0
votes

Or more specifically:

Given I am signed in as the 'admin' user, and I want to impersonate a user 'testSiteUser'

Given the 'testSiteUser' node (rep:User) does not have a protected String[] property called rep:impersonators set with a value containing admin

How do I update the protected property rep:impersonators such that it contains admin?

Once the user node has this set, I'm confident that setting a cookie sling.sudo should allow user impersonation (see the Apache Sling Authentication Service configuration).

What I have tried so far:

curl -F:name=testSiteUser -Fpwd=testSiteUser \
    -FpwdConfirm=testSiteUser \
    -F'rep:impersonators'=admin \
    -F'rep:impersonators'@TypeHint='String[]' \
    -u admin:admin \
    http://localhost:8080/system/userManager/user.create.html

Which responds with a 500:

javax.jcr.nodetype.ConstraintViolationException: Attempt to set an protected property rep:impersonators

According to the JCR spec:

16.3.12 Interaction with Protected Properties: Many features of JCR expose repository metadata as protected properties defined by mixin node types. For example, locking status is exposed by the properties jcr:lockOwner and jcr:lockIsDeep defined by mix:lockable. Changes to protected properties can only be made indirectly through a feature-specific API (for example, Node.lock), not through a generic write method like Node.setProperty. Such changes are not governed by the jcr:modifyProperties privilege, but rather by the particular feature-specific privilege, for example, jcr:lockManagement (see §16.2.3 Standard Privileges).

Perhaps the only way is to write my own Java code as shown below, but I'm pretty sure there should be a REST API to do this...

import java.security.Principal;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Impersonation;
import org.apache.jackrabbit.api.security.user.User;
Authorizable authorizable = userManager.getAuthorizable(user.getId());
Principal admin = userManager.getAuthorizable("admin").getPrincipal();
User jackrabbitUser = (User) authorizable;
Impersonation impersonation = jackrabbitUser.getImpersonation();
impersonation.grantImpersonation(admin); // writes rep:impersonators for us
session.save(); // the change is transient until the session is saved

Basically, rep:impersonators is a read-only property that is managed "indirectly through a feature-specific API". What is the API and procedure to do user impersonation using Apache Sling or Jackrabbit Oak?
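The feature-specific route from the question, written out as an added example (not code from the question, the answer, or any Sling/Jackrabbit project): it assumes you already hold an administrative JCR Session (for example from a Sling service), and ImpersonationAdmin is a hypothetical class name.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Impersonation;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

// Hypothetical helper class; not part of Sling, Jackrabbit or Oak.
public final class ImpersonationAdmin {
    // Adds (grant=true) or removes (grant=false) impersonatorId from the protected
    // rep:impersonators property of targetId through the feature-specific API.
    // Returns true only if the property was actually changed.
    public static boolean setImpersonator(Session session, String targetId,
            String impersonatorId, boolean grant) throws RepositoryException {
        UserManager um = ((JackrabbitSession) session).getUserManager();
        Authorizable target = um.getAuthorizable(targetId);
        Authorizable impersonator = um.getAuthorizable(impersonatorId);
        if (!(target instanceof User) || impersonator == null) {
            return false; // groups cannot be impersonated; impersonator unknown
        }
        Principal p = impersonator.getPrincipal();
        Impersonation imp = ((User) target).getImpersonation();
        // Both calls return false when nothing changed (already granted / not listed;
        // Oak also refuses to list an administrator, who may impersonate anyway).
        boolean changed = grant ? imp.grantImpersonation(p) : imp.revokeImpersonation(p);
        if (changed) {
            session.save(); // the change stays transient until the session is saved
        }
        return changed;
    }

    // Audit helper: principal names currently allowed to act as targetId.
    public static List<String> listImpersonators(Session session, String targetId)
            throws RepositoryException {
        List<String> names = new ArrayList<>();
        Authorizable target = ((JackrabbitSession) session).getUserManager().getAuthorizable(targetId);
        if (target instanceof User) {
            PrincipalIterator it = ((User) target).getImpersonation().getImpersonators();
            while (it.hasNext()) {
                names.add(it.nextPrincipal().getName());
            }
        }
        return names;
    }
}
```

Because an entry in rep:impersonators is equivalent to holding the target's session, listImpersonators is worth running as part of a periodic review of privileged accounts.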

1 Answer

0
votes

I understood your question as: you want to add an impersonator via a REST call.

As you already found, all security-related properties are protected, so they can only be manipulated via API calls and not written to directly.

But AEM already has a lot of specialized REST APIs for its own user interface. To find them, first perform the desired action in the normal AEM UI, then check with the browser's network inspector which HTTP request the browser made.

In your case, go to the classic user manager (http://localhost:4502/useradmin).

There you will find this curl:

curl 'http://localhost:4502/home/users/J/JfiFIrTqxwUamu2BvWj-' \
     -u admin:admin \
     -F_charset_=utf-8 \
     -FmemberAction=sudoers \
     -FmemberEntry=alex

In the example I added the impersonator alex for user alex2, so alex can impersonate alex2.

For the user alex you need the repository path, which is meanwhile encrypted for security reasons. But this path is easy to find with the QueryBuilder, for example with the following query:

http://localhost:4502/bin/querybuilder.json?path=%2fhome%2fusers&property=rep%3aauthorizableId&property.value=alex2&type=rep%3aUser

or via the QueryBuilder UI (http://localhost:4502/libs/cq/search/content/querydebug.html):

path=/home/users
type=rep:User
property=rep:authorizableId
property.value=alex2