Custom User Group Mapping in AEM 6.5

Older AEM Versions

Property: cq:cugEnabled

Declaring node type: N/A, residual property

AEM 6.5

Authorization:

Node: rep:cugPolicy of node type rep:CugPolicy

Declaring node type: rep:CugMixin

Authentication:

Mixin type: granite:AuthenticationRequired

Comments

In order to restrict read access, a dedicated CUG policy is applied to the target node.

NOTE: Policies can only be applied at the configured supported paths.

Nodes with name rep:cugPolicy and type rep:CugPolicy are protected and cannot be written using regular JCR API calls; use JCR access control management instead.

See this page for more info.

In order to enforce the authentication requirement on a node, it is sufficient to add the mixin type granite:AuthenticationRequired.

NOTE: Only respected below the configured supported paths.

Older AEM Versions

Property: cq:cugPrincipals

Declaring node type: N/A, residual property

AEM 6.5

Property: rep:principalNames

Declaring node type: rep:CugPolicy

Comments

The property containing the names of those principals that are allowed to read the content below the restricted CUG is protected and cannot be written using regular JCR API calls; use JCR access control management instead.

See this page for more details on the implementation.

Older AEM Versions

Property: cq:cugLoginPage

Declaring node type: N/A, residual property

AEM 6.5

Property: granite:loginPath (optional)

Declaring node type: granite:AuthenticationRequired

Comments

A JCR node that has the mixin type granite:AuthenticationRequired defined may optionally define an alternative login path.

NOTE: Only respected below the configured supported paths.

Older AEM Versions

Property: cq:cugRealm

Declaring node type: N/A, residual property

AEM 6.5

N/A

Comments

No longer supported with the new implementation.
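The property mappings above, as an added Java example (not code from Adobe or from the original page): a hypothetical LegacyCugMapper that reads the legacy properties on one node and writes the AEM 6.5 equivalents through JCR access control management. It assumes the node at `path` carries the legacy properties and lies below a configured supported path; the legacy properties are left in place.

```java
import java.security.Principal;
import javax.jcr.*;
import javax.jcr.security.*;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.authorization.PrincipalSetPolicy;

// Added example: LegacyCugMapper, map and findCugPolicy are hypothetical names.
public final class LegacyCugMapper {
    public static void map(Session session, String path) throws RepositoryException {
        Node node = session.getNode(path);
        if (!node.hasProperty("cq:cugEnabled") || !node.getProperty("cq:cugEnabled").getBoolean()) {
            return; // legacy CUG not enabled on this node, nothing to map
        }
        // Authorization: rep:cugPolicy is protected, so it is written via access control management.
        AccessControlManager acMgr = session.getAccessControlManager();
        PrincipalSetPolicy cug = findCugPolicy(acMgr, path);
        if (cug == null) { // typically: path is not below a configured supported path
            throw new RepositoryException("No CUG policy available at " + path);
        }
        if (node.hasProperty("cq:cugPrincipals")) { // cq:cugPrincipals -> rep:principalNames
            Property legacy = node.getProperty("cq:cugPrincipals");
            Value[] names = legacy.isMultiple() ? legacy.getValues() : new Value[] {legacy.getValue()};
            for (Value name : names) {
                Principal p = ((JackrabbitSession) session).getPrincipalManager().getPrincipal(name.getString());
                if (p == null) { // fail instead of silently dropping a reader from the CUG
                    throw new RepositoryException("Unknown principal: " + name.getString());
                }
                cug.addPrincipals(p);
            }
        }
        acMgr.setPolicy(path, cug);
        // Authentication: cq:cugEnabled -> mixin, cq:cugLoginPage -> granite:loginPath (optional).
        node.addMixin("granite:AuthenticationRequired");
        if (node.hasProperty("cq:cugLoginPage")) {
            node.setProperty("granite:loginPath", node.getProperty("cq:cugLoginPage").getString());
        }
        session.save(); // persist policy and authentication requirement together
    }

    private static PrincipalSetPolicy findCugPolicy(AccessControlManager acMgr, String path)
            throws RepositoryException {
        for (AccessControlPolicy p : acMgr.getPolicies(path)) { // CUG already set: edit it
            if (p instanceof PrincipalSetPolicy) return (PrincipalSetPolicy) p;
        }
        AccessControlPolicyIterator it = acMgr.getApplicablePolicies(path); // otherwise: new policy
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof PrincipalSetPolicy) return (PrincipalSetPolicy) p;
        }
        return null;
    }
}
```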

Comparison of OSGi Services

Older AEM Versions

Label: Adobe Granite Closed User Group (CUG) Support

Name: com.day.cq.auth.impl.CugSupportImpl

AEM 6.5

  • Label: Apache Jackrabbit Oak CUG Configuration

    Name: org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugConfiguration

    ConfigurationPolicy = REQUIRED

  • Label: Apache Jackrabbit Oak CUG Exclude List

    Name: org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugExcludeImpl

    ConfigurationPolicy = REQUIRED

  • Name: com.adobe.granite.auth.requirement.impl.RequirementService

  • Label: Adobe Granite Authentication Requirement and Login Path Handler

    Name: com.adobe.granite.auth.requirement.impl.DefaultRequirementHandler

    ConfigurationPolicy = REQUIRED

Comments

  • Configuration of the CUG authorization and enable/disable the evaluation.

  • Service to configure exclusion list of principals which should not be affected by the CUG authorization.

    NOTE

    If the CugExcludeImpl is not configured, the CugConfiguration will fall back to the default.

    It is possible to plug a custom CugExclude implementation in case of special needs.

  • OSGi component implementing LoginPathProvider that exposes a matching login path to the LoginSelectorHandler. It has a mandatory reference to a RequirementHandler, which is used to register the observer that listens to changed auth requirements stored in the content by means of the granite:AuthenticationRequired mixin type.

  • OSGi component implementing RequirementHandler that notifies the SlingAuthenticator about changes to auth requirements.

    As the configuration policy for this component is REQUIRED, it will only be activated if a set of supported paths is specified.

    Enabling the service will launch the RequirementService.
