Temporarily bypass a closed user group page within a servlet

Question

Hello,I have a page, which is protected with a closed user group. Now I need to get the HTML-Markup of this (protected) page via a servlet.The difficulty here is, that the user should not need to be logged in. I know it sounds weird, to protect a page just to make it vulnerable again through a servlet, but it is the customers wish. :)My first step to solve this, was to create this servlet and use a RequestDispatcher object, which calls the "/content/.../targetpage.html":StringWrapper responseWrapped = new StringWrapper(response); RequestDispatcher dispatcher = request.getRequestDispatcher("/content/blah/protectedsection/targetpage.html"); dispatcher.include(request, responseWrapped); String markup = responseWrapped.toString();This works as expected: The RequestDispatcher calls the given resource and delivers the constructed HTML into my String object which I then can use for things to come.But this works just as long as I am logged in. As soon as I logout, i.e. lose my sling authentication, the RequestDispatcher does not deliver anything. This is because it is just using the actual request of the user calling the servlet (who is not authenticated).What I need, would be something like an internal "RequestDispatcherWithCredentials" (which does not exist, of course) which can access at least the pages I need.Maybe there is a possibility to get administrative privileges temporarily within the servlet? For example, I know how to get an admin session and how to access any node within the jcr - independently from the credentials of the actual user. So there should be also a way to bypass closed user groups to get final HTML markup... I hope.Has anyone an idea how I could solve this?Thanks in advance for your help!Florian

JustinEd3 · Accepted Answer

Hi Florian,First off, let's just get this out of the way - this is a bad idea. You shouldn't do it. But you know that alreadyThe way to handle this requirement is using the SlingRequestProcessor interface (http://sling.apache.org/apidocs/sling6/org/apache/sling/engine/SlingRequestProcessor.html). You'll also want to use the RequestResponseFactory to create synthetic request and response objects (http://dev.day.com/docs/en/cq/current/javadoc/com/day/cq/contentsync/handler/util/RequestResponseFactory.html).The code would look like this (ignoring service injections and error handling):HttpServletRequest request = requestResponseFactory.createRequest("GET", "/content/blah/protectedsection/targetpage.html"); ByteArrayOutputStream baos = new ByteArrayOutputStream(); HttpServletResponse response = rrFactory.createResponse(baos); ResourceResolver resolver = resourceResolverFactory.getAdministrativeResourceResolver(null); requestProcessor.processRequest(request, response, resolver); resolver.close();HTH,JustinP.S. Don't do this

flkr · Answer

Hi Justin,thanks for your help!I am still in the process of trying it out, but not yet getting it to run. (NullPointerException for any reason) ;)I have to take more time on friday (tomorrow areholidays in Germany).I'll update this post then.Thanks again!Florian

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded