Saturday, 7 May 2022

Application security testing within AEM Boundary and Tools

The evolution of AEM from on-premise/AMS deployments to AEM as a Cloud Service has removed some security concerns, since Adobe now operates the platform, but there are still areas an AEM architect must own when code moves to production.

Role of Application Security Testing (AST)
Application security is a major consideration when new design techniques are adopted and DevSecOps practices are expected. Application Security Testing (AST) tools are available on-premise, in the cloud or as a SaaS offering. The current market consists of AST tools offering core testing capabilities, which can be static, dynamic or interactive, plus various optional, specialised capabilities.


Below is a brief summary of the AST techniques.
    
Static AST (SAST): SAST analyzes an application's source, bytecode or binary code for security vulnerabilities, mainly during the development and testing phases. For AEM this covers the Java in the OSGi bundles, the HTL scripts and the client libraries.
   
Dynamic AST (DAST): DAST analyzes applications in their running state, mainly during the testing and operational phases.
DAST simulates attacks against the running web application (the AEM publish tier behind the dispatcher) and the APIs exposed within the boundary of the AEM application.
   
Software composition analysis (SCA): SCA identifies the open-source and, less frequently, commercial components in use within an AEM application (the Maven dependencies embedded in the deployed bundles and the front-end packages in client libraries). From this, known security vulnerabilities, potential licensing concerns and operational risks can be identified.

Interactive AST (IAST): IAST instruments a running application, for AEM via an agent in the Java Virtual Machine (JVM), and examines its operation to identify vulnerabilities.

Fuzzing: Fuzz testing relies on providing random, malformed or unexpected input to a program to identify potential security vulnerabilities, for example memory leaks, buffer overflows or application crashes.

Mobile AST (MAST): MAST generally uses traditional testing approaches (e.g., SAST and DAST) that have been optimised for the languages and frameworks commonly used to develop mobile and/or Internet of Things (IoT) applications. Since AEM often delivers content to mobile and IoT clients, these techniques should also be considered.

Some of the market leaders in AST

There are many AST tools on the market; below is the set we came across during our evaluation.
Synopsys, Checkmarx, Veracode, Contrast Security, Invicti and Data Theorem are some of the options that can be considered for application security testing.

Please comment if you have come across any other tools suitable for AEM projects.

Conclusion
The architectural thinking should cover the selection of tools available on the market, the time frame for testing, the frequency of testing and the depth of penetration testing.

Tool selection must also factor in pricing versus a freemium model, support for low-code applications, notification and alert strategies, language coverage, IDE and dashboard support, customer experience etc.


Monday, 7 February 2022

Understanding Adobe WorkFront & Its use with AEM

What is Adobe WorkFront?
Workfront is a work management application that helps organizations organize all of their work in a single location.
 

Workfront helps manage projects, assign tasks, manage resources and documents, allocate budgets and generate various reports and analytics. The tool basically helps standardize processes and establish governance within an organization.

Using this tool, a project manager can create projects and related tasks, assign tasks to the team, set end dates etc. The project status section captures the full status of a project, based on details that end users update manually within the system.


What are the default capabilities of Workfront?
Workfront by default provides project templates, custom forms and approval workflows, all of which are highly customizable.

Below is a list of Workfront capabilities:

  • Agile Storyboard Management,
  • Resource Management,
  • Project Management and Tasks Management,
  • Project planning and scheduling,
  • Time tracking,
  • Manage Budgeting, Projections and Spendings,
  • Status tracking,
  • Task management and progress tracking,
  • Milestone, Time and Expense tracking,
  • Alerts and notifications,
  • Custom Dashboards


Workfront integration with AEM

Workfront can be easily integrated with Adobe Experience Manager. Using Workfront, we can create projects and tasks (for example a marketing promotion project and its subtasks, such as asset design), and once assets are ready they can be pushed to AEM. Once the systems are connected, asset metadata can be enriched on either side while syncing (push and pull) AEM assets with Workfront.

AEM-specific features within Workfront
Project linked folders help organize folders and taxonomy between AEM and Workfront. We can also create folders, subfolders and metadata, and link or sync them between AEM and Workfront.

Metadata sync capability

This feature syncs metadata between AEM and Workfront.
We can create an AEM metadata schema (Workfront asset details) and send it to Workfront. Once linked, the metadata view of an AEM asset gains a Workfront Asset Details tab where all synced metadata appears.

Versioning between AEM and Workfront
Asset versions are maintained and managed consistently between AEM and Workfront.

Content Creation and Sync
We can create a task for content creation, and this content can be made available in AEM as a content fragment model.
Once done, using the same project ID (content fragment model + project ID), the specific assets can be authored on a page.

Automation
Actions can trigger activity on both the AEM and the Workfront side.

The AEM workflow engine can be used to update Workfront tasks, attach custom forms to any of the work types, automate publishing events based on predefined conditions etc. Once the connector is configured, AEM workflows can include steps that perform specific actions on Workfront.

Which versions of AEM are supported with Workfront?
Workfront works with AEM 6.4 through AEM as a Cloud Service.

Workfront License
Here we look at how Workfront licenses and access levels are tied together.
There are 4 types of paid Workfront licenses, which allow different levels of access to Workfront. Each access level is attached to one of these licenses.

As a Workfront administrator, instead of assigning a license to a user, we assign them the access level attached to that license.


License     - Associated access level
----------    ------------------------
Plan        - System Administrator
            - Planner
Work        - Worker
Review      - Reviewer
Request     - Requestor
External    - External User [Note: not a paid license. Designed mainly for sharing documents with collaborators who don't use Workfront.]

How to add users to Workfront

If the organization has been onboarded to the Adobe Business Platform, this is done through the Adobe Admin Console. Various operations are available within Workfront user management, for example granting a user admin access, adding a user, deactivating, deleting, editing, bulk editing and importing users.

What are all the access types available in Workfront?
There are 6 built-in access levels, each designed for a particular type of user:

  1. System Administrator (attached to the Plan license)
  2. Planner (attached to the Plan license) - users who create and manage work (plan and manage projects, build and share reports, add users, edit project templates, create portfolios)
  3. Worker (attached to the Work license) - a regular employee who works on the project tasks assigned by a manager
  4. Reviewer (attached to the Review license)
  5. Requestor (attached to the Request license)
  6. External User (attached to the External Email license)

Permissions on Workfront objects
Edit      - Users can create, edit, delete and share the Workfront object
View      - Users can review and share the Workfront object
No Access - Users cannot access the Workfront object

Custom Permissions
If we need a custom Planner, Worker, Requestor or Reviewer access level, we can copy the built-in access level and decide how much access it grants for the various Workfront object types.

For the users who are assigned to it, an access level defines what they can see and do with the following object types and areas in Workfront:

  • Projects
  • Tasks
  • Issues
  • Portfolios
  • Reports, Dashboards, and Calendars
  • Filters, Views, and Groupings
  • Documents
  • Other users
  • Templates
  • Financial Data
  • Resource Management
  • Scenario Planner
  • Workfront Goals



SSO and Active Directory integration with Workfront

Active Directory and LDAP support

Adobe Workfront can be configured with SAML 2.0 or SAML 1.1 using ADFS, and also with Azure Active Directory. Adobe always recommends SAML 2.0 (SAML 1.1 is a legacy option).

Workfront provides a centrally managed single sign-on (SSO) configuration that integrates Workfront with an existing corporate SSO solution. This configuration is easy to set up and manage, and is available for both OnDemand and OnPremise Enterprise customers.

In order to use the SSO functionality in Workfront, the organization needs an identity provider that authenticates users against its directory (for example ADFS in front of Active Directory, or an IdP backed by LDAP); Workfront is then configured to trust that identity provider. The directory itself is not the SSO endpoint, it is what the identity provider checks credentials against.

If the organization has been onboarded to the Adobe Business Platform, users access Adobe Workfront through the Adobe Business Platform and user management is done through the Adobe Admin Console. In other words, single sign-on (SSO) is handled through the Adobe Business Platform rather than through Workfront.

In that case SSO is automatically enabled as part of the integration, and no separate configuration is required.

User Onboarding by import
If an existing system is already populated with users associated with SSO credentials, we can import the users' IDs into Workfront from a comma-separated values (CSV) file.

Third Party Integrations
We can integrate Adobe Workfront with third-party applications. These integrations can extend the utility of Workfront. 


Built-in integrations

We can configure integrations directly from Workfront, or from another application by installing the Workfront add-in for that application.

Built-in integrations cover many of the most common apps used by businesses, such as Dropbox, Slack, Google Drive, or Adobe products such as the Adobe Creative Cloud or Adobe Experience Manager Assets.

Custom OAuth2 applications
Workfront administrators can create OAuth2 applications for their instance of Workfront, which allow other applications to access Workfront. Admin users can then give those applications permission to access their Workfront data. In this way, we can integrate Workfront with applications of our choice, including our own in-house applications.

Workfront API
Workfront offers a public API that lets you extend and enhance the Workfront experience. The goal of the Workfront API is to simplify building your own integrations with Workfront by providing a RESTful architecture that operates over HTTP.

Webhooks
Adobe Workfront Document Webhooks define a set of API endpoints through which Workfront makes authorized API calls to an external document provider. This allows anyone to create a connector plugin for any document storage provider.

What is Workfront Fusion?

Workfront Fusion connects Workfront with other platform applications by letting you automate workflows across multiple apps and web services (scenarios in which the apps work together to execute a task). It provides a visual user interface to configure workflows, and development knowledge is not mandatory.

Conclusion
Workfront improves operational efficiency and accuracy while reducing the need for additional resources by enabling more automation.

The integration between AEM and Workfront is mainly around the AEM assets capability at present.

Good read on WorkFront
How To Master Your Marketing Workflow

Create roles & permission in Workfront



Friday, 12 November 2021

AEM With Brand Portal

Below is a step-by-step video tutorial on the uses and features of Brand Portal, integrating AEM with Brand Portal, and how to work in Brand Portal.

Introduction to Adobe Brand Portal - Video 1

Difference between Brand Portal, Dynamic Media and Asset Share Commons - Video 2

Brand Portal User Interface Walk-through - Video 3

Integrate AEM with Brand Portal - Video 4

Asset Sourcing in Brand Portal - Video 5

Search and filtering in Brand Portal - Video 6

Report Generation in Brand Portal -Video 7

Generate reports of a user's last log-in in AEM

There are cases where we need to generate reports of a user's last log-in to AEM, for example to find dormant accounts before an access review.

I have seen many help blogs but none of them worked for me. Below is an approach that worked for me.

Approach

Using the Sling AuthenticationInfoPostProcessor service in combination with ACS AEM Commons reports makes such a report easy to generate. The post processor stamps a timestamp on the user's profile when the user logs out, so the recorded value is really the last active time; a session that simply expires without an explicit logout is not recorded. This was tested on AEM 6.5.

Step 1: Deploy the Java class below, which captures the lastLoggedIn information.
    

Java class that captures the user's last login and updates the user node

Note: Modify the conditions as per your project requirement.

--Java class START ---

package yourpackage.core.services;

import java.text.SimpleDateFormat;
import java.util.Date;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.AuthenticationInfoPostProcessor;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Writes the profile/lastLoggedIn property on the node of the user who is
 * logging out; the last logout is taken as the user's last active time in AEM.
 * Sling calls postProcess for every authenticated request, so the method returns
 * early unless the request is the logout request (condition 1) and skips the
 * anonymous user (condition 2). Adjust both conditions to the project's needs.
 */
@Component(name = "UserProfileService", service = AuthenticationInfoPostProcessor.class, immediate = true)
public class UserProfileService implements AuthenticationInfoPostProcessor {

    private static final Logger LOGGER = LoggerFactory.getLogger(UserProfileService.class);

    // Condition 1: only the logout request updates the property
    private static final String LOGOUT_PATH = "/system/sling/logout.html";
    // Condition 2: the anonymous user is not tracked
    private static final String ANONYMOUS_ID = "anonymous";
    private static final String LAST_LOGIN_PROPERTY = "profile/lastLoggedIn";

    @Reference
    private ResourceResolverFactory resourceResolverFactory;

    @Override
    public void postProcess(AuthenticationInfo info, HttpServletRequest request, HttpServletResponse response)
            throws LoginException {

        // Skip unauthenticated requests and everything that is not a logout
        if (info == null || info.getAuthType() == null
                || request == null || request.getServletPath() == null
                || !LOGOUT_PATH.equals(request.getServletPath())) {
            LOGGER.debug("Not an authenticated logout request; skipping last-login post processing.");
            return;
        }

        // The resolver is opened with the user's own credentials; try-with-resources
        // closes it, which also logs out the underlying JCR session.
        try (ResourceResolver resourceResolver = resourceResolverFactory.getResourceResolver(info)) {
            Session session = resourceResolver.adaptTo(Session.class);
            UserManager userManager = resourceResolver.adaptTo(UserManager.class);
            if (session == null || userManager == null) {
                return;
            }
            Authorizable auth = userManager.getAuthorizable(session.getUserID());
            if (auth == null || ANONYMOUS_ID.equals(auth.getID())) {
                return;
            }
            SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSXXX");
            LOGGER.info("Recording last active time for user {}", auth.getID());
            // The profile gets a new (or updated) property with the current time
            auth.setProperty(LAST_LOGIN_PROPERTY,
                    session.getValueFactory().createValue(sdf.format(new Date())));
            session.save();
        } catch (LoginException | RepositoryException e) {
            // A failed bookkeeping write must never block the logout itself
            LOGGER.error("Could not record last login time", e);
        }
    }
}

--Java class END---

 
In my case I used the conditions below.
(*Your condition 1*) - !request.getServletPath().equals("/system/sling/logout.html")
(*Your condition 2*) - !auth.getID().equals("anonymous")
  

Step 2: ACS Commons report
In ACS AEM Commons Reports, create a new report with a query of type JCR-SQL2:



SELECT * FROM  [rep:User] as nodes WHERE  ISDESCENDANTNODE("/home/users")
AND nodes.[profile/lastLoggedIn] IS NOT NULL
AND NOT ISDESCENDANTNODE([/home/users/community])
AND NOT ISDESCENDANTNODE([/home/users/mac])
AND NOT ISDESCENDANTNODE([/home/users/rep:policy])
AND NOT ISDESCENDANTNODE([/home/users/screens])
AND NOT ISDESCENDANTNODE([/home/users/system])

Then configure the report columns for the properties to display (the user path and the profile/lastLoggedIn property).



Running the report now produces the list of users with their last recorded login time.
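As an added example (not part of the original post), the following Python script processes the rows of this report, exported as CSV, and flags the accounts a security reviewer actually wants to see: users whose recorded last login is older than a threshold, and users who have no value at all. The column names (path, profile/lastLoggedIn) and the sample rows are constructed for the example; the timestamp format is the one the Java class writes, including the literal Z that SimpleDateFormat emits for UTC, which datetime.fromisoformat only accepts from Python 3.11 onwards.

```python
"""Flag dormant AEM users from the last-login report.

Added example: parses rows of the ACS Commons report (exported as CSV) and
lists users whose profile/lastLoggedIn is older than a threshold or missing.
The column names and the sample rows are constructed for this example.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export: one row per rep:User node returned by the query.
SAMPLE_REPORT_CSV = """path,profile/lastLoggedIn
/home/users/a/alice,2022-05-01T08:15:30.123Z
/home/users/b/bob,2021-11-10T17:45:00.000+05:30
/home/users/c/carol,
/home/users/d/dave,2022-04-20T23:59:59.999-04:00
"""

# Reference date for the review (constructed): the day the report was run.
REPORT_DATE = datetime(2022, 5, 7, tzinfo=timezone.utc)


def parse_last_login(value):
    """Parse a timestamp written by SimpleDateFormat "yyyy-MM-dd'T'HH:mm:ss.SSSXXX".

    The XXX pattern emits a literal 'Z' for UTC, which datetime.fromisoformat
    only accepts from Python 3.11, so it is normalised to +00:00 first.
    Returns None when the property is empty (no logout recorded for the user).
    """
    value = (value or "").strip()
    if not value:
        return None
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def dormant_users(report_csv, now, max_idle_days=90):
    """Return [(path, last_login_or_None)] for users idle longer than max_idle_days.

    Users with no recorded value are reported too: since the property is only
    written on logout, they were never seen logging out since the post
    processor was deployed and need a manual check before being disabled.
    """
    cutoff = now - timedelta(days=max_idle_days)
    dormant = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        last = parse_last_login(row.get("profile/lastLoggedIn"))
        if last is None or last < cutoff:
            dormant.append((row["path"], last))
    return dormant


if __name__ == "__main__":
    for path, last in dormant_users(SAMPLE_REPORT_CSV, REPORT_DATE):
        print(f"{path}: last seen {last.isoformat() if last else 'never'}")
```

All timestamps carry an offset, so the comparison is done between timezone-aware datetimes; a value without an offset would raise rather than silently compare wrong.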






Tuesday, 9 November 2021

AEM Asset Upload Size restriction - How to overcome?

By default, AEM Assets accepts files smaller than 2 GB because of a file size limit in the upload UI. You can override this limit by opening CRXDE Lite and creating the overlay node under /apps described in the URL below.



Reference (configuration to upload assets larger than 2 GB):


https://experienceleague.adobe.com/docs/experience-manager-65/assets/managing/managing-video-assets.html?lang=en#configuration-to-upload-assets-that-are-larger-than-gb


Is there a limit on how large an asset can be uploaded?

The limit can be raised to 30 GB, as in the documented example. AEM itself does not impose a hard maximum; the practical limit comes from the infrastructure.

What do we need to ensure when changing the default behaviour?


  • When making this change, also review the OSGi request timeouts and the Dispatcher idle timeout, so that the connection stays open for the whole time the asset is uploading.
  • Also consider AEM's default asset processing (the DAM update workflow runs on every uploaded file) and the hardware configuration (disk, memory) while making this change.


How to fix traversal index issue in AEM

Recently I got an email from my AEM admin about an indexing issue. The email contained a log message like the one below.

"WARN* [qtp1832135175-163] org.apache.jackrabbit.oak.spi.query.Cursors$TraversingCursor Traversed 10,000 nodes with filter Filter(query=select * from [nt:base] where foo = 'bar', path=*, property=[foo=[bar]]); consider creating an index "

Sometimes while working on AEM we face traversal warnings. Oak only answers a query from an index when an index covers the node type, property or full-text restriction the query uses; a query on a custom property that no index covers falls back to traversing the repository node by node, which is what the warning reports. So to ensure our content is queried efficiently, we have to create index definitions under /oak:index and get them indexed. Such traversals also matter beyond performance: a query that walks a large part of the repository ties up the instance, so unindexed queries should not be reachable from untrusted input.

Below are the steps to fix index issues:

  • Use the Oak index definition generator to generate the index definition.
  • Add the definition as a node under /oak:index.
  • Trigger the reindex (set the reindex property of the definition node to true).

 
When we find an issue with a query (a traversal warning), we can use the tool below to analyze the query.
 

Query Performance tool URL

http://[AEM URL]:[PORT]/libs/granite/operations/content/diagnosistools/queryPerformance.html

If the analysis recommends indexing, we can use the Oak index tool below to generate the index definition.


Oak Index Definition Generator in AEM


http://oakutils.appspot.com/generate/index
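As an added example, not part of the original post or of the generator tool above, the Python script below does the first step of the procedure on the error.log itself: it finds the TraversingCursor warnings, pulls the node type and the restricted property names out of the Filter text, sums the traversed-node counts so the most expensive query comes first, and emits a minimal Oak property index definition for each property. The log lines are constructed for the example (error.log format, with the message from the email above), the index names such as fooIndex are assumed, and the definition is the standard oak:QueryIndexDefinition of type property with reindex=true, which can be created under /oak:index in CRXDE Lite; the generator tool's own output may differ.

```python
"""Turn Oak traversal warnings into candidate index definitions.

Added example: scans AEM error.log lines for the TraversingCursor warning,
extracts the queried node type and restricted property names, and emits a
minimal oak:QueryIndexDefinition (property index) per property. Sample log
lines are constructed; index names are assumed.
"""
import json
import re

# Constructed sample lines in AEM error.log format (one non-traversal line mixed in).
SAMPLE_LOG = """\
07.11.2021 10:15:23.001 *WARN* [qtp1832135175-163] org.apache.jackrabbit.oak.spi.query.Cursors$TraversingCursor Traversed 10,000 nodes with filter Filter(query=select * from [nt:base] where foo = 'bar', path=*, property=[foo=[bar]]); consider creating an index
07.11.2021 10:15:24.002 *INFO* [qtp1832135175-164] org.apache.sling.engine.impl.log.RequestLogger GET /content/site.html
07.11.2021 10:16:01.003 *WARN* [qtp1832135175-170] org.apache.jackrabbit.oak.spi.query.Cursors$TraversingCursor Traversed 25,000 nodes with filter Filter(query=select * from [nt:base] where foo = 'baz', path=*, property=[foo=[baz]]); consider creating an index
07.11.2021 10:17:09.004 *WARN* [qtp1832135175-171] org.apache.jackrabbit.oak.spi.query.Cursors$TraversingCursor Traversed 4,000 nodes with filter Filter(query=select * from [cq:PageContent] where [sling:vanityPath] = '/promo', path=*, property=[sling:vanityPath=[/promo]]); consider creating an index
"""

TRAVERSAL_RE = re.compile(
    r"Traversed (?P<count>[\d,]+) nodes with filter "
    r"Filter\(query=(?P<query>.*?), path=(?P<path>[^,]*), property=\[(?P<props>.*)\]\)"
)
NODETYPE_RE = re.compile(r"\bfrom \[(?P<type>[^\]]+)\]", re.IGNORECASE)
# Property restrictions in the Filter text look like  name=[value]  or  name=[v1, v2]
PROP_NAME_RE = re.compile(r"(?P<name>[\w:./-]+)=\[")


def parse_traversal_warnings(log_text):
    """Return one dict per traversal warning: count, node type, property names, query."""
    warnings = []
    for line in log_text.splitlines():
        m = TRAVERSAL_RE.search(line)
        if not m:
            continue
        nt = NODETYPE_RE.search(m.group("query"))
        warnings.append({
            "count": int(m.group("count").replace(",", "")),
            "nodetype": nt.group("type") if nt else "nt:base",
            "properties": sorted(set(PROP_NAME_RE.findall(m.group("props")))),
            "query": m.group("query"),
        })
    return warnings


def index_definitions(warnings):
    """Aggregate traversed-node counts per (node type, property) and build a
    minimal property index definition for each, most expensive first."""
    totals = {}
    for w in warnings:
        for prop in w["properties"]:
            if prop == "jcr:primaryType":  # covered by declaringNodeTypes, not a property index
                continue
            key = (w["nodetype"], prop)
            totals[key] = totals.get(key, 0) + w["count"]
    defs = []
    for (nodetype, prop), count in sorted(totals.items(), key=lambda kv: -kv[1]):
        definition = {
            "jcr:primaryType": "oak:QueryIndexDefinition",
            "type": "property",
            "propertyNames": [prop],
            "reindex": True,  # Oak resets this to false once reindexing is done
        }
        # nt:base means "any node"; only narrow the index for a specific type
        if nodetype.lower() != "nt:base":
            definition["declaringNodeTypes"] = [nodetype]
        # Assumed naming scheme: /oak:index/<property>Index
        name = re.sub(r"[^A-Za-z0-9]+", "", prop) + "Index"
        defs.append({"name": name, "traversed": count, "definition": definition})
    return defs


if __name__ == "__main__":
    print(json.dumps(index_definitions(parse_traversal_warnings(SAMPLE_LOG)), indent=2))
```

The aggregation is what makes the output useful: the same property can show up in many warnings with different values, and a single property index on foo serves all of them.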

 
How to validate that the index operation is done?

The reindex property on the index definition node is reset to false once reindexing has completed.

We can also validate it in the console under the diagnosis tools, Index Manager:
http://[AEM URL]:[PORT]/libs/granite/operations/content/diagnosistools/indexManager.html

Notes:

  • We can also use a synonym file to index synonyms in AEM (Lucene index).
  • Multiple index definitions can be created and reindexed together, but reindexing reads the whole repository and is I/O-heavy, so on large repositories plan it outside peak hours.


Monday, 8 November 2021

Fix package upload issue in AEM - use CURL command for package upload

While working on AEM, we sometimes get package upload errors in some browsers.




There can be multiple reasons for this. Nowadays companies run stringent checks (proxies, endpoint protection) on anything uploaded through a browser; we faced package upload issues on AEM while working remotely.

Below is an alternative way to upload packages to AEM using a curl command.

CURL Command
curl -u admin:admin -F package=@"name_of_package.zip" http://localhost:4502/crx/packmgr/service/.json/?cmd=upload

Where admin:admin is the credential of a user on the local instance, and name_of_package.zip is the package file to upload (change the name according to your case).

Note that a password given on the command line is visible in the shell history and in the process list of the machine; on anything other than a throwaway local instance, pass -u admin alone so that curl prompts for the password. The service answers with JSON that includes a success flag and a message, so check that rather than assuming the upload worked.

 

