Comments (13)
> Out of curiosity, I have this question in my mind: why not completely rely on the service user account "acs-commons-manage-redirects-service", which is already being used in RedirectFilter.java? This already gives you read permission on the complete /conf node?

Performance is one of the reasons. Redirect Manager was designed to work in high-load environments. Opening a service resolver on every request would add a delta, so why not use the resolver from the request?
In early versions of the Redirect Manager this wasn't a problem. Redirects were loaded on startup/on-change into a mem-cache and everything was super-fast. Then we added stuff that required evaluation in the context, and this extra bit of ACL was introduced.
Changing the bucket would break it; it's a good catch, although I'm not sure if we need to be that flexible. I'd say we need to hide this configuration and have it static.
from acs-aem-commons.
@thcharan I can't reproduce it. ACS Commons grants read access to redirects in the repo-init script:
[screenshot: image]
I tried with aem-sdk-2023.12.14697.20231215T125030Z-231200 and 6.5.20 and redirects worked fine for me.
Do you have any ACL customizations on the /conf node?
from acs-aem-commons.
OK, we did further testing on a vanilla localhost publish instance (aem-sdk-quickstart-2023.12.14697.20231215T125030Z-231200) with the ACS 6.4.0 package deployed (no other custom code on it). The issue is still reproducible.
Also, I checked the ACLs of the "anonymous" user account on the above vanilla localhost with ACS 6.4.0; they look exactly the same as what's in your screenshot.
Can you double-check?
- Specifically, is the ignore-selector functionality working for you on a localhost AEM SDK publish instance (as the anonymous user)?
- Also, to check the permissions, can you hit this endpoint and see if any property values are returned in that JSON in the anonymous user context (ensure you are not logged in to CRX/DE as admin)?
http://localhost:4503/conf/global/settings/redirects.json
I can definitely say that, with "anonymous" being part of the "everyone" group, the out-of-the-box ACL restrictions defined on the "everyone" group conflicting with the ACL defined on the "anonymous" user account, which is being modified by the ACS repoinit, is completely possible.
I'm very certain this is an issue.
from acs-aem-commons.
I'm able to reproduce the issue with a vanilla AEM SDK local setup (aem-sdk-quickstart-2023.12.14697.20231215T125030Z-231200) and ACS 6.4.0.
Also checked the conf/global/settings/redirects.json value as an anonymous user and as an admin. Attaching a screenshot of the same.
Screenshot of localhost 4503 configs and ACS version used:
from acs-aem-commons.
@thcharan @vc-architha I was able to reproduce it on my local. Thanks for spotting it.
@thcharan the statement that none of the context-aware configs are working is not quite correct. Regular redirects are working fine. The issue only impacts the functionality that reads optional configuration parameters from the context, i.e. from this tab:
That's why I could not reproduce it at first.
The fix seems to be easy; we need to set another ACL for /conf:
```
# web requests need read access to redirect configurations, e.g. /conf/global/settings/redirects
set ACL for anonymous
    allow jcr:read on /conf restriction(rep:glob,/*/settings/redirects)
    allow jcr:read on /conf restriction(rep:glob,/*/settings/redirects/*)
end
```
I tried it on my local and with these two rules it works properly. The PR with the fix is coming.
from acs-aem-commons.
@YegorKozlov / @vc-architha - Thank you for checking on it. Glad to know that it's reproducible on your end.
Yes, apologies. I will update the title of this issue to make it clear; I probably did not phrase that statement correctly. Yes, any of the CA option params directly stored on that specific /redirects node being the only problem was my intended statement.
Out of curiosity, I have this question in my mind: why not completely rely on the service user account "acs-commons-manage-redirects-service", which is already being used in RedirectFilter.java? This already gives you read permission on the complete /conf node?
[screenshot: Screen Shot 2024-03-08 at 11 23 09 AM]
[screenshot: Screen Shot 2024-03-08 at 11 18 43 AM]
[screenshot: Screen Shot 2024-03-08 at 11 18 27 AM]
Any specific reasons not to? I was wondering why take the painful approach of modifying the 'anonymous' user ACL on publish, as I know it is a very sensitive user account and could potentially cause some conflicts with a specific client's custom code base. If we rely on our own ACS service user account "acs-commons-manage-redirects-service", maybe it provides better insulation in a customer environment, where custom code won't interfere with acs-commons-manage-redirects-service.
Another reason to consider using the service user account is that if we modify the "Configuration Name" and "Configuration Bucket Name", your ACLs, which assume the /settings/redirects node is the bucket, won't work. That would in turn require the customer to implement their own ACL, with all the troubleshooting cycles it would cause down the road.
[screenshot: MicrosoftTeams-image (1)]
Any thoughts? I am sure you may have some valid reasons not to rely on the service user account; I would like to know what they could be.
from acs-aem-commons.
@YegorKozlov 👍 Ok. Thank you for clarifying the context there.
from acs-aem-commons.
Fixed in 6.5.0
from acs-aem-commons.
Redirect Manager works well for anonymous users, but the same issue occurs and the config cannot be accessed for a logged-in user. I am working on a site where a portion is behind login and am exploring using Redirect Manager. Once a user logs in, none of the redirects are processed. As a short-term workaround, I am looking to give everyone the jcr:read on the redirect folder that is applied to anonymous per this fix. A better fix would seem to be to use a service user, as mentioned by @YegorKozlov.
Thanks.
from acs-aem-commons.
@josh-ellingsworth I was able to reproduce it in WKND. It's a different issue than the one reported in this ticket, and we've always had it.
We allow anonymous to read redirect rules, and my assumption was that if anonymous could read redirects, then any other user would be able to as well. That's not correct and, like you said, we need to grant read access to anonymous and to any other users/groups that access the site.
It's a good argument for using a service user. The fix might take some time though.
from acs-aem-commons.
Please don't use service users, but just grant the necessary permissions to the everyone group (every user, even anonymous, is implicitly a member of it) in the repoinit script.
from acs-aem-commons.
@kwin thanks for the tip. It's never too late to learn :)
I see what's wrong with the current version of repo-init:
```
set ACL for anonymous
    allow jcr:read on /conf restriction(rep:glob,/*/settings/redirects)
    allow jcr:read on /conf restriction(rep:glob,/*/settings/redirects/*)
end
```
It should grant it to everyone instead.
from acs-aem-commons.
@YegorKozlov, @kwin - Yes, granting everyone access also fixes the issue. This is the temporary workaround I am implementing on our on-prem installation. I think this makes sense as an exception, but Adobe clearly documents that it is not recommended to change ACLs on everyone.
from acs-aem-commons.