Skip navigation
Currently Being Moderated

Querybuilder.json servlet and authorization

May 2, 2012 7:05 PM

Tags: #search #query #querybuilder

Hi all,


Does the querybuilder.json servlet acknowledges the user authorization when searching? Can I pass user credential so the Querybulider.json will only return what that user suppose to see ?  If yes, how do i pass user credential via URL ?


Any pointers would be greatly appreciated.

  • Currently Being Moderated
    May 3, 2012 12:05 AM   in reply to cqlearner



    querybuilder.json is like every other http service given by cq, authorizing only registered credentials (among which is anonymous)  and retrieving the data that associated JCR session is allowed to read.


    if you are in a secured network, or just playing with features, you can use basic auth, e.g.




    or through curl :


    curl -u admin:admin http://localhost:4502/...


    There are other ways of authentication (see login page code e.g.)

    Mark as:
  • Currently Being Moderated
    May 3, 2012 7:01 AM   in reply to cqlearner

    The query builder runs in the user's session and uses the normal jcr query underneath, so all ACLs are respected. I guess your ACLs are not what you think they are.

    Mark as:
  • Currently Being Moderated
    May 3, 2012 8:50 AM   in reply to cqlearner

    Yes a publish instance must be readable for an anonymous user, whereas an author instance isn't.


    Depending on the runmode (cf. _Configs_for_Fun_and_Profit.pdf) the author runmode will redirect anonymous to the login if a resource is not readable to him, the publish runmode will just finish here (and retrieve 404).

    Mark as:
  • Currently Being Moderated
    May 3, 2012 12:19 PM   in reply to cqlearner

    As noted, ACLs you create on the author don't get over to a publish automatically, and all activated content is readable by anonymous by default, assuming a public website.


    You probably want to look into "closed user groups" to set up ACLs and custom logins on the publish.


    Mark as:
  • Justin Edelson
    276 posts
    Nov 24, 2010
    Currently Being Moderated
    May 3, 2012 1:09 PM   in reply to cqlearner

    by definition, you can't "run publish instance in author mode"


    CUG are the right mechanism to define an ACL on author and have it apply on publish (after replicating the page).

    Mark as:

More Like This

  • Retrieving data ...

Bookmarked By (0)

Answers + Points = Status

  • 10 points awarded for Correct Answers
  • 5 points awarded for Helpful Answers
  • 10,000+ points
  • 1,001-10,000 points
  • 501-1,000 points
  • 5-500 points