Monday, August 15, 2016

URL shortening and resource resolution involving regex 


A common use case in AEM based content management, is to map a page to a shortened public URL, and correspondingly resolve a shortened URL to the resource.

While there exists multiple ways to achieve the same, this post discusses one particular option, with the possibility of using regular expressions.

Sample content structure


 /content
    |- sas-bp (blueprint)
        |- en
            |- ....
/content
    |- sas-se 
        |- en
            |- ....
/content
    |- sas-dk 
        |- en
            |- ....


Let's say country specific live copies are named as sas-xx as per editorial governance, where xx is the country code.

OSGI Configuration


In AEM 6.1, you can leverage the OSGI configuration for Apache Sling Resource Resolver Factory, in the publish environment.

But it needs two entries if the rule involves regex.



Entry 1 : /content/sas-$1/en$2>/([^/]+)/en(.*)

Entry 2: /content/sas-([^/]+)/en(.*)</$1/en$2

Result


As shown below, the shortened URL resolves to the corresponding page at /content/sas-se/en.html.
And links to internal pages (in this case the page itself) gets mapped to the corresponding shortened URL.



Posted by at No comments:
Labels: , , ,

Sunday, August 14, 2016

Custom and LDAP authentication in AEM 6.1 with Keep-me-logged-in feature

Sharing a solution approach on the following use case:


Enable authentication for a fully protected AEM site that needs user authentication from 2 different sources – AD for the company’s internal users and an external user base fronted by a web service for the external users (who would need to register prior to logging in). Additionally, the login screen would have a keep-me-logged-in feature.

Reference: http://www.wemblog.com/2013/03/how-to-create-custom-authentication.html

The following parts combine to form the solution. 

  • The usual out of the box facility to configure LDAP authentication
  • A pluggable Login module and Authentication handler that works on specific request method (POST) and user type (external users). 
    • The handler's extractCredentials method is used to do the authentication
    • Its authenticationSucceeded method is used to transform the AEM generated login-token from session to persistent cookie based on keep-me-logged-in. Then, the user is redirected to the resource (page) he/she original requested for.
  • A content structure with appropriate CUG configurations
  • A login page that submits the relevant parameters


Login page


At its basic form, it could look as shown below. 



Its rendering code is inspired from the author instance login screen, with additional input fields needed for the use case – the radio buttons for type of user, the checkbox for keep- me-logged-in feature. One can put the entire presentation logic in a login page component or put it in a login component which is hardwired into the login page component.


a) /apps/myapp/components/pages/login-page/login-page.html


<html>

  <body>

    <div data-sly-resource="${@path='login', resourceType='myapp/components/user/login'}" data-sly-unwrap></div>

  </body>

</html>


b) /apps/myapp/components/user/login/login.jsp 


<%@page session="false"

  contentType="text/html"

  pageEncoding="utf-8"

  import="com.adobe.granite.xss.XSSAPI,

      org.apache.sling.auth.core.AuthUtil"%>

<%@taglib prefix="sling" uri="http://sling.apache.org/taglibs/sling/1.0"%>

<%@ taglib prefix="ui" uri="http://www.adobe.com/taglibs/granite/ui/1.0" %>

<sling:defineObjects />

<%

final XSSAPI xssAPI = sling.getService(XSSAPI.class).getRequestSpecificAPI(slingRequest);

final String contextPath = slingRequest.getContextPath();

String redirect = request.getParameter("resource");

if (redirect == null || !AuthUtil.isRedirectValid(request, redirect)) {

  redirect = "/";

}

if (!redirect.startsWith(contextPath)) {

  redirect = contextPath + redirect;

}

String urlLogin = request.getContextPath() + resource.getPath() + ".html/j_security_check";

%>

<form method="post" action="<%= xssAPI.getValidHref(urlLogin) %>" novalidate="novalidate">

<label for="j_username">Username</label> <input type="text" name="j_username"><br>

<label for="j_password">Password</label> <input type="password" name="j_password"><br>

<input type="radio" name="userType" value="AD" checked> AD

<input type="radio" name="userType" value="CODS"> CODS <br>

<input type="checkbox" name="keepMeLoggedIn" value="true" checked> Keep me logged in<br>

<input type="hidden" name="resource" id="resource" value="<%= xssAPI.encodeForHTMLAttr(redirect) %>"/>

<button type="submit">Login</button>

</form>


Sample content structure


/content

  |- mysite-bp* (blueprint)

    |- en

      |- some-page

  |- mysite-country (live copy)

    |- en

      |- some-page

  |- signin


* The following CUG related configuration is done at site root. It can be done at the blueprint level and live copies will inherit them automatically.

