
Sunday 26 November 2017

Acl Setup service


As of CQ 5.3, run-mode dependent default permissions can be defined with the AclSetupService that always runs during startup.

The AclSetupService allows you to specify access control entries to be created at a given path for a given principal name. In addition, it allows you to clear existing entries at a given path for a given principal name.

Because of the nature of the service, this may potentially cause issues with existing access control content.

Sample: read permission on /apps granted to the everyone group at startup.

allow;jcr:read;everyone;/apps




The first config above ships out of the box (OOTB).

Config added:
allow;jcr:read;intranet-site-managers;/apps

Error.log

The permissions applied by the ACL setup service can be seen in error.log during startup.

When the config is saved:


18.09.2017 13:02:40.116 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=com.day.cq.security.ACLSetup)] com.day.cq.security.impl.ACLSetupService adjust ACL rules based on configuration.

18.09.2017 13:02:40.150 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=com.day.cq.security.ACLSetup)] com.day.cq.security.impl.ACLSetupService applying Rule{allow=true, inherit='false', privileges='[jcr:read]', principal='intranet-site-managers', path='/apps'}

18.09.2017 13:02:40.244 *INFO* [CM Event Dispatcher (Fire ConfigurationEvent: pid=com.day.cq.security.ACLSetup)] com.day.cq.security.impl.ACLSetupService done.

18.09.2017 13:02:40.793 *INFO* [JcrInstaller.1] org.apache.sling.installer.provider.jcr.impl.WatchedFolder Watching folder /apps/cq/security/config.author (priority 201)

18.09.2017 13:02:41.332 *INFO* [JcrInstaller.1] org.apache.sling.installer.provider.jcr.impl.JcrInstaller Registering resource with OSGi installer: [InstallableResource, priority=201, id=/apps/cq/security/config.author/com.day.cq.security.ACLSetup.config]


On startup you see the following log entries:


18.09.2017 13:09:20.440 *INFO* [FelixStartLevel] com.day.cq.security.impl.ACLSetupService adjust ACL rules based on configuration.

18.09.2017 13:09:20.456 *INFO* [FelixStartLevel] com.day.cq.security.impl.ACLSetupService applying Rule{allow=true, inherit='false', privileges='[jcr:read]', principal='intranet-site-managers', path='/apps'}

18.09.2017 13:09:20.487 *INFO* [FelixStartLevel] com.day.cq.security.impl.ACLSetupService done.
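Because the service reapplies its rules on every start, it is worth checking that the rules in error.log are the ones you configured. The script below is an added example, not part of the original post or of AEM: it compares rule strings in the format shown above with the "applying Rule{...}" log lines. It assumes comma-separated privileges, that allow=false in the log corresponds to a "deny" rule, and one constructed log line.

```python
import re

# Rule strings in the four-field format shown above: action;privilege;principal;path.
# Assumption: several privileges, if present, are comma-separated.
CONFIGURED = [
    "allow;jcr:read;everyone;/apps",
    "allow;jcr:read;intranet-site-managers;/apps",
]

# Constructed sample: the first two lines come from the startup log above,
# the third is made up to show a rule that no configuration entry explains.
SAMPLE_LOG = """\
18.09.2017 13:09:20.440 *INFO* [FelixStartLevel] com.day.cq.security.impl.ACLSetupService adjust ACL rules based on configuration.
18.09.2017 13:09:20.456 *INFO* [FelixStartLevel] com.day.cq.security.impl.ACLSetupService applying Rule{allow=true, inherit='false', privileges='[jcr:read]', principal='intranet-site-managers', path='/apps'}
18.09.2017 13:09:20.470 *INFO* [FelixStartLevel] com.day.cq.security.impl.ACLSetupService applying Rule{allow=false, inherit='false', privileges='[jcr:read]', principal='contributors', path='/etc'}
"""

RULE_RE = re.compile(
    r"ACLSetupService applying Rule\{allow=(?P<allow>true|false), inherit='[^']*', "
    r"privileges='\[(?P<privs>[^\]]*)\]', principal='(?P<principal>[^']*)', "
    r"path='(?P<path>[^']*)'\}"
)

def _privs(text):
    return tuple(sorted(p.strip() for p in text.split(",") if p.strip()))

def parse_config_rule(rule):
    """Turn 'allow;jcr:read;everyone;/apps' into a comparable tuple."""
    action, privs, principal, path = (part.strip() for part in rule.split(";"))
    return (action, _privs(privs), principal, path)

def applied_rules(log_text):
    """Extract every rule the service reports applying in error.log text."""
    # Assumption: allow=false in the log corresponds to a 'deny' rule.
    return [("allow" if m["allow"] == "true" else "deny",
             _privs(m["privs"]), m["principal"], m["path"])
            for m in RULE_RE.finditer(log_text)]

def audit(configured, log_text):
    """Compare what was configured with what the log says was applied."""
    expected = {parse_config_rule(r) for r in configured}
    applied = set(applied_rules(log_text))
    return {"unexpected": sorted(applied - expected),
            "not_seen_in_log": sorted(expected - applied)}

if __name__ == "__main__":
    for kind, rules in audit(CONFIGURED, SAMPLE_LOG).items():
        print(kind, rules)
```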







Acl handling via pom


By default, ACLs are installed in overwrite mode.

The ACL behavior on package install can be changed by modifying the pom.xml.


Update your pom build plugin "content-package-maven-plugin" with the acHandling option.

acHandling options:
  • ignore
  • overwrite
  • merge
  • merge_preserve
  • clear

Example: merging ACLs on installation.

<plugin>
    <groupId>com.day.jcr.vault</groupId>
    <artifactId>content-package-maven-plugin</artifactId>
    <version>0.0.24</version>
    <extensions>true</extensions>
    <configuration>
        <failOnError>true</failOnError>
        <username>${crx.username}</username>
        <password>${crx.password}</password>
        <properties>
            <acHandling>merge</acHandling>
        </properties>
    </configuration>
</plugin>

ACLs and How they are evaluated


Access Control Lists (ACLs) are made up of individual permissions, the Access Control Entries (ACEs), and are used to determine the order in which these permissions are actually applied.


An AccessControlEntry (ACE) represents the association of one or more Privilege objects with a specific Principal.

A standard installation of a CRX repository is configured to use resource-based access control lists.

Resource-based ACLs

That means that a resource (a node) is associated with a list of allow/deny entries for certain principals (users or groups), which maps naturally to storing them along with the JCR node.

ACLs and How They Are Evaluated

  • Allow rights have higher precedence than deny rights.
  • Group principals are evaluated in order, both within the hierarchy and within a single access control list, i.e. on the same node (concurrent).
  • This list is then scanned bottom-up until the first appropriate permission to apply to a page is found.


Concurrent (on the same node) Permission on ACL




EXAMPLE 1. 

Suppose you have the following ACL for the same resource under /content/geometrixx/en/products.




If a user is part of the two groups ‘allowed-it’ and ‘restricted-it’, you can see that the
access to the page products is denied because the ACL deny in read access is the rule
at the bottom.

EXAMPLE 2.

            


Now, if the order of the ACL is the opposite, a user who is part of the two groups, allowed-it and
restricted-it, will have access to the products page (because the ACL allow in read access
is the rule at the bottom).
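The two examples above, as an added sketch that is not part of the original post and not AEM code. It models only the bottom-up scan of a single node's ACL as described in the text, using constructed entries (jcr:read stands in for "read access"), and adds a helper that lists the entry pairs whose order matters.

```python
# Constructed ACLs for /content/geometrixx/en/products, top entry first.
# The entries follow the description in the text above.
EXAMPLE_1 = [
    ("allow", "allowed-it", {"jcr:read"}),
    ("deny", "restricted-it", {"jcr:read"}),   # bottom entry
]
EXAMPLE_2 = list(reversed(EXAMPLE_1))          # same entries, opposite order

def deciding_entry(acl, principals, privilege):
    """Scan one node's ACL bottom-up and return (index, action) of the first
    entry that names one of the user's principals and the privilege."""
    for index in range(len(acl) - 1, -1, -1):
        action, principal, privileges = acl[index]
        if principal in principals and privilege in privileges:
            return index, action
    return None  # no entry on this node applies

def order_sensitive_pairs(acl):
    """List entry pairs whose relative order changes the outcome for a user
    holding both principals: opposite actions on a shared privilege."""
    pairs = []
    for i, (act_a, who_a, privs_a) in enumerate(acl):
        for act_b, who_b, privs_b in acl[i + 1:]:
            shared = privs_a & privs_b
            if act_a != act_b and who_a != who_b and shared:
                pairs.append((who_a, who_b, sorted(shared)))
    return pairs

def explain(acl, principals, privilege="jcr:read"):
    hit = deciding_entry(acl, principals, privilege)
    if hit is None:
        return "no entry on this node applies"
    index, action = hit
    return f"{action} (decided by entry {index + 1} of {len(acl)}: {acl[index][1]})"

if __name__ == "__main__":
    both = {"allowed-it", "restricted-it"}
    print("Example 1:", explain(EXAMPLE_1, both))
    print("Example 2:", explain(EXAMPLE_2, both))
    print("Order-sensitive:", order_sensitive_pairs(EXAMPLE_1))
```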



Saturday 22 July 2017

Sling model inject annotation issue in Aem 6.2


In 6.2 if you create a project with archetype 10 and deploy it on aem the bundle remains in installed state coz. 

Wednesday 31 May 2017

Sling models and WCMUsePojo



  • Use one or the other: if you use WCMUse/WCMUsePojo, do not use Sling Models; if you want to use Sling Models, do not use WCMUse/WCMUsePojo.
  • Both provide the same functionality, so there is no point in using both.
  • WCMUse is deprecated in 6.1. Use WCMUsePojo instead.

Now let’s look at the implementation for this, you have 5(!) options:
  1.  Class that implements the Use interface (deprecated)
  2.  Class that extends WCMUsePojo class
  3.  Class that is adaptable from Resource (resource.adaptTo(YourClass))
  4.  Class that is adaptable from Request (request.adaptTo(YourClass))
  5.  Sling Models
Options 3 and 4 are useful when you implement the AdapterFactory interface. These two can be ignored.


Inject annotation issue in Sling models AEM 6.2

Read here - http://aemconcepts.blogspot.com/2017/07/sling-model-inject-annotation-issue-in.html

Sling models


  • Sling models can be created using the @Model annotation, which automatically adapts your request or resource.
  • They do not provide an activate method; a method named activate is treated like any other method.
  • A method with the @PostConstruct annotation does not need to be called through a use object. It is called automatically after all injections are done. When you edit and save the dialog, injections happen again, so the annotated method is called again.
  • The Style object currentStyle is only available as an injection when adapting from SlingHttpServletRequest, not when adapting from a resource. In a model adaptable from Resource, it can still be obtained by adapting the resource.

Available injectors for sling models.


 Inject resource resolver

    @Inject
    private ResourceResolver resourceResolver;


 @Named annotation

Values are injected into instance variables with the same name as the property. If the property name and the instance variable name differ, this annotation can be used. For example:

      /** The news filter tags. */
      @Inject
      @Named("newsfiltertags")
      private String[] newsFilterTags;

This injects the value of the newsfiltertags property into the newsFilterTags instance variable.


Sling model adaptable from request

@Model(adaptables = SlingHttpServletRequest.class, defaultInjectionStrategy = DefaultInjectionStrategy.OPTIONAL)
public class MegaMenuModel {…}

Retrieve resource


To retrieve the resource, either:

  1. Call request.getResource();
  2. Inject it (the @Source annotation is optional):

      @Inject
      @Source("script-bindings")
      private Resource resource;


 To inject Style for design

      @Inject
      private Style currentStyle;


Sling model adaptable from resource


@Model(adaptables = Resource.class, defaultInjectionStrategy = DefaultInjectionStrategy.OPTIONAL)
public class LoginSplashScreenModel {…}


Get Style object to retrieve from design


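// tagManager, designer, style and viewAllTitle are fields of the model
// (the field name tagManager is assumed; the original omits it)
tagManager = resourceResolver.adaptTo(TagManager.class);
designer = this.resourceResolver.adaptTo(Designer.class);
if (designer != null) {
      style = designer.getStyle(resource);
}

// style stays null when no Designer is available, so check it before use
if (style != null && StringUtils.isEmpty(viewAllTitle)) {
      viewAllTitle = style.get("viewalltitle", String.class);
}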

Passing parameters from Sightly to Sling models

To show the full range of possibilities, let’s also pass a parameter, so the content of the data-sly-use attribute must be changed to an expression with an option:
<div data-sly-use.myComponent="${'com.myproject.MyComponent' @ param1='one', param2='two'}">
    ${myComponent.calculatedValue}
</div>



WCMUsePojo/WCMUse

  • Provides the convenience method activate(), which is called from WCMUsePojo.init() once all injections are done. Implement this method to perform post-initialization tasks.
  • The activate method does not need to be called through a use object. It is called automatically after all injections are done.

@Override
public void activate() throws Exception {
    // post-initialization tasks go here
}

Thursday 18 May 2017

Common Issues in Debugger


The debugger keeps popping up with the following stack trace:


ThreadExpiringThreadPool(ThreadPoolExecutor).runWorker(ThreadPoolExecutor$Worker) line: not available
ThreadPoolExecutor$Worker.run() line: not available
Thread.run() line: not available  

Solution
Configuring the behavior of Eclipse is straightforward:

Go to Window > Preferences > Java > Debug and uncheck Suspend execution on uncaught exceptions.








Debugger doesn’t work



 

Not all threads have started, so debugging won't work.

Solution

Increase the maximum heap size, i.e. the -Xmx parameter.


Remote debugging in aem


In remote debugging:

1.      AEM forces the JVM to fork a process.

2.      The -XX:-UseSplitVerifier option is required for Java 7 (even to start CQ normally, without debug mode).



Modify start.bat (or create a debug.bat by modifying start.bat)


if not defined CQ_JVM_OPTS set CQ_JVM_OPTS=-Xmx1024m -XX:MaxPermSize=512M -XX:-UseSplitVerifier -Djava.awt.headless=true -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=30302

OR

if not defined CQ_JVM_OPTS set CQ_JVM_OPTS=-Xmx1024m -XX:MaxPermSize=512M -XX:-UseSplitVerifier -Djava.awt.headless=true -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=30303

OR

start "CQ" cmd.exe /K java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,address=30302,suspend=n %CQ_JVM_OPTS% -jar %CQ_JARFILE% %START_OPTS%



Or run from CMD (from the directory where the jar is present). JVM options must come before -jar; anything after the jar name is passed to the application as an argument.


java -XX:MaxPermSize=512m -Xmx1024m -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=30305 -Dsling.run.modes=publish -jar cq-publish-p4503.jar

OR

java -XX:MaxPermSize=512m -Xmx1024m -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=30303 -Dsling.run.modes=publish -jar cq-publish-p4503.jar


See also: Common Issues in Debugger



Wednesday 17 May 2017

JVM parameters in Java



JVM options can be divided into two groups by how they are specified: those that start with -X and those that start with -XX:

1)       JVM options that begin with -X are non-standard (they are not guaranteed to be supported on all JVM implementations) and are subject to change without notice in subsequent releases of the JDK.

2)       JVM options or parameters that are specified with -XX are not stable and are not recommended for casual use. These options are also subject to change without notice.




 -Xmx


The flag Xmx specifies the maximum memory allocation pool for a Java Virtual Machine (JVM), while Xms specifies the initial memory allocation pool. A common use for these flags is when you encounter a java.lang.OutOfMemoryError.

 -Xms        set initial Java heap size
 -Xmx        set maximum Java heap size
 -Xss        set Java thread stack size

-XX:MaxPermSize


This option is used to set the size of the Permanent Generation.

Permanent Generation: The Permanent Generation is where class files are kept and never deallocated, as the name suggests. These are the result of compiled classes and JSP pages. If this space is full, it triggers a Full Garbage Collection. If the Full Garbage Collection cannot clean out old unreferenced classes and there is no room left to expand the Permanent Space, an Out-of-Memory error (OOME) is thrown and the JVM will crash.


-agentlib:jdwp


Sun's VM implementations require command line options to load the JDWP agent for debugging.

From 5.0 onwards, the -agentlib:jdwp option is used to load and specify options to the JDWP agent.

For releases prior to 5.0, the -Xdebug and -Xrunjdwp options are used.


The -agentlib:jdwp and -Xrunjdwp options can be further qualified with sub-options. The sub-options are specified as follows:
    -agentlib:jdwp=<name1>[=<value1>],<name2>[=<value2>]...
or
   -Xdebug -Xrunjdwp:<name1>[=<value1>],<name2>[=<value2>]...


Transports


A JPDA Transport is a method of communication between a debugger and the virtual machine that is being debugged (hereafter the target VM).  The communication is connection oriented - one side acts as a server, listening for a connection. The other side acts as a client and connects to the server. JPDA allows either the debugger application or the target VM to act as the server. 


  1. Socket Transport
The JPDA reference implementation provides a socket transport for the Solaris, Linux, and Microsoft Windows platforms. The socket transport uses a TCP/IP connection between the debugger application and the target VM. With the socket transport, the debugger application and target VM can reside either on the same machine or on different machines.
The socket transport is identified through a unique string, dt_socket.


  2. Shared Memory Transport
In addition to the socket transport, the JPDA reference implementation provides a shared memory transport on the Microsoft Windows platform. The shared memory transport uses a shared memory region to exchange JDWP packets between the debugger application and the target VM. With the shared memory transport, the debugger application and target VM must reside on the same machine.
The shared memory transport is identified through a unique string, dt_shmem.

Server
The option server=y opens a socket and listens for incoming debugger requests (CQ acts as the server).
With server=n, the debugged application actively tries to connect to a debugger and therefore runs as a client.


Suspend

The JVM debug parameters include one called "suspend", which takes the value "y" or "n". If you want to debug the process from the start, set "suspend=y" and your Java application will wait until Eclipse connects to it remotely. Otherwise, if you want to run your program and connect Eclipse later, set "suspend=n"; your Java application will run normally and, once Eclipse has connected remotely, it will stop on breakpoints. (The default value is suspend=y if not specified.)
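A parser for the sub-option format described above, useful for checking which JVM command lines open a debug socket and whether they wait for a debugger. This is an added example, not part of the original post. The last two sample command lines are constructed, and server=n is taken as the agent's default when the sub-option is absent.

```python
import shlex

# suspend=y is the default stated above; server=n is the agent's default.
DEFAULTS = {"server": "n", "suspend": "y"}
PREFIXES = ("-agentlib:jdwp=", "-Xrunjdwp:")

# Sample command lines: the first two use option strings from this page,
# the last two are constructed for the example.
SAMPLES = [
    "java -Xmx1024m -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=30305 -jar cq-publish-p4503.jar",
    "java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=30303 -jar cq-publish-p4503.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,address=8000 -jar app.jar",
    "java -Xmx1024m -jar app.jar",
]

def parse_jdwp(cmdline):
    """Return the JDWP sub-options of a java command line as a dict, or None."""
    for token in shlex.split(cmdline):
        if token == "-jar":
            return None          # later tokens belong to the application
        for prefix in PREFIXES:
            if token.startswith(prefix):
                opts = dict(DEFAULTS)
                for item in token[len(prefix):].split(","):
                    name, _, value = item.partition("=")
                    if name:
                        opts[name.strip()] = value.strip()
                return opts
    return None

def debug_listeners(cmdlines):
    """List (address, suspend) for every JVM that opens a debug socket."""
    found = []
    for cmdline in cmdlines:
        opts = parse_jdwp(cmdline)
        if opts and opts.get("transport") == "dt_socket" and opts["server"] == "y":
            found.append((opts.get("address", ""), opts["suspend"]))
    return found

if __name__ == "__main__":
    for address, suspend in debug_listeners(SAMPLES):
        print(f"debug socket on {address}, suspend={suspend}")
```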


Source and References

http://javarevisited.blogspot.in/2011/11/hotspot-jvm-options-java-examples.html