AEM 6.3 - Bundle Whitelisting - Deprecation of administrative authentication
I stumbled on an issue when I was using neba with AEM 6.3. I created a few neba ResourceModels, and when I tried to access the neba Model Registry, I got an error (java.lang.IllegalStateException: org.apache.sling.api.resource.LoginException: Bundle org.eclipse.gemini.blueprint.extender is NOT whitelisted):
Image: neba Model Registry Menu
Image: Error Screen
NOTE: The neba team has already fixed it on their development branch, and we don’t need to explicitly add a whitelisting configuration for the neba bundle.
Here is the reason for the error:
Originally the ResourceResolverFactory.getAdministrativeResourceResolver and SlingRepository.loginAdministrative methods have been defined to provide access to the resource tree and JCR Repository. These methods proved to be inappropriate because they allow for much too broad access.
Consequently these methods are being deprecated and will be removed in future releases of the service implementations.
The following methods are deprecated:
- ResourceResolverFactory.getAdministrativeResourceResolver
- ResourceProviderFactory.getAdministrativeResourceProvider
- SlingRepository.loginAdministrative
The implementations we have in Sling's bundle will remain implemented in the near future. But there will be a configuration switch to disable support for these methods: If the method is disabled, a LoginException is always thrown from these methods. The JavaDoc of the methods is extended with this information.
Whitelisting bundles for administrative login
To manage the few (hopefully legitimate) uses of the deprecated methods above, a whitelisting mechanism was introduced with SLING-5153 (JCR Base 2.4.2).
The recommended way to whitelist a bundle for administrative login is via a whitelist fragment configuration. It can be created as an OSGi factory configuration with the factoryPID org.apache.sling.jcr.base.internal.LoginAdminWhitelist.fragment.
E.g. a typical configuration file might be called org.apache.sling.jcr.base.internal.LoginAdminWhitelist.fragment-myapp.config and could look as follows:
whitelist.name="myapp"
whitelist.bundles=[
"com.myapp.core",
"com.myapp.commons"
]
In general, avoid administrative login in code you write for your own bundle. If a third-party bundle depends on it, you can add a whitelist configuration as explained above to get it working.
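For code in your own bundle, the usual replacement for administrative login is a service resource resolver bound to a least-privilege system user. The sketch below is an added example, not code from the original post or from neba; the component name TitleReader, the sub-service name content-reader and the system user myapp-reader are hypothetical, and it assumes a matching Service User Mapper entry exists.

```java
package com.myapp.core; // hypothetical package, matching the bundle name used above

import java.util.Collections;
import java.util.Map;

import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

@Component(service = TitleReader.class)
public class TitleReader {

    // Hypothetical sub-service name. It must be mapped to a system user, for example
    // with a Service User Mapper amendment containing:
    //   user.mapping=["com.myapp.core:content-reader=myapp-reader"]
    // where "myapp-reader" (assumed) has read access only to the paths it needs.
    private static final String SUBSERVICE = "content-reader";

    @Reference
    private ResourceResolverFactory resolverFactory;

    /** Returns the jcr:title of the resource at the given path, or null if absent. */
    public String readTitle(String path) {
        // Before (deprecated, full admin rights, bundle must be whitelisted):
        //   resolverFactory.getAdministrativeResourceResolver(null);
        Map<String, Object> authInfo = Collections.<String, Object>singletonMap(
                ResourceResolverFactory.SUBSERVICE, SUBSERVICE);

        // ResourceResolver is Closeable; try-with-resources avoids leaking the session.
        try (ResourceResolver resolver = resolverFactory.getServiceResourceResolver(authInfo)) {
            Resource resource = resolver.getResource(path);
            return resource == null
                    ? null
                    : resource.getValueMap().get("jcr:title", String.class);
        } catch (LoginException e) {
            // Thrown when no service user is mapped for this bundle and sub-service.
            throw new IllegalStateException("No service user mapped for " + SUBSERVICE, e);
        }
    }
}
```

With this in place the bundle does not need an entry in whitelist.bundles, and its access is limited to whatever the mapped system user is granted.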
Hope this information will save you time. Thanks for reading!!!