  • CUG enabled for groups "contributor,administrators"
  • cugLoginPage property set to /content/signin – a page created with the login page template discussed in the previous point



Login Module and Authentication handler


a) Login Module


import java.security.Principal;
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;

import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.security.auth.callback.CallbackHandler;

import org.apache.sling.jcr.jackrabbit.server.security.AuthenticationPlugin;
import org.apache.sling.jcr.jackrabbit.server.security.LoginModulePlugin;
import org.osgi.framework.BundleContext;
import org.osgi.framework.Constants;
import org.osgi.framework.ServiceRegistration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SASLoginModule implements LoginModulePlugin{

private static final Logger LOGGER = LoggerFactory.getLogger(SASLoginModule.class);

private final SASAuthnHandler authHandler;

static ServiceRegistration register(
final SASAuthnHandler authHandler,
final BundleContext bundleContext) {
LOGGER.debug("SASLoginModule : register : start");
SASLoginModule plugin = new SASLoginModule(
authHandler);

Hashtable<String, Object> properties = new Hashtable<String, Object>();
properties.put(Constants.SERVICE_DESCRIPTION,
"SAS LoginModule plugin ");
properties.put(Constants.SERVICE_VENDOR, "TCS");

LOGGER.debug("SASLoginModule : register : before registering");
return bundleContext.registerService(LoginModulePlugin.class.getName(),
plugin, properties);
}

private SASLoginModule(
final SASAuthnHandler authHandler) {
LOGGER.debug("SASLoginModule : SASLoginModule : constructor");
this.authHandler = authHandler;
}

@SuppressWarnings("unchecked")
public void doInit(final CallbackHandler callbackHandler,
final Session session, final Map options) {
return;
}

public boolean canHandle(Credentials credentials) {
LOGGER.debug("SASLoginModule : canHandle : start");
return authHandler.canHandle(credentials);
}

public AuthenticationPlugin getAuthentication(final Principal principal,
final Credentials creds) {
LOGGER.debug("SASLoginModule : getAuthentication : start");
return new AuthenticationPlugin() {
public boolean authenticate(Credentials credentials)
throws RepositoryException {
return authHandler.authenticate(credentials);
}

};

}

public Principal getPrincipal(final Credentials credentials) {
LOGGER.debug("SASLoginModule : getPrincipal : start");
return null;
}

@SuppressWarnings("unchecked")
public void addPrincipals(final Set principals) {
LOGGER.debug("SASLoginModule : addPrincipals : start");
}

public int impersonate(final Principal principal,
final Credentials credentials) {
LOGGER.debug("SASLoginModule : impersonate : start");
return LoginModulePlugin.IMPERSONATION_DEFAULT;
}

}


b) Authentication Handler that will authenticate against external user base


import java.io.IOException;

import java.util.Dictionary;

import java.util.UUID;


import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;

import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.settings.SlingSettingsService;
import org.osgi.framework.ServiceRegistration;
import org.osgi.framework.Constants;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.day.crx.security.token.TokenCookie;
import com.day.crx.security.token.TokenUtil;

@Component(metatype = true, immediate = true, label = "SAS Authentication Handler", description = "Custom Authentication handler for SAS")
@Service
@Properties({
 @Property(name = AuthenticationHandler.PATH_PROPERTY, value = {
  "/content"
 }),
 @Property(name = Constants.SERVICE_RANKING, intValue = 10000),
 @Property(name = Constants.SERVICE_DESCRIPTION, value = "SAS Authentication Handler")
})
public class SASAuthnHandler extends DefaultAuthenticationFeedbackHandler
implements AuthenticationHandler {

 private static final Logger LOGGER = LoggerFactory.getLogger(SASAuthnHandler.class);

 private static final String REPO_DESC_ID = "crx.repository.systemid";
 private static final String REPO_DESC_CLUSTER_ID = "crx.cluster.id";

