Ask the Experts – Building Login-Based Sites in AEM


Ask the Experts – Building Login-Based Sites in AEM Justin Edelson | AEM Evangelist

Agenda
- Overview of AEM (Sling) Security Architecture
- Adding Login
- Adding Security
- Adding Personalization

The Players
Authentication in AEM is a collaboration between three players:
- Sling Authentication interacts with the user's HTTP request
- LoginModules validate credentials
- Repository Access Control determines if an action is allowed
Developing AEM applications requires understanding all of these.

Sling Authentication
Every request*…
* With some exceptions

Sling Authentication – AuthenticationHandler
- Each AuthenticationHandler can be assigned a path prefix. In practice, most of the time, the path is /
- AuthenticationHandlers are ordered based on service ranking:
  - For extractCredentials(): the first non-null result wins
  - For requestCredentials(): the first true response wins
  - For dropCredentials(): all handlers are called
- There is also an optional AuthenticationFeedbackHandler interface which an AuthenticationHandler can implement to… get feedback.

OOTB AuthenticationHandlers
- HttpBasicAuthenticationHandler: handles HTTP Basic Authentication
- CQ LoginSelectorHandler: handles path-specific login page redirects
- CRX TokenAuthenticationHandler: handles form-based login and token cookies
- Granite OAuth Bearer AuthenticationHandler: Facebook and Twitter supported OOTB; others possible
- SAML Authentication Handler: supports SAML 2.0
- SSO Authentication Handler: generic SSO support (cookies, headers, parameters)

Is Anonymous Access Allowed?
- By default: Author – no; Publish – yes
- Exceptions are defined in two ways:
  - Configuration of the SlingAuthenticator OSGi component. Don't reconfigure this. Just be aware.
  - Every OSGi service can have a sling.auth.requirements property. For example, to allow anonymous access to /mypath:
    @Property(name="sling.auth.requirements", value="-/mypath")
- See /system/console/slingauth for the current aggregated configuration

LoginModule
- A LoginModule is responsible for validating credentials. It is defined by the JAAS specification.
- Multiple LoginModules can be configured. By default, AEM uses a single LoginModule, which authenticates against the repository.
- For CRX2: Jackrabbit provides a base AbstractLoginModule specifically for working with Jackrabbit/CRX. Read: http://bit.ly/18blUI2
- For Oak: generally, you'll use the new ExternalLoginModule by implementing an External Identity Provider.
- Note: Sling includes something called a LoginModulePlugin. Don't use this. It was a bad idea and doesn't work.

Token Authentication
- As part of login, CRX's default LoginModule creates tokens in the repository, which enables cookie-based login on subsequent requests.
- These tokens are stored in the repository, e.g. /home/users/a/admin/.tokens
- This is NOT the same as "Remember Me". Tokens expire: cookies are session-bound, and tokens in the repository have an expiration date and are purged.
- Tokens present challenges with clustering:
  - Login request -> master, writes token to repository
  - Request #2 (with login-token cookie) -> slave, tries to read token
  - Fails if the slave hasn't synced yet

JCR Access Control
- ACLs are an integral part of the repository. JCR specifies not only the enforcement but also APIs to modify ACLs.
- Privileges include read, modify, create, remove, readAccessControl, writeAccessControl, and more. Custom privileges are also possible. Example: AEM Replication.
- ACL inheritance by path
- For all JCR API calls the ACLs are considered when returning the results:
  - A JCR session is created for a specific user
  - Only readable nodes are returned in node.getNodes()
  - A search result only contains nodes visible to that user
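The two halves of that slide, the API to modify ACLs and the filtering of read results, can be seen together in a short Jackrabbit/Oak snippet. This is an added example, not code from the deck or from the AEM product: it uses the standard JCR `AccessControlManager` and the Jackrabbit `AccessControlUtils` helper; the group name `partners`, the paths under `/content/partners` and the user id passed to `show()` are constructed for illustration.

```java
// Added example (not from the deck): grant a group read access under one path,
// deny it on a sub-tree, then verify the effect through an impersonated session.
// Group name, paths and user id are constructed for illustration.
import java.security.Principal;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

public final class PartnerAclSetup {

    // Run with an administrative session: writing ACLs needs jcr:modifyAccessControl.
    public static void apply(Session adminSession) throws RepositoryException {
        UserManager um = ((JackrabbitSession) adminSession).getUserManager();
        Authorizable partners = um.getAuthorizable("partners");   // constructed group
        if (partners == null) {
            partners = um.createGroup("partners");
        }
        Principal p = partners.getPrincipal();

        // Allow read on the whole partner area ...
        AccessControlUtils.addAccessControlEntry(adminSession, "/content/partners",
                p, new String[] { Privilege.JCR_READ }, true);
        // ... but deny it on an internal sub-tree. ACLs are inherited along the
        // path, so the entry on the deeper node decides for that sub-tree.
        AccessControlUtils.addAccessControlEntry(adminSession, "/content/partners/internal",
                p, new String[] { Privilege.JCR_READ }, false);
        adminSession.save();
    }

    // What a member of the group actually sees. getNodes() silently omits children
    // the session may not read, which is why "missing" content is often an ACL issue.
    public static void show(Session adminSession, String userId) throws RepositoryException {
        Session userSession = adminSession.impersonate(new SimpleCredentials(userId, new char[0]));
        try {
            AccessControlManager acm = userSession.getAccessControlManager();
            Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
            System.out.println("read /content/partners: " + acm.hasPrivileges("/content/partners", read));
            // The denied sub-tree does not exist from this session's point of view.
            System.out.println("sees /content/partners/internal: "
                    + userSession.nodeExists("/content/partners/internal"));
            NodeIterator it = userSession.getNode("/content/partners").getNodes();
            while (it.hasNext()) {
                System.out.println("visible child: " + it.nextNode().getPath());
            }
        } finally {
            userSession.logout();
        }
    }
}
```

The check in `show()` is the practical point of the slide: you do not get an access-denied error when listing children you may not read, you simply do not get the child, so verify permissions with an impersonated session for the user in question rather than with an admin session.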

Do I Need To Write an AuthenticationHandler?
If…
- You need to support some custom type of credentials
- You need SSO and you don't support SAML 2.0
- You need SSO and your SSO system can't work with the SSO Authentication Handler. This can happen when the header is encrypted in some way. Think about using a Filter instead of reimplementing the SSO Authentication Handler.
- You need to support "Remember Me"
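For the first case on that list (a custom type of credentials) the AuthenticationHandler contract described earlier, extractCredentials / requestCredentials / dropCredentials plus the optional AuthenticationFeedbackHandler, looks like the following. This is an added example, not code from the deck or from AEM: the header name `X-Partner-Auth`, the `PartnerHeader` auth type, the package and the `partner.secret` OSGi property are hypothetical, and the handler uses the Felix SCR annotations of the AEM 6.0 era. It accepts a signed header that carries an expiry so a captured header cannot be replayed indefinitely, and it returns null when the header is absent so the OOTB handlers still get their turn.

```java
// Added example (not from the deck): a custom Sling AuthenticationHandler that
// accepts a signed, expiring header. Header name, auth type, package and the
// OSGi property name are hypothetical.
package com.example.auth;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.codec.binary.Base64;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.auth.core.spi.AuthenticationFeedbackHandler;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component(metatype = true)
@Service
@Property(name = AuthenticationHandler.PATH_PROPERTY, value = "/content/partners") // path prefix
public class SignedHeaderAuthenticationHandler
        implements AuthenticationHandler, AuthenticationFeedbackHandler {

    private static final Logger LOG = LoggerFactory.getLogger(SignedHeaderAuthenticationHandler.class);
    private static final String HEADER = "X-Partner-Auth";   // hypothetical
    private static final String AUTH_TYPE = "PartnerHeader"; // hypothetical

    @Property(label = "Shared secret", passwordValue = "")   // password field in the Web Console
    private static final String PROP_SECRET = "partner.secret";

    private byte[] secret = new byte[0];

    @Activate
    protected void activate(Map<String, Object> props) {
        secret = PropertiesUtil.toString(props.get(PROP_SECRET), "").getBytes(StandardCharsets.UTF_8);
    }

    // Header format (hypothetical): "<userId>:<expiryEpochSeconds>:<base64 HMAC-SHA256 of userId:expiry>".
    // null = nothing for us, let the next handler by ranking try; FAIL_AUTH = reject outright.
    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest request, HttpServletResponse response) {
        String header = request.getHeader(HEADER);
        if (header == null || secret.length == 0) {
            return null;
        }
        String[] parts = header.split(":", 3);
        if (parts.length != 3) {
            return AuthenticationInfo.FAIL_AUTH;
        }
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return AuthenticationInfo.FAIL_AUTH;
        }
        if (expiry * 1000L < System.currentTimeMillis()) {
            return AuthenticationInfo.FAIL_AUTH;   // expired: bounds replay of a captured header
        }
        byte[] expected = hmac(parts[0] + ":" + parts[1]);
        byte[] presented = Base64.decodeBase64(parts[2]);
        if (!MessageDigest.isEqual(expected, presented)) {   // constant-time comparison
            return AuthenticationInfo.FAIL_AUTH;
        }
        // No password here: the repository's LoginModule chain (the second "player")
        // must be configured to accept AUTH_TYPE credentials for this user.
        return new AuthenticationInfo(AUTH_TYPE, parts[0]);
    }

    // We never prompt; returning false lets the login selector / form handler ask instead.
    @Override
    public boolean requestCredentials(HttpServletRequest request, HttpServletResponse response) throws IOException {
        return false;
    }

    // Nothing to clear: the credential is a per-request header, not a cookie.
    @Override
    public void dropCredentials(HttpServletRequest request, HttpServletResponse response) throws IOException {
    }

    @Override
    public void authenticationFailed(HttpServletRequest request, HttpServletResponse response, AuthenticationInfo info) {
        LOG.warn("Partner header login failed for user {} from {}", info.getUser(), request.getRemoteAddr());
    }

    @Override
    public boolean authenticationSucceeded(HttpServletRequest request, HttpServletResponse response, AuthenticationInfo info) {
        LOG.info("Partner header login succeeded for user {}", info.getUser());
        return false;   // false = let Sling continue normal request processing
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Two things from the slides to keep in mind when wiring this in: the handler is only consulted for requests under its PATH_PROPERTY prefix, and a successful extractCredentials() is not a login by itself; the repository still has to accept the AuthenticationInfo, which is why the deck treats the AuthenticationHandler and the LoginModule as separate decisions.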

Do I Need To Write a LoginModule (or External Identity Provider)?
If…
- You need to integrate with an external identity provider at the credentials level. For example: LDAP (except this is supported out of the box)
- You need custom authentication for CRXDE Lite, CRX Explorer, or the OSGi Console. These systems generally do not support Sling AuthenticationHandlers.
- You need custom authentication for WebDAV or Adobe Drive. These only support basic authentication.
- You need custom authentication for another JCR client application. This will probably never be the case.

“Live” Coding

Live Coding
- Based on AEM 6.0 SP2; tested on 5.6.1
- Written in JSP
- Users exist already
- Users are local
- Using form-based login

Form Based Login
Logging in via a form requires two parameters:
- j_username – username
- j_password – password
POST to <anything>/j_security_check
And two optional parameters:
- resource – the path to redirect to on a successful login
- j_validate – used for Ajax logins
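A login page that posts exactly those parameters, as an added JSP example that is not the deck's own live-coding code: the site path `/content/mysite` and the fallback page `/content/mysite/en.html` are constructed, and the page assumes AEM's `/libs/foundation/global.jsp`, which declares the `xssAPI` object used for encoding. The `resource` value is taken from the incoming request so a user lands where they were heading, but it is only accepted when it is an absolute repository path, which keeps the parameter from being turned into an open redirect.

```jsp
<%-- Added example (not the deck's own code): minimal AEM form login.
     Site paths are constructed; global.jsp is assumed for xssAPI. --%>
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ include file="/libs/foundation/global.jsp" %>
<%
    // Only honour on-site targets: an absolute repository path, not a URL or "//host".
    String target = request.getParameter("resource");
    if (target == null || !target.startsWith("/") || target.startsWith("//")) {
        target = "/content/mysite/en.html";
    }
%>
<form method="POST" action="<%= request.getContextPath() %>/content/mysite/j_security_check">
  <input type="hidden" name="resource" value="<%= xssAPI.encodeForHTMLAttr(target) %>"/>
  <label>Username <input type="text" name="j_username" autocomplete="username"/></label>
  <label>Password <input type="password" name="j_password" autocomplete="current-password"/></label>
  <button type="submit">Log in</button>
</form>
```

For an Ajax login the same two required parameters are sent with `j_validate=true` added, and the script inspects the response status instead of following the redirect that the `resource` parameter drives in the browser flow.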

Let’s Do This!

Resources
- Code: http://bit.ly/aem-ate-login-code
- Permission Sensitive Caching Docs: http://adobe.ly/1vSCs3v
- Sling Authentication Docs: http://bit.ly/1zl0e3Z
- Oak External Login Module Docs: http://bit.ly/1FnkNUw