SubServices in Apache Sling and Adobe AEM - osgi

I would like to understand the concept of subservices in OSGi. I tried to find the documentation, but was not able to get any material regarding AEM. I have this snippet of code:
ResourceResolverFactory.SUBSERVICE, "datawrite"
I tried to check in the Felix console; I am able to find ResourceResolverFactory in the Services tab. But how can I check SUBSERVICE, and the various options available, like datawrite etc., and what they stand for?
Thanks

Let me try and explain it in the context of Sling Authentication.
As of AEM6 there are changes in the API to stop the abuse of AdministrativeResourceResolver, which has been utilized by many developers to get an admin resourceResolver without passing any credentials.
As this has been deprecated in AEM6, you need to call getServiceResourceResolver(..) and pass it the subservice name, which is mapped to a user via the ServiceUserMapper configuration.
e.g. a configuration for a write service could be AEM-bundle:datawrite=datawriteuser. Here we are saying that datawrite, which is part of AEM-bundle, is mapped to datawriteuser, and the privileges available to this user are what will be used by the datawrite service.
A service can be composed of many subservices, and those subservices will be mapped to different users. Quoting the Sling documentation: a mail transfer service can be composed of smtp, queue and deliver subsystems, and these subsystems can be mapped to the mta:smtp, mta:queue and mta:deliver users respectively.
Check these references:
inside Blog entry
Sling Authentication

It is the name of the authentication information property providing the subservice name for the service requesting a resource resolver.
See http://sling.apache.org/apidocs/sling7/org/apache/sling/api/resource/ResourceResolverFactory.html#SUBSERVICE
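The mapping described in the answers above, put into a component: an added example written for this page, not code from the question, Sling or AEM. The component, the package-less class name, the bundle symbolic name AEM-bundle and the system user datawriteuser are assumptions; the constant ResourceResolverFactory.SUBSERVICE and getServiceResourceResolver(..) are the real Sling API.

```java
import java.util.Collections;
import java.util.Map;

import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

/*
 * Assumed ServiceUserMapper amendment (an OSGi config of factory PID
 * org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended):
 *     user.mapping=["AEM-bundle:datawrite=datawriteuser"]
 * AEM-bundle is this bundle's symbolic name; datawriteuser is a system user that
 * carries only the ACLs this component needs, so a bug here cannot act as admin.
 */
@Component(service = DataWriter.class)
public class DataWriter {

    // Value passed under ResourceResolverFactory.SUBSERVICE; it must equal the part
    // between ':' and '=' in the user.mapping entry above.
    private static final String SUBSERVICE_NAME = "datawrite";

    @Reference
    private ResourceResolverFactory resolverFactory;

    /** Returns true when the datawrite user can read the given path, false otherwise. */
    public boolean canRead(String path) {
        Map<String, Object> authInfo =
            Collections.singletonMap(ResourceResolverFactory.SUBSERVICE, SUBSERVICE_NAME);
        ResourceResolver resolver = null;
        try {
            // Throws LoginException when no bundle:subservice mapping exists or the mapped
            // user is missing; unlike the deprecated admin resolver there is no fallback.
            resolver = resolverFactory.getServiceResourceResolver(authInfo);
            // getResource() returns null both for a missing path and for a path the
            // service user may not read, so a too-narrow ACL shows up here, not as admin access.
            Resource target = resolver.getResource(path);
            return target != null;
        } catch (LoginException e) {
            return false; // fail closed: no mapping means no resolver
        } finally {
            if (resolver != null && resolver.isLive()) {
                resolver.close();
            }
        }
    }
}
```

The Felix console only shows the mapper's configuration entries, not a list of valid subservice names; the name is whatever string the calling bundle and its user.mapping entry agree on.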

Related

Is it safe to use a common ACS URL and SP Entity ID for multiple Asserting Parties?

My use case is that my users create an application, for example in Okta, then send a link to the metadata from which my application creates a RelyingPartyRegistration. Users can then log in using the IDP they registered. The app supports several commonly known IDPs, but it is also possible to add integration with a custom IDP that supports SAML.
I'm trying to figure out if it's safe to use a common ACS URL and SP Entity ID for all users (without using {registrationId} in the links). If so, can this be done within a single IDP, or can I use a common one for all IDPs that my application supports (Okta, OneLogin, etc.)?
Also, if I understand correctly, this use case is slightly different from the examples because the IDP metadata is known in advance in the examples. I would be grateful if you could tell me the correct name for this use case so I can read more about it.

Azure SSO and Laravel login have issue with SAML

I have followed the solution explained in the Azure SSO related question in the forum
After that I checked in the Azure portal and tried testing from the portal itself, but it keeps redirecting me to the login page (only when doing it the first time); this is new to me, though. Am I missing something, or do I need to write a login handler for my application to handle this? For now I have not created any handler for login, because as per the description in the link it is supposed to work.
I tried putting a dd in the service provider that has been created, but it is not reflecting. I am confused and stuck here: I am not getting where I need to write the logic to handle users with type in this, as for login it is now redirecting me to the login route when I test it from the Azure portal.
Any guidance on this would be helpful!
• I would suggest you follow the GitHub documentation below for configuring Laravel SAML SSO in Azure AD, as it uses a Laravel package for SAML2 integration as a service provider itself. Also, as you have added the service provider in your case, you don't need to if you are using v5.5 and higher of Laravel, as it gets registered automatically. It's just for older versions that you need to add the service provider in 'config/app.php'.
https://github.com/aacotroneo/laravel-saml2
• Thus, once you do the above and publish the config files accordingly by executing the php commands, you will then need to modify the IDP settings in the PHP app's configuration, and here please ensure that you are entering the ACS (Reply) URL and Identifier (Entity ID) from the Azure AD created application correctly. Also, ensure that the required SAML URLs and certificate keys are correctly entered in the environment variables required in aad_idp_settings.php.
Also, please check the actual routes in the metadata by navigating to 'http(s)://{laravel_url}/{idpName}/metadata', as they must be reachable for your application to pass the authentication claims to AAD to get the authentication token. Since you are configuring SSO, please check the IDP metadata for 'http(s)://{laravel_url}/single_sign_on/mytestidp1/metadata', and finally please ensure that 'RedirectIfAuthenticated.php' is configured to redirect to '/routesPrefix/myIdp1/login', and the same in '/Exceptions/Handler.php'.
By following the above steps, your issue should be resolved.

Apache NiFi : Users addition from backend?

I am aware of adding/managing users from the GUI in NiFi, i.e. an admin user adds users, groups, policies etc.
This is maintained in users.xml file.
I wanted to know: can we manually add records in users.xml instead of using the GUI?
If yes, how is the identifier tag of a user derived by NiFi? For example, I see a tag:
How is the above identifier generated?
The reason for the above is that we can maintain the users.xml file in our code base, and whenever new users need to be added in NiFi, the team can update their details in this file and release, and we restart NiFi. We do not have to rely on the GUI to add new users.
Is it possible?
EDIT:
To be more clear, currently we have LDAP authentication in place using ldap-provider. So that part is fine. I am not looking for LDAP authentication to NiFi.
Now for the actual roles/permissions for "authorized users", i.e. who can see the processors/components, create new processors, query data provenance etc., an admin goes to the NiFi UI and adds users/groups/policies etc. These details are then updated in users.xml.
I am specifically looking to achieve this activity via automating or from backend.
As per the response from Bryan, I think the feasible solution is using Nifi REST API for that.
The users.xml and authorizations.xml really shouldn't be manually edited/maintained, they are internals of the file-based authorizer that are not meant to be a public API.
It would be better to maintain a script that looped through a list of users and used NiFi's REST API to see if the user existed, and if it didn't then created the user using the REST API.
Another option would be to load your users from a Directory Server. This is detailed in the admin guide [1]. This implementation is configured with an interval for retrieving new users from the Directory Server.
[1] https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#authorizers-setup
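The idempotent "check, then create" loop that the answer above recommends, as an added example written for this page (not code from the answer or from the NiFi project). It assumes a secured NiFi at a placeholder host, a bearer token already obtained from /nifi-api/access/token, and the documented tenants endpoint /nifi-api/tenants/users; the class and method names are made up here.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.List;

/*
 * Idempotent user provisioning through NiFi's tenants endpoint instead of hand-editing
 * users.xml. Assumptions: a secured NiFi at BASE (placeholder host), a bearer token
 * obtained beforehand from /nifi-api/access/token, and the response shape
 * {"users":[{"component":{"identity":"..."}}]} for GET /nifi-api/tenants/users.
 */
public class NifiUserSync {
    private static final String BASE = "https://nifi.example.invalid:8443"; // placeholder
    private static final String USERS = BASE + "/nifi-api/tenants/users";
    private final HttpClient client = HttpClient.newHttpClient();
    private final String token;

    public NifiUserSync(String token) { this.token = token; }

    /** Minimal JSON string escaping so a DN containing quotes or backslashes stays valid. */
    static String jsonString(String s) {
        return "\"" + s.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }

    /** True if the listing already holds this exact identity (substring check; parse properly in production). */
    static boolean hasIdentity(String usersJson, String identity) {
        return usersJson.contains("\"identity\":" + jsonString(identity));
    }

    /** Body for POST /nifi-api/tenants/users; version 0 because the entity does not exist yet. */
    static String createUserBody(String identity) {
        return "{\"revision\":{\"version\":0},\"component\":{\"identity\":" + jsonString(identity) + "}}";
    }

    /** Creates each missing identity; existing ones are left untouched, so reruns are safe. */
    public void ensureUsers(List<String> identities) throws Exception {
        HttpRequest list = HttpRequest.newBuilder(URI.create(USERS))
            .header("Authorization", "Bearer " + token).GET().build();
        String existing = client.send(list, HttpResponse.BodyHandlers.ofString()).body();
        for (String id : identities) {
            if (hasIdentity(existing, id)) continue;
            HttpRequest create = HttpRequest.newBuilder(URI.create(USERS))
                .header("Authorization", "Bearer " + token)
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(createUserBody(id))).build();
            int status = client.send(create, HttpResponse.BodyHandlers.ofString()).statusCode();
            if (status / 100 != 2) throw new IllegalStateException("create failed for " + id + ": " + status);
        }
    }
}
```

Because users are created through the authorizer's API, NiFi assigns the identifier itself and users.xml stays consistent with authorizations.xml, which is exactly what a hand edit cannot guarantee.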
users.xml is not intended to be updated by users. This can be overcome if you use an external authentication provider, e.g. the ldap-authentication provider.

Role based access to service methods using spring and mongodb

I have a requirement where I need to use role-based access to service methods. I have RESTful services, and I use spring-data to interact with MongoDB.
There are some restrictions that I have. I deal with a document in the DB called "Organization". In each organization, I know who the admins are. I do not have a repository of users who can access the services.
So the only way I can enforce some access-based rules is to check if the logged-in user is one of the admins configured for each organization and then allow the user to access the methods.
Should I think of applying Spring Security in this case? Otherwise, will a simple check of the user against the configured admins in the database document help? Can I make this check at a single point so that I can apply it to service methods based on my use case needs?
Please provide your suggestions / thoughts on how to go about this.
If you use Spring Security your rest methods can take advantage of a passed-in authenticated Principal object (example here) whereupon you can do whatever extra validation desired (such as checking if the admin is good for the given organization requested, etc.) There are many other parameters also available, perhaps allowing for this org checking to be done once and stored in the session object.
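One way to make the organization-admin check a single point of decision, as the answer suggests: an added example written for this page, not code from the answer or from Spring. The Organization document layout, the repository and the bean names are assumptions; @PreAuthorize with a bean reference in the expression is the real Spring Security mechanism and needs method security enabled (@EnableMethodSecurity, or @EnableGlobalMethodSecurity(prePostEnabled = true) on older versions).

```java
import java.util.Set;

import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

/* Organization document as assumed here: the question only says it lists who the admins are. */
class Organization {
    String id;
    String name;
    Set<String> admins;   // usernames of the admins for this organization
}

interface OrganizationRepository extends MongoRepository<Organization, String> { }

/**
 * Single point of decision: every service method that needs it delegates to this bean
 * through @PreAuthorize, so the rule lives in one place instead of being copied around.
 */
@Component("orgAuth")
class OrganizationAuthorizer {
    private final OrganizationRepository orgs;
    OrganizationAuthorizer(OrganizationRepository orgs) { this.orgs = orgs; }

    /** True only if the caller is authenticated and listed as an admin of orgId. */
    public boolean isAdmin(String orgId, Authentication auth) {
        if (auth == null || !auth.isAuthenticated()) return false;
        return orgs.findById(orgId)
            .map(o -> o.admins != null && o.admins.contains(auth.getName()))
            .orElse(false);   // unknown organization: deny rather than reveal its absence
    }
}

@Service
class OrganizationService {
    private final OrganizationRepository orgs;
    OrganizationService(OrganizationRepository orgs) { this.orgs = orgs; }

    /** Spring Security evaluates the expression before the body runs; on false it throws
     *  AccessDeniedException, so the method itself contains no authorization code. */
    @PreAuthorize("@orgAuth.isAdmin(#orgId, authentication)")
    public Organization rename(String orgId, String newName) {
        Organization o = orgs.findById(orgId).orElseThrow();
        o.name = newName;
        return orgs.save(o);
    }
}
```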

Programmatic access to Google API Console's functionality

I would like to configure the Google API services programmatically instead of having to go through the API Console. For example, I would like to be able to do the following types of things programmatically:
• Create OAuth and API Key credentials; this would include generating the client id/secret, setting the redirect URI, downloading the client_secrets.json file, etc.
• Get the list of projects for a user
• Enable/disable services for a specified project
Does Google provide any APIs for configuring services so that I don't have to use the API Console's GUI? All of the documentation I have seen has indicated that the only way to do this is through the API Console's GUI.
You can use the Cloud Resource Manager API to get the list of projects for a user. Unfortunately, public APIs don't exist for the other things at this time.