 // Standard params expected to support OotB login mechanism
 private static final String REQUEST_METHOD = "POST";
 private static final String USERNAME = "j_username";
 private static final String PASSWORD = "j_password";
 private static final String REQUEST_URL_SUFFIX = "/j_security_check";

 // Custom params expected to support extra features
 private static final String KEEP_ME_LOGGED_IN = "keepMeLoggedIn";
 private static final String USERTYPE = "userType";

 private ServiceRegistration loginModule;
 private String repositoryId;

 @Reference
 private SlingRepository slingRepository;

 @Reference
 private SlingSettingsService slingSettings;

 @Reference
 private CODSService codsService;

 @Activate
 protected void activate(ComponentContext componentContext) {
  LOGGER.debug("SASAuthnHandler : activate");

  this.repositoryId = slingRepository.getDescriptor(REPO_DESC_CLUSTER_ID);
  if (this.repositoryId == null || this.repositoryId.equalsIgnoreCase("")) {
   this.repositoryId = slingRepository.getDescriptor(REPO_DESC_ID);
  }
  if (this.repositoryId == null || this.repositoryId.equalsIgnoreCase("")) {
   this.repositoryId = slingSettings.getSlingId();
  }
  if (this.repositoryId == null || this.repositoryId.equalsIgnoreCase("")) {
   this.repositoryId = UUID.randomUUID().toString();
   LOGGER.warn("SASAuthnHandler : activate : Unable to get Repository ID; falling back to a random UUID.");
  }

  configure(componentContext.getProperties());

  this.loginModule = null;
  try {
   this.loginModule = SASLoginModule.register(this,
    componentContext.getBundleContext());
   LOGGER.debug("SASAuthnHandler : activate : Registered SAS Login Module");
  } catch (Throwable t) {
   LOGGER.error("SASAuthnHandler : activate : Error in activation", t);
  }

 }

 @Deactivate
 protected void deactivate(
  @SuppressWarnings("unused") ComponentContext componentContext) {
  LOGGER.debug("SASAuthnHandler : deactivate");
  if (loginModule != null) {
   loginModule.unregister();
   LOGGER.debug("SASAuthnHandler : deactivate : Unregistered SAS Login Module");
   loginModule = null;
  }
 }

 protected void configure(Dictionary < ? , ? > properties) {
 }


 public void dropCredentials(HttpServletRequest request,
  HttpServletResponse response) {
  LOGGER.debug("SASAuthnHandler : dropCredentials : start");

  // Remove the CRX Login Token cookie from the request
  TokenCookie.update(request, response, this.repositoryId, null, null, true);
 }

 public AuthenticationInfo extractCredentials(HttpServletRequest request,
  HttpServletResponse response) {

  LOGGER.debug("SASAuthnHandler : extractCredentials : start : " + request.getRequestURI());

  final String usertype = request.getParameter(USERTYPE);

  // Check if the request should be acted on
  if (!REQUEST_METHOD.equals(request.getMethod()) || !request.getRequestURI().endsWith(REQUEST_URL_SUFFIX) || usertype == null) {
   LOGGER.debug("SASAuthnHandler : extractCredentials : request ignored");
   return null;
  }

  final String username = request.getParameter(USERNAME);
  final String password = request.getParameter(PASSWORD);

  // Check for mandatory params, although these should be validated in front-end
  if (username == null || username.length() == 0 || password == null || password.length() == 0) {
   LOGGER.debug("SASAuthnHandler : extractCredentials : mandatory params missing, returning fail auth");
   return AuthenticationInfo.FAIL_AUTH;
  }

  if (!usertype.equalsIgnoreCase("CODS")) {
   LOGGER.debug("SASAuthnHandler : extractCredentials : usertype not CODS");
   return null;
  }

  LOGGER.info("SASAuthnHandler : extractCredentials : proceeding with authentication of [{}]", username);

