publish instance."</span> <span class="na">jcr:primaryType=</span><span class="s">"nt:unstructured"</span> <span class="na">jcr:title=</span><span class="s">"Publish"</span> <span class="na">sling:resourceType=</span><span class="s">"cq/replication/components/agent"</span> <span class="na">enabled=</span><span class="s">"true"</span> <span class="na">logLevel=</span><span class="s">"info"</span> <span class="na">retryDelay=</span><span class="s">"60000"</span> <span class="na">serializationType=</span><span class="s">"durbo"</span> <span class="na">ssl=</span><span class="s">"default"</span> <span class="na">transportPassword=</span><span class="s">"{String}{9ceef3f083eb276082f17a81dcaf9b241ec79767df44ebf8d32a3d894c333652}"</span> <span class="na">transportUri=</span><span class="s">"http://dev.publish:4503/bin/receive?sling:authRequestLogin=1"</span> <span class="na">transportUser=</span><span class="s">"transport-user"</span> <span class="na">userId=</span><span class="s">"replication-user"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/jcr:root&gt;</span> </code></pre> </div> <h2> Conclusion </h2> <p>Congratulations, you can now deploy your replication agents as code! šŸ˜€</p> <p>The source code for this tutorial is <a href="https://github.com/theopendle/aem-demo/compare/tutorial/replication-agents" rel="noopener noreferrer">on Github</a>.</p> <p>I've created a diff so you can see just the changes to make this feature work <a href="https://github.com/theopendle/aem-demo/compare/ff945f4dd7012fc904b48e89d08a693aca34744c...fd623eff08c9ae5b7a5e33dfac241562d3984d12" rel="noopener noreferrer">here</a>.</p> <p>Donā€™t hesitate to contact me on <a href="https://www.linkedin.com/in/theo-pendle-1630a52a" rel="noopener noreferrer">LinkedIn</a> if you have any questions/ideas!</p> aem devops adobe