3

I'm using a sling servlet. In that I'm using javax.jcr.Session as a reference. After taking a build and when I see in system/console/components, I'm seeing the following error

Reference session ["Unsatisfied","Service Name: javax.jcr.Session","Cardinality: 1..1","Policy: static","Policy Option: reluctant","No Services bound"]

How can I solve this?

Devid Farinelli
Vijay

2 Answers

4

javax.jcr.Session is not a service component, therefore you cannot reference it (see http://felix.apache.org/documentation/subprojects/apache-felix-maven-scr-plugin/scr-annotations.html#reference) with @Reference.

If you need the current user session, you can extract it from the SlingHttpServletRequest object like this:

Session session = slingHttpServletRequest.getResourceResolver()
                    .adaptTo(Session.class);

If you need the session of a different user (a technical user with "better" rights maybe), you could use the ResourceResolverFactory, which is a service that can be referenced.

Oliver Gebert
3

javax.jcr.Session is not a service and thus can not be injected with @Reference annotation.

To get the session you could do the following:

In AEM 6.x, you are supposed to use code like this.

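import java.util.HashMap;
import java.util.Map;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;

/**
 * Gets the service resource resolver.
 *
 * @param resourceResolverFactory the factory service used to log in.
 * @return resourceResolver.
 * @throws LoginException - exception if unable to login to repo.
 */
public static ResourceResolver getServiceResourceResolver(ResourceResolverFactory resourceResolverFactory) throws LoginException {
    final Map<String, Object> authParam = new HashMap<>();
    // APPLICATION_READER_SUBSERVICE is a constant from the answerer's code base (not shown in the post).
    authParam.put(ResourceResolverFactory.SUBSERVICE, APPLICATION_READER_SUBSERVICE.value());

    // The caller is responsible for closing the returned resolver.
    return resourceResolverFactory.getServiceResourceResolver(authParam);
}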

You could refer here for a sample implementation of the above approach

Ameesh Trikha
  • Why should he get a service resource resolver in a servlet? The response object has its own session bound resource resolver and you can extract the session directly from that one. – Oliver Gebert Jul 15 '16 at 11:54
  • True, for most of the use-cases the resource resolver from request could be used to get session in a servlet. My view is that for anything that doesn't require Node manipulation on publish can be done w/o a need of session using sling API. The session you will get on publish will be with rights of anonymous user and won't have any write rights to it. So if there is need of session for CRUD or workflow trigger it's best not to use the session from Resource resolver from request – Ameesh Trikha Jul 15 '16 at 11:57
  • @AmeeshTrikha I consider this a bad practice and opens up vulnerabilities. On a publish access is usually anonymous and this should never have write access and on an author the user is authenticated and if his privileges don't allow him to write in a specific space this shouldn't be overruled. Administrative or technical user sessions only make sense in scheduled jobs and event listeners. – Thomas Jul 19 '16 at 08:31
  • @Thomas - I am not sure how is it different from what I have said. To explain further the context from where I am coming - 1) JCR API is low level API and Sling API wraps around it. The code in servlet comes in context of Sling and it makes a cleaner code to stay with Sling API than moving to JCR one. Now continuing with the same comes the second aspect - 2) Session is required in case you want to do repository manipulation which is not limited to UserManagement, Workflow initiation, Maintenance Jobs etc or any system user interaction. – Ameesh Trikha Jul 19 '16 at 13:23
  • In all of these cases your anonymous session will not have sufficient privileges to perform the needed actions. So you will need a system user based Session or resourceResolver to work with. That said, it's up to the developer to make sure that the system user used/created serve a specific purpose and have rights to perform its intended tasks only. AEM 6.x OOTB itself uses number of system users to perform certain tasks. In the given use-case it's a servlet (assuming it's to be used at publish) if really needs session and can not work with Resolver only then it needs more than anonymous session – Ameesh Trikha Jul 19 '16 at 13:27
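
The two ways of obtaining a session described in the answers above, side by side in one servlet, as an added example that is not code from either answerer. The servlet path and the "example-reader" sub-service name are hypothetical, and the sub-service is assumed to be mapped to a narrowly scoped system user for the bundle.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import javax.jcr.Session;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;

// Added example. The servlet path and the "example-reader" sub-service name are
// hypothetical; the sub-service must be mapped to a system user for this bundle.
@SlingServlet(paths = "/bin/example/session", methods = "GET")
public class SessionExampleServlet extends SlingSafeMethodsServlet {

    // ResourceResolverFactory is an OSGi service, so @Reference can bind it.
    @Reference
    private ResourceResolverFactory resolverFactory;

    @Override
    protected void doGet(SlingHttpServletRequest request,
                         SlingHttpServletResponse response) throws IOException {
        // Session of the requesting user. Sling owns it: do not log it out.
        Session userSession = request.getResourceResolver().adaptTo(Session.class);
        String user = userSession != null ? userSession.getUserID() : "unknown";

        Map<String, Object> auth = Collections.<String, Object>singletonMap(
                ResourceResolverFactory.SUBSERVICE, "example-reader");
        ResourceResolver serviceResolver = null;
        try {
            // Session of the mapped system user, limited to that user's ACLs.
            serviceResolver = resolverFactory.getServiceResourceResolver(auth);
            Session serviceSession = serviceResolver.adaptTo(Session.class);
            response.setContentType("text/plain");
            response.getWriter().printf("request user: %s, service login: %s%n",
                    user, serviceSession != null ? "ok" : "no JCR session");
        } catch (LoginException e) {
            // No service-user mapping for this bundle, or the system user is missing.
            response.sendError(SlingHttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        } finally {
            if (serviceResolver != null) {
                serviceResolver.close(); // resolvers we open must be closed
            }
        }
    }
}
```

The request-bound session carries exactly the caller's permissions, while the service resolver carries the system user's, so any work done through the latter needs its own authorization check on the request.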