Restrict access to links in Global navigation panel

We often have to tighten the link access in AEM to limit user access to only few links, like only Sites, Experience fragments.


For AEM 6.3 touch UI, if you wish to revoke access on a link in Global Navigation Panel, you will have to follow 2 steps:

  1. Revoke access on the icon that displays the link on Global Navigation Panel
  2. Revoke access on the link resource, so that you cannot access the URL from browser directly.

The following table lists both the icon path and resource that renders a link (Example: Sites, Projects, Screens etc). You would have to revoke read access on relevant paths to meet the customer needs.

Column details:

  • “Browser URL in AEM” is the URL that AEM redirects you to, when you click an item in Global navigation panel
  • “Node rendering the menu link”: Revoking read access on these nodes will assure that you cannot directly access the corresponding “Browser URL in AEM”
  • “Global Navigation Panel Icon”: Revoking read access on these nodes will assure that you cannot access the Menu item in Global Navigation Panel

Navigation Tab

Link Browser URL in AEM Node rendering the menu link Global Navigation Panel Icon
Projects /projects.html/content/projects /libs/cq/core/content/projects /libs/cq/core/content/nav/projects
Sites /sites.html/content /libs/wcm/core/content/sites /libs/cq/core/content/nav/sites
Experience fragments /aem/experience-fragments.html/content/experience-fragments /libs/cq/experience-fragments/content/experience-fragments /libs/cq/core/content/nav/experiencefragments
Screens /screens.html/content/screens /libs/screens/dcc/content/main /libs/cq/core/content/nav/screens
Files /assets.html/content/dam /libs/dam/gui/content/assets /libs/cq/core/content/nav/assets/files
Collections /libs/dam/gui/content/collections.html/content/dam/collections /libs/dam/gui/content/collections /libs/cq/core/content/nav/assets/collections
Shared links /libs/dam/gui/content/assets/mylinkshares.html /libs/dam/gui/content/assets/mylinkshares /libs/cq/core/content/nav/assets/links
Templates /libs/dam/gui/content/idsprint/templates.html/content/dam/templates /libs/dam/gui/content/idsprint/templates /libs/cq/core/content/nav/assets/templates
Catalogs /libs/dam/gui/content/idsprint/catalogs.html/content/dam/catalogs /libs/dam/gui/content/idsprint/catalogs /libs/cq/core/content/nav/assets/catalogs
Content Services
Apps /aem/apps.html/content/mobileapps /libs/mobileapps/admin/content/catalog /libs/cq/core/content/nav/contentservices/apps
Forms & documents /aem/forms.html/content/dam/formsanddocuments /libs/fd/fm/gui/content/forms /libs/cq/core/content/nav/forms/formsanddocuments
Themes /aem/forms.html/content/dam/formsanddocuments-themes /libs/fd/fm/gui/content/forms /libs/cq/core/content/nav/forms/themes
Activities /libs/cq/personalization/touch-ui/content/activities.html /libs/cq/personalization/touch-ui/content/activities /libs/cq/core/content/nav/personalization/activities
Offers /libs/cq/personalization/touch-ui/content/offers.html /libs/cq/personalization/touch-ui/content/offers /libs/cq/core/content/nav/personalization/offers
Audiences /libs/cq/personalization/touch-ui/content/audiences.html /libs/cq/personalization/touch-ui/content/audiences /libs/cq/core/content/nav/personalization/audiences
Catalogs /aem/catalogs.html/content/catalogs /libs/commerce/gui/content/catalogs /libs/cq/core/content/nav/commerce/catalogs
Products /aem/products.html/etc/commerce/products /libs/commerce/gui/content/products /libs/cq/core/content/nav/commerce/products
Collections /aem/collections.html/etc/commerce/collections /libs/commerce/gui/content/collections /libs/cq/core/content/nav/commerce/collections
Orders /aem/orders.html/etc/commerce/orders /libs/commerce/gui/content/orders /libs/cq/core/content/nav/commerce/orders
Sites /communities/sites /libs/social/console/content-shell3/sites /libs/cq/core/content/nav/communities/sites
Moderation /communities/moderation.html/content/sites /libs/social/moderation/content-shell3/admindashboard /libs/cq/core/content/nav/communities/moderation
Reports /communities/reports /libs/social/reporting/content-shell3/reports$1 /libs/cq/core/content/nav/communities/reports
Resources /communities/resources /libs/social/enablement/content-shell3/enablement-sites /libs/cq/core/content/nav/communities/resources
Groups /communities/groups.html/content /libs/social/members/content-shell3/groups /libs/cq/core/content/nav/communities/groups
Members /communities/members.html/content /libs/social/members/content-shell3/members /libs/cq/core/content/nav/communities/members