  // Authenticate against CODS through a service facade
  boolean authenticated = false;
  try {
   authenticated = codsService.authenticate(username, password);
  } catch (CODSServiceException e) {
   LOGGER.error("SASAuthnHandler : extractCredentials : error authenticating against CODS : ", e);
  }


  if (authenticated) {
   LOGGER.info("SASAuthnHandler : extractCredentials : user [{}] authenticated externally", username);

   try {
    LOGGER.debug("SASAuthnHandler : extractCredentials : create token and return");
    AuthenticationInfo authnInfo = TokenUtil.createCredentials(request, response, slingRepository, username, true);
    return authnInfo;
   } catch (RepositoryException e) {
    LOGGER.error("SASAuthnHandler : extractCredentials : Repository error authenticating user: {} ~> {}", username, e);
   } finally {

   }
  }

  LOGGER.debug("SASAuthnHandler : extractCredentials : CODS user not authenticated, returning fail auth");
  return AuthenticationInfo.FAIL_AUTH;
 }



 public boolean requestCredentials(HttpServletRequest arg0,
  HttpServletResponse arg1) {
  LOGGER.debug("SASAuthnHandler : requestCredentials : start");
  return false;
 }


 public boolean canHandle(Credentials credentials) {
  LOGGER.debug("SASAuthnHandler : canHandle : start");
  return true;
 }

 public boolean authenticate(Credentials credentials) {
  LOGGER.debug("SASAuthnHandler : authenticate : start");
  return true;
 }




 @Override
 public boolean authenticationSucceeded(HttpServletRequest request, HttpServletResponse response, AuthenticationInfo authInfo) {

  LOGGER.debug("SASAuthnHandler : authenticationSucceeded : start");

  // Change the persistence mechanism
  if (request.getParameter(KEEP_ME_LOGGED_IN) != null && request.getParameter(KEEP_ME_LOGGED_IN).equalsIgnoreCase("true")) {
   LOGGER.info("SASAuthnHandler : authenticationSucceeded : keep the user logged-in");

   TokenCookie tokenCookie = TokenCookie.fromRequest(request);
   if (tokenCookie != null) {
    LOGGER.info("SASAuthnHandler : authenticationSucceeded : token : " + tokenCookie.toString());
    TokenCookie.setCookie(response, "login-token", tokenCookie.toString(), 63072000, "/", request.getServerName(), true, false);
   }

  }

  // Redirect to resource
  String resource = request.getParameter("resource");
  LOGGER.info("SASAuthnHandler : authenticationSucceeded : resource = " + resource);
  try {
   response.sendRedirect(resource);
  } catch (IOException e) {
   LOGGER.error("SASAuthnHandler : authenticationSucceeded : send redirect", e);
  }
  return true;
 }


}






LDAP Configuration

1) Apache Jackrabbit Oak LDAP Identity Provider





provider.name: Provide a suitable name

For the following, seek help from your AD admin:-
  • host.name
  • host.port
  • bind.dn: A service/system user account that will be used to connect to AD
  • bind.password: 
  • user.baseDN: The hierarchy under which the users exist in AD
  • user.idAttribute: The attribute that provides the unique userid for each user account

2) Apache Jackrabbit Oak Default Sync Handler



  • handler.name: Provide a suitable name
  • user.autoMembership: Provide a group to which the root page(s) in the protected site has been granted access to using the CUG option. This group needs to be available in the AEM server, although it is not necessary to assign any permission to it for the CUG mechanism to work 
  • user.propertyMapping: as-per-requirement
  • user.pathPrefix: Provide a path under /home/users under which these set of users will be created upon synch

3) Apache Jackrabbit Oak External Login Module





Use the identity provider and the synch handler names which were used in the previous 2 steps. It’s best to let the JAAS ranking remain at its default value.


4) (OPTIONAL step) Add logging for LDAP:


http://publish-host:port/system/console/slinglog

Click on Add new logger, and add a logger with the following detail
  • Log Level: DEBUG
  • Log file: logs\error.log
  • Logger:
    • org.apache.jackrabbit.oak.spi.security.authentication.external
    • org.apache.jackrabbit.oak.security.authentication.ldap

Posted by at 1 comment:
Labels: , , ,
Subscribe to: Posts (Atom)