Welcome to 2024: Advice on Sling Models
Greetings to the new year, 2024! Let’s kick off with some valuable advice on Sling Models that can make implementation easier on your end.
The Sling Model Exporter uses the Jackson framework to serialize an object graph, starting with the requested Sling Model as its root. Jackson walks that graph recursively, serializing the model's public and protected members and the return values of its simple getters, and then does the same for every object it reaches that way. This works well when the model is designed with export in mind, but small mistakes have outsized consequences: a missing property is easy to notice in the JSON, whereas over-serialization (exporting objects the consumer was never meant to see) usually goes undetected until it causes a security or stability problem.
In my quest to enhance performance, I've been exploring the ResourceResolver.getPropertyMap() API for implementing a per-resource-resolver cache. During testing, I encountered customer code in which the ResourceResolver itself was serialized into JSON by the Sling Model Exporter:
```java
import javax.annotation.PostConstruct;

import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.models.annotations.Exporter;
import org.apache.sling.models.annotations.Model;
import org.apache.sling.models.annotations.injectorspecific.Self;

// Problematic model: the resolver is exposed through a public getter,
// so the Jackson exporter serializes the whole ResourceResolver.
@Model(adaptables = Resource.class)
@Exporter(name = "jackson", extensions = "json")
public class MyModel {

    @Self
    Resource resource;

    ResourceResolver resolver;

    @PostConstruct
    public void init() {
        resolver = resource.getResourceResolver();
    }

    // Jackson treats this simple getter as a property named "resolver"
    // and follows it into the ResourceResolver object graph.
    public ResourceResolver getResolver() {
        return resolver;
    }
}
```
This approach is problematic for two main reasons:
- Security: Serializing the ResourceResolver exposes internal state to every consumer of the JSON, including its property map, the configured search paths, and the user ID the resolver is acting as. Anyone who can request the `.model.json` rendering of the resource receives this data.
- Exceptions: Jackson's walk of the ResourceResolver can reach implementation classes that are not exported from their OSGi bundles, which triggers ClassNotFound exceptions and turns the export into a broken response or an internal server error.
Therefore, I strongly advise against serializing a ResourceResolver. To address this issue, a two-step mechanism has been introduced:
- In the latest AEM as a Cloud Service release, 14697, a warning message is logged whenever a model definition causes a ResourceResolver to be serialized.
- The Sling Model Exporter can additionally block ResourceResolver serialization outright, which prevents both the data exposure and the exceptions described above.
It's crucial to act on the warning now and update your code so that no ResourceResolver is reachable from the exported object graph. Stay tuned for the activation of the second step in 2024.
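Because over-serialization is hard to spot by looking at the JSON, it helps to check the export surface statically. The following is an added example (not code from the post or from Apache Sling/AEM) that does two things: it shows a corrected model in which the resolver stays private and the only Resource-typed accessor is hidden with `@JsonIgnore`, and it uses Jackson's own bean introspection to walk the properties the exporter would serialize from a model class and report every path that ends in a ResourceResolver. The walk is purely type-based, so it runs without a Sling runtime; only jackson-databind, the Sling API and Sling Models API jars need to be on the classpath. `LeakyModel`, `SafeModel`, `ExportSurfaceCheck` and the `findResolverPaths` method are names invented for this example.

```java
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.databind.BeanDescription;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.introspect.BeanPropertyDefinition;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.models.annotations.Exporter;
import org.apache.sling.models.annotations.Model;
import org.apache.sling.models.annotations.injectorspecific.Self;

import javax.annotation.PostConstruct;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class ExportSurfaceCheck {

    /** Corrected model: the resolver is private with no getter, so Jackson never sees it. */
    @Model(adaptables = Resource.class)
    @Exporter(name = "jackson", extensions = "json")
    public static class SafeModel {
        @Self
        private Resource resource;
        private ResourceResolver resolver; // used internally only, never exported
        private String title;

        @PostConstruct
        protected void init() {
            resolver = resource.getResourceResolver();
            title = resource.getValueMap().get("jcr:title", String.class);
        }

        public String getTitle() { return title; }

        // A Resource has a getResourceResolver() getter, so exporting the Resource
        // would export the resolver transitively; hide the accessor from Jackson.
        @JsonIgnore
        public Resource getResource() { return resource; }
    }

    /** Hypothetical model with the problematic shape: a public getter returning the resolver. */
    public static class LeakyModel {
        public String title;
        public ResourceResolver getResolver() { return null; } // value irrelevant; the check is type-based
    }

    /** Returns the property paths (e.g. "$.resolver") through which a ResourceResolver would be serialized. */
    public static List<String> findResolverPaths(Class<?> root) {
        ObjectMapper mapper = new ObjectMapper();
        List<String> hits = new ArrayList<>();
        walk(mapper, mapper.constructType(root), "$", new HashSet<>(), hits);
        return hits;
    }

    private static void walk(ObjectMapper mapper, JavaType type, String path,
                             Set<Class<?>> seen, List<String> hits) {
        Class<?> raw = type.getRawClass();
        if (ResourceResolver.class.isAssignableFrom(raw)) {
            hits.add(path);
            return;
        }
        if (type.isContainerType()) {               // collections, maps, arrays: inspect the element type
            JavaType content = type.getContentType();
            if (content != null) walk(mapper, content, path + "[*]", seen, hits);
            return;
        }
        // Stop at JDK types and at classes already visited (object graphs usually contain cycles).
        if (raw.isPrimitive() || raw.getName().startsWith("java.") || !seen.add(raw)) return;

        // Ask Jackson which properties it would serialize for this type; this honours
        // field visibility and @JsonIgnore exactly as the exporter's ObjectMapper would.
        BeanDescription desc = mapper.getSerializationConfig().introspect(type);
        for (BeanPropertyDefinition prop : desc.findProperties()) {
            if (!prop.couldSerialize()) continue;
            walk(mapper, prop.getPrimaryType(), path + "." + prop.getName(), seen, hits);
        }
    }

    public static void main(String[] args) {
        System.out.println("LeakyModel: " + findResolverPaths(LeakyModel.class)); // [$.resolver]
        System.out.println("SafeModel:  " + findResolverPaths(SafeModel.class));  // []
    }
}
```

Running `findResolverPaths` over every exported model class in a unit test (failing the build when the list is non-empty) catches the problem before the exporter does, and the reported path tells you which getter or field to make private or annotate with `@JsonIgnore`. The check uses a plain `ObjectMapper`; if your `@Exporter` passes Jackson options that change visibility, configure the mapper in the check the same way so the two agree.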
Update (January 19, 2024): Official AEM documentation now covers this topic as well.