Tools Tab

Link Browser URL in AEM Node rendering the menu link Global Navigation Panel Icon
CRXDE Lite /crx/de/index.jsp /libs/cq/core/content/nav/tools/general/crxdelite
Search Forms /libs/cq/core/content/tools/customsearch/searchfacetformlister.html /libs/cq/core/content/tools/customsearch/searchfacetformlister /libs/cq/core/content/nav/tools/general/customsearchfacets
Tagging /libs/cq/tagging/gui/content/tags.html/etc/tags /libs/cq/tagging/gui/content/tags/etc/tags /libs/cq/core/content/nav/tools/general/tagging
Templates /libs/wcm/core/content/sites/templates.html/conf /libs/wcm/core/content/sites/templates /libs/cq/core/content/nav/tools/general/templates
Translation Configuration /libs/cq/translation/translationrules/contexts.html /libs/cq/translation/translationrules/contexts /libs/cq/core/content/nav/tools/general/translationRules
Components /libs/wcm/core/content/sites/components.html /libs/wcm/core/content/sites/components /libs/cq/core/content/nav/tools/general/components
Configuration Browser /libs/granite/configurations/content/view.html/conf /libs/granite/configurations/content/view/conf /libs/cq/core/content/nav/tools/general/configuration-browser
Models /libs/cq/workflow/admin/console/content/models.html/etc/workflow/models /libs/cq/workflow/admin/console/content/models/etc/workflow/models /libs/cq/core/content/nav/tools/workflow/models
Instances /libs/cq/workflow/admin/console/content/instances.html /libs/cq/workflow/admin/console/content/instances /libs/cq/core/content/nav/tools/workflow/instances
Launchers /libs/cq/workflow/admin/console/content/launchers.html /libs/cq/workflow/admin/console/content/launchers /libs/cq/core/content/nav/tools/workflow/launchers
Archive /libs/cq/workflow/admin/console/content/archive.html /libs/cq/workflow/admin/console/content/archive /libs/cq/core/content/nav/tools/workflow/archive
Failures /libs/cq/workflow/admin/console/content/failures.html /libs/cq/workflow/admin/console/content/failures /libs/cq/core/content/nav/tools/workflow/failures
Web Console /system/console/configMgr Please use the steps on following link to provide access:
Testing /libs/granite/testing/hobbes.html /libs/granite/testing/hobbes /libs/cq/core/content/nav/tools/operations/testing
Configuration /miscadmin /libs/wcm/core/content/misc /libs/cq/core/content/nav/tools/operations/configuration
Backup /libs/granite/backup/content/admin.html /libs/granite/backup/content/admin /libs/cq/core/content/nav/tools/operations/backup
Maintenance /libs/granite/operations/content/maintenance.html /libs/granite/operations/content/maintenance /libs/cq/core/content/nav/tools/operations/maintenance
Health Reports /libs/granite/operations/content/healthreports/healthreportlist.html /libs/granite/operations/content/healthreports/healthreportlist /libs/cq/core/content/nav/tools/operations/healthreports
Monitoring /libs/granite/operations/content/monitoring/page.html /libs/granite/operations/content/monitoring/page /libs/cq/core/content/nav/tools/operations/monitoring
Diagnosis /libs/granite/operations/content/diagnosis.html /libs/granite/operations/content/diagnosis /libs/cq/core/content/nav/tools/operations/diagnosis
Blueprints /libs/wcm/msm/gui/content/blueprintconfig.html /libs/wcm/msm/gui/content/blueprintconfig /libs/cq/core/content/nav/tools/sites/blueprints
Launches /libs/launches/content/launches.html /libs/launches/content/launches /libs/cq/core/content/nav/tools/sites/launches
ContextHub /etc/cloudsettings.html /etc/cloudsettings /libs/cq/core/content/nav/tools/sites/contexthub
Assets in left menu /libs/cq/core/content/nav/tools/assets
Metadata Profiles /libs/dam/gui/content/processingprofilepage/metadataprofiles.html /libs/dam/gui/content/processingprofilepage/metadataprofiles /libs/dam/gui/content/nav/tools/assets/metadata
