Custom User Group Mapping in AEM 6.5

Last update: March 5, 2025

Topics:
Administering

CREATED FOR:

Admin

Older AEM Versions

AEM 6.5

Comments

Property: cq:cugEnabled

Declaring node type: N/A, residual property

Authorization:

Node: rep:cugPolicy of node type rep:CugPolicy

Declaring node type: rep:CugMixin

Authentication:

Mixin type: granite:AuthenticationRequired

To restrict read access, a dedicated CUG policy is applied to the target node.

NOTE: Policies can only be applied at the configured supported paths.

Nodes with name rep:cugPolicy and type rep:CugPolicy are protected and cannot be written using regular JCR API calls; use JCR access control management instead.

See this page for more info.

To enforce authentication requirement on a node, it is sufficient to add the mixin type granite:AuthenticationRequired.

NOTE: Only respected below the configured supported paths.

Property: cq:cugPrincipals

Declaring node type: NA, residual property

Property: rep:principalNames

Declaring node type: rep:CugPolicy

The property containing the names of those principals that are allowed to read the content below the restricted CUG is protected and cannot be written using regular JCR API calls; use JCR access control management instead.

See this page for more details on the implementation.

Property: cq:cugLoginPage

Declaring node type: NA, residual property

Property: granite:loginPath (optional)

Declaring node type: granite:AuthenticationRequired

A JCR node that has the mixin type granite:AuthenticationRequired defined, may optionally define an alternative login path.

NOTE: Only respected below the configured supported paths.

Property: cq:cugRealm

Declaring node type: NA, residual property

NA

No longer supported with the new implementation.

Comparison of OSGi Services

Older AEM Versions

Label: Adobe Granite Closed User Group (CUG) Support

Name: com.day.cq.auth.impl.CugSupportImpl

AEM 6.5

Label: Apache Jackrabbit Oak CUG Configuration

Name: org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugConfiguration

ConfigurationPolicy = REQUIRED
Label: Apache Jackrabbit Oak CUG Exclude List

Name: org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugExcludeImpl

ConfigurationPolicy = REQUIRED
Name: com.adobe.granite.auth.requirement.impl.RequirementService
Label: Adobe Granite Authentication Requirement and Login Path Handler

Name: com.adobe.granite.auth.requirement.impl.DefaultRequirementHandler

ConfigurationPolicy = REQUIRED

Comments

Configuration of the CUG authorization and enable/disable the evaluation.
Service to configure exclusion list of principals which should not be affected by the CUG authorization.

NOTE
If the CugExcludeImpl is not configured, the CugConfiguration falls back to the default.

It is possible to plug a custom CugExclude implementation if there are special needs.
OSGi component implementing LoginPathProvider that exposes a matching login path to the LoginSelectorHandler. It has a mandatory reference to a RequirementHandler which is used to register the observer that listens to changed auth requirements stored in the content by the means of the granite:AuthenticationRequired mixin type.
OSGi component implementing RequirementHandler that notifies the SlingAuthenticator about changes to authrequirements.

As configuration policy for this component is REQUIRE, it is only activated if a set of supported paths is specified.

Enabling the service launches the RequirementService.

recommendation-more-help

Custom User Group Mapping in AEM 6.5

Comparison of JCR Content related to CUG (Custom User Group)

Comparison of OSGi Services