Error when executing the hook under AEM 6.3

[santiagozky]

When executing the installhook under AEM 6.3 the following error happens

Caused by: javax.jcr.LoginException: Bundle biz.netcentric.cq.tools.accesscontroltool.bundle is NOT whitelisted at org.apache.sling.jcr.base.AbstractSlingRepository2.loginAdministrative(AbstractSlingRepository2.java:378) at biz.netcentric.cq.tools.actool.dumpservice.impl.DumpserviceImpl.createAclDumpMap(DumpserviceImpl.java:419)

This seems to be caused by the usage of repository.loginAdministrative. which now is not allowed unless the bundle calling it is explicitly whitelisted in org.apache.sling.jcr.base.internal.LoginAdminWhitelist

[kwin]

There are three solution approaches to this:

1. Whitelist the usage of of the administrative session (https://issues.apache.org/jira/browse/SLING-5135)
2. Use a dedicated service user for this. Not clear how to initially create it with the appropriate rights or whether an existing service user should be just reused. We would need to investigate which service user is available on all supported AEM versions.
3. Use the session of the underlying package installation

I would be in favour of 3. for the Vault Install Hook, but this not an option for JMX as there is no session/resourceresolver available there. So for JMX we should instead rely on 2.

[santiagozky]

I've created a PR with a proporsal for this issue. https://github.com/Netcentric/accesscontroltool/pull/177 it provides a service user, then it is easy to use loginService instead of loginAdministrative.

[ghenzler]

Fixed by #177, after some tests removed cloning of session in 821c4fa6d0a878f81d173f546d618982d7c88a19 to accommodate @kwin's suggestion.