Asset Reports /libs/dam/gui/content/reports/reportspage.html /libs/dam/gui/content/reports/reportspage /libs/dam/gui/content/nav/tools/assets/assetreports
Metadata Schemas /libs/dam/gui/content/metadataschemaeditor/schemalist.html /libs/dam/gui/content/metadataschemaeditor/schemalist /libs/dam/gui/content/nav/tools/assets/metadataschemas
Desktop Tools for AEM /libs/dam/gui/content/nav/tools/assets/desktop-tools
Insights Configuration /libs/dam/gui/content/assetinsights/wizard/configure.html /libs/dam/gui/content/assetinsights/wizard/configure /libs/dam/gui/content/nav/tools/assets/configwizard
Documentation /libs/cq/core/content/nav/tools/resources/documentation
Developer Resources /libs/cq/core/content/nav/tools/resources/dev
Replication /etc/replication.html /etc/replication /libs/cq/core/content/nav/tools/deployment/replication
Distribution /libs/granite/distribution/content/distribution.html /libs/granite/distribution/content/distribution /libs/cq/core/content/nav/tools/deployment/distribution
Packages /crx/packmgr Please use the steps on following link to revoke access:
Package Share /crx/packageshare Please use the steps on following link to revoke access:
Topology /libs/granite/topology/content/view.html /libs/granite/topology/content/view /libs/cq/core/content/nav/tools/deployment/topology
Offloading /libs/granite/offloading/content/view.html /libs/granite/offloading/content/view /libs/cq/core/content/nav/tools/deployment/offloading
Cloud Services /libs/cq/core/content/tools/cloudservices.html /libs/cq/core/content/tools/cloudservices /libs/cq/core/content/nav/tools/deployment/cloudservices
Users /libs/granite/security/content/useradmin.html /libs/granite/security/content/useradmin /libs/cq/core/content/nav/tools/security/users
Groups /libs/granite/security/content/groupadmin.html /libs/granite/security/content/groupadmin /libs/cq/core/content/nav/tools/security/groups
OAuth Clients /libs/granite/oauth/content/clients.html /libs/granite/oauth/content/clients /libs/cq/core/content/nav/tools/security/oauth
Permissions /useradmin /libs/cq/security/content/admin /libs/cq/core/content/nav/tools/security/permissions
Payment Methods /libs/commerce/gui/content/paymentmethods.html/etc/commerce/payment-methods /libs/commerce/gui/content/paymentmethods/etc/commerce/payment-methods /libs/cq/core/content/nav/tools/commerce/payment-methods
Shipping Methods /libs/commerce/gui/content/shippingmethods.html/etc/commerce/shipping-methods /libs/commerce/gui/content/shippingmethods/etc/commerce/shipping-methods /libs/cq/core/content/nav/tools/commerce/shipping-methods
Storage Configuration /communities/admin/defaultsrp /libs/social/console/content-shell3/defaultSrpConfig /libs/cq/core/content/nav/tools/communities/storageconfig
Component Guide /editor.html/content/community-components/en.html /content/community-components/en /libs/cq/core/content/nav/tools/communities/componentguide
Community Functions /communities/communityfunctions /libs/social/console/content-shell3/communityfunctions /libs/cq/core/content/nav/tools/communities/communityfunctions
Group Templates /communities/communitygrouptemplates /libs/social/console/content-shell3/communitygrouptemplates /libs/cq/core/content/nav/tools/communities/communitygrouptemplates
Community Badges /communities/badges /libs/social/gamification/content-shell3/badges /libs/cq/core/content/nav/tools/communities/badges
Sites Templates /communities/communitysitetemplates /libs/social/console/content-shell3/communitysitetemplates /libs/cq/core/content/nav/tools/communities/communitysitetemplates

Customizing AEM Toolbar

Adding new action to an AEM Assets Toolbar consists of 2 steps:

  1. Configure the new action for the toolbar
  2. Add a client library to execute some operation on clicking the action.

In the following example, we are adding ability to publish and unpublish assets from the Collection view.


Step 1: Resolving the