Published by Jennifer Oliver. Modified over 6 years ago.
1
Ask the Experts – Building Login-Based Sites in AEM
Justin Edelson | AEM Evangelist
2
Agenda
- Overview of AEM (Sling) Security Architecture
- Adding Login
- Adding Security
- Adding Personalization
3
The Players
Authentication in AEM is a collaboration between three players:
- Sling Authentication interacts with the user’s HTTP request
- LoginModules validate credentials
- Repository Access Control determines if an action is allowed
Developing AEM applications requires understanding all of these.
4
Sling Authentication
Every request*…
* With some exceptions
5
Sling Authentication – AuthenticationHandler
- Each AuthenticationHandler can be assigned a path prefix.
  - In practice, most of the time, the path is /
- AuthenticationHandlers are ordered based on service ranking
  - For extractCredentials() – first non-null result wins
  - For requestCredentials() – first true response wins
  - For dropCredentials() – all handlers are called
- There is also an optional AuthenticationFeedbackHandler interface which an AuthenticationHandler can implement to… get feedback.
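The handler contract on this slide, as an added example that is not from the presentation or its code download: a handler that returns null when the request is not its own, FAIL_AUTH when its credentials are malformed, and otherwise passes user and password on for a LoginModule to validate. The class name, the X-Example-Credentials header, the EXAMPLE auth type and the /content/mysite path are hypothetical; the annotations are the Felix SCR ones.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.osgi.framework.Constants;

// Hypothetical handler: path, ranking, header name and auth type are assumptions.
@Component
@Service(AuthenticationHandler.class)
@Properties({
    @Property(name = AuthenticationHandler.PATH_PROPERTY, value = "/content/mysite"),
    @Property(name = Constants.SERVICE_RANKING, intValue = 100)
})
public class ExampleHeaderAuthenticationHandler implements AuthenticationHandler {

    private static final String HEADER = "X-Example-Credentials"; // constructed name, "user:password"
    private static final String AUTH_TYPE = "EXAMPLE";

    public AuthenticationInfo extractCredentials(HttpServletRequest req, HttpServletResponse res) {
        String value = req.getHeader(HEADER);
        if (value == null) {
            return null; // not ours: Sling moves on to the next handler in the ordering
        }
        int sep = value.indexOf(':');
        if (sep <= 0) {
            // Ours but unusable: a non-null result ends the search, so no other handler is tried.
            return AuthenticationInfo.FAIL_AUTH;
        }
        // The handler only extracts; a LoginModule still has to validate these credentials.
        return new AuthenticationInfo(AUTH_TYPE, value.substring(0, sep),
                value.substring(sep + 1).toCharArray());
    }

    public boolean requestCredentials(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        return false; // no login UI here; the first handler that returns true (e.g. form login) wins
    }

    public void dropCredentials(HttpServletRequest req, HttpServletResponse res) {
        // Called on every handler at logout; this one keeps no cookie or session state to clear.
    }
}
```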
6
OOTB AuthenticationHandlers
- HttpBasicAuthenticationHandler – Handles HTTP Basic Authentication
- CQ LoginSelectorHandler – Handles path-specific login page redirects
- CRX TokenAuthenticationHandler – Handles form based login and token cookies
- Granite OAuth Bearer AuthenticationHandler – Facebook, Twitter supported OOTB; others possible
- SAML Authentication Handler – Supports SAML 2.0
- SSO Authentication Handler – Generic SSO Support – cookies, headers, parameters
7
Is Anonymous Access Allowed?
- By default:
  - Author – no
  - Publish – yes
- Exceptions defined two ways:
  - Configuration of the SlingAuthenticator OSGi component
    - Don’t reconfigure this. Just be aware.
  - Every OSGi service can have a sling.auth.requirements property
    - For example, to allow anonymous access to /mypath:
      @Property(name = "sling.auth.requirements", value = "-/mypath")
- See /system/console/slingauth for the current aggregated configuration
8
LoginModule
- A LoginModule is responsible for validating credentials.
- Defined by the JAAS specification.
- Multiple LoginModules can be configured.
- By default, AEM uses a single LoginModule
  - Authenticates against the repository.
- For CRX2: Jackrabbit provides a base AbstractLoginModule specifically for working with Jackrabbit/CRX.
  - Read:
- For Oak: Generally, you’ll use the new ExternalLoginModule by implementing an External Identity Provider
- Note: Sling includes something called a LoginModulePlugin. Don’t use this. It was a bad idea and doesn’t work.
9
Token Authentication
- As part of login, CRX’s default LoginModule creates tokens in the repository, which enables cookie-based login on subsequent requests.
- These tokens are stored in the repository, e.g. /home/users/a/admin/.tokens
- This is NOT the same as “Remember Me”.
- Tokens expire:
  - Cookies are session-bound.
  - Tokens in the repository have an expiration date and are purged.
- Tokens present challenges with clustering.
  - Login Request -> master, writes token to repository
  - Request #2 (with login-token cookie) -> slave, tries to read token
  - Fails if slave hasn’t sync’d yet
10
JCR Access Control
- ACLs are an integral part of the repository
- In JCR not only the enforcement is specified, but also APIs to modify ACLs.
- Privileges include read, modify, create, remove, readAccessControl, writeAccessControl, and more.
- Custom privileges are also possible. Example: AEM Replication
- ACL inheritance by path
- For all JCR API calls the ACLs are considered when returning the results:
  - A JCR session is created for a specific user
  - Only readable nodes are returned in “node.getNodes()”
  - A search result only contains nodes visible to that user.
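The ACL-modification API mentioned on this slide, as an added example that is not from the presentation or its code download: it denies jcr:read to everyone on a subtree and then allows it for one group, using the JCR AccessControlManager and the Jackrabbit API. The class name and the idea of a members-only path are hypothetical, and the calling session is assumed to hold the privilege to modify access control at that path.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;

public final class MembersAreaAcl { // hypothetical helper class

    /** Denies jcr:read to everyone at path (inherited below it), then allows it for one group. */
    public static void restrictRead(Session session, String path, String groupPrincipalName)
            throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        PrincipalManager principals = ((JackrabbitSession) session).getPrincipalManager();
        Principal group = principals.getPrincipal(groupPrincipalName);
        if (group == null) {
            throw new RepositoryException("Unknown principal: " + groupPrincipalName);
        }
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };

        JackrabbitAccessControlList acl = modifiableAcl(acm, path);
        acl.addEntry(principals.getEveryone(), read, false); // deny
        acl.addEntry(group, read, true); // allow; added after the deny so it wins for group members
        acm.setPolicy(path, acl);
        session.save(); // the ACL change is transient until the session is saved
    }

    private static JackrabbitAccessControlList modifiableAcl(AccessControlManager acm, String path)
            throws RepositoryException {
        for (AccessControlPolicy policy : acm.getPolicies(path)) { // an ACL is already set here
            if (policy instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) policy;
            }
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path); // none yet: take a new one
        while (it.hasNext()) {
            AccessControlPolicy policy = it.nextAccessControlPolicy();
            if (policy instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) policy;
            }
        }
        throw new RepositoryException("No editable ACL at " + path);
    }
}
```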
11
Do I Need To Write an AuthenticationHandler?
If…
- You need to support some custom type of credentials
- You need SSO and you don’t support SAML 2.0.
- You need SSO and your SSO system can’t work with the SSO Authentication Handler.
  - This can happen when the header is encrypted in some way.
  - Think about using a Filter instead of reimplementing the SSO Authentication Handler.
- You need to support “Remember Me”
12
Do I Need To Write a LoginModule (or External Identity Provider)?
If…
- You need to integrate with an external identity provider at the credentials level.
  - For example: LDAP (except this is supported out of the box)
- You need custom authentication for CRX DE Lite, CRX Explorer, or OSGi Console
  - These systems generally do not support Sling AuthenticationHandler.
- You need custom authentication for WebDAV or Adobe Drive
  - These only support basic authentication.
- You need custom authentication for another JCR client application
  - This will probably never be the case
13
“Live” Coding
14
Live Coding
- Based on AEM 6.0 SP2; tested on 5.6.1
- Written in JSP
- Users exist already
- Users are local
- Using Form Based Login
15
Form Based Login
Logging in via a form requires two parameters:
- j_username – username
- j_password – password
POST to <anything>/j_security_check
And two optional parameters:
- resource – the path to redirect to on a successful login
- j_validate – used for Ajax logins
16
Let’s Do This!
17
Resources
- Code: http://bit.ly/aem-ate-login-code
- Permission Sensitive Caching Docs:
- Sling Authentication Docs:
- Oak External Login Module Docs: