April 26, 2020

Creating a System User in AEM

AEM System User:
Up to AEM 6, we had the liberty to use any user as a service user for invoking and executing any service. From AEM 6.1 there is a slight change in how the ServiceUserMapping is defined and how the service user (system user) has to be created.

If we try to assign an arbitrary user as the service user in AEM 6.1, we get the error below:
org.apache.sling.api.resource.LoginException: Cannot derive user name for bundle ch.inside.cqblog-bundle [452] and sub service readService
Note: From AEM 6.1, service users can only be mapped to system users (jcr:primaryType = rep:SystemUser).

In AEM 6.1, you must create an AEM system user to successfully get a session using code such as the snippet shown further below.

Why System User?
Use of the admin session and the admin resource resolver through ResourceResolverFactory is now deprecated, which is why from AEM 6.1 Adobe forces developers to create system users and map them in the Service User Mapper in the Felix Console. The goals are:

Prevent excessive use of administrative JCR Sessions and ResourceResolvers.
Allow services access to ResourceResolvers and JCR Sessions without requiring hard-coded or configured passwords.
Allow services to use service users and/or system users which are specially configured for service level access.

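import java.util.HashMap;
import java.util.Map;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
....
@Reference
private ResourceResolverFactory factory;
...
...
// Ask for the resolver mapped to this bundle's "writeService" sub service
Map<String, Object> param = new HashMap<String, Object>();
param.put(ResourceResolverFactory.SUBSERVICE, "writeService");
ResourceResolver resourceResolver = null;
try {
  resourceResolver = factory.getServiceResourceResolver(param);
  // Session of the mapped system user, kept local instead of in a static field
  Session session = resourceResolver.adaptTo(Session.class);

  Resource pageResource = resourceResolver.getResource("/etc/cloudservices/salesforce/kishore/jcr:content");
  // getResource returns null when the system user cannot read the path
  if (pageResource != null) {
    Node configNode = pageResource.adaptTo(Node.class);
    // client is defined elsewhere in the component (not shown in this post)
    configNode.setProperty("accesstoken", client.getAccessToken());
    session.save();
  }
...
} catch (LoginException e) {
...
} catch (RepositoryException e) {
...
} finally {
  // Service resource resolvers must be closed by the code that opened them
  if (resourceResolver != null) {
    resourceResolver.close();
  }
}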

This code will not work in AEM 6.1 using a standard user.
If we try to assign an arbitrary user as the service user in AEM 6.1, we get the error below:
org.apache.sling.api.resource.LoginException: Cannot derive user name for bundle com.kishore.aem-bundle [452] and sub service readService
Note: From AEM 6.1, service users can only be mapped to system users (jcr:primaryType = rep:SystemUser).


To create a system user, perform these tasks:
1. Open http://localhost:4502/crx/explorer/index.jsp
2. Log in as admin
3. Click User Administration
4. Click Create System User
5. Set the UserId
6. Click Save


Once created, you can extend permissions like a normal user using the AEM ACL functionality.

Sometimes we face the error below, so I tried the other option for using a system user.
Error: Missing permission to create intermediate authorizable folders.

The other option for using a system user to set properties on a node:
Use a built-in system user in the OSGi configuration. In the OSGi console, select Apache Sling Service User Mapper Service.
Add a new entry: com.kishore.aem:writeService=oauthservice

com.kishore.aem is the bundle name
writeService is the Sling sub service name
oauthservice is a system user available in AEM



Note: If we set properties under /etc, read and write permission must be granted to the oauthservice system user; otherwise resourceResolver.getResource will return null and the code will fail with a NullPointerException.
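
A quick way to review Service User Mapper entries before deploying them, written as an added example (it is not code from this post or from AEM): it parses entries in the bundle:subservice=user form shown above and flags any that point at a user that is not a rep:SystemUser. The user inventory and all sample entries except the first are constructed for illustration.

```python
"""Audit Sling Service User Mapper entries (added example, constructed data)."""

# Constructed inventory: user id -> jcr:primaryType, e.g. exported from the repository.
USERS = {
    "oauthservice": "rep:SystemUser",
    "admin": "rep:User",
    "kishore": "rep:User",
}

def parse_mapping(entry):
    """Split 'bundle[:subservice]=user' into (bundle, subservice or None, user)."""
    left, sep, user = entry.strip().partition("=")
    if not sep or not left or not user:
        raise ValueError("not a service user mapping: %r" % entry)
    bundle, _, subservice = left.partition(":")
    return bundle, subservice or None, user

def audit(entries, users):
    """Return (entry, problem) pairs for mappings that need attention."""
    findings = []
    for entry in entries:
        try:
            bundle, subservice, user = parse_mapping(entry)
        except ValueError as exc:
            findings.append((entry, str(exc)))
            continue
        ptype = users.get(user)
        if ptype is None:
            findings.append((entry, "user %s does not exist" % user))
        elif ptype != "rep:SystemUser":
            # AEM 6.1+ refuses this mapping with a LoginException at runtime
            findings.append((entry, "%s is %s, not rep:SystemUser" % (user, ptype)))
        if subservice is None:
            findings.append((entry, "no sub service: acts as the bundle-wide default"))
    return findings

# Constructed sample entries; only the first one comes from the post.
SAMPLE = [
    "com.kishore.aem:writeService=oauthservice",
    "com.kishore.aem:readService=admin",
    "com.kishore.aem=kishore",
    "com.kishore.aem:writeService",
]

if __name__ == "__main__":
    for entry, problem in audit(SAMPLE, USERS):
        print("%-45s %s" % (entry, problem))
```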




By aem4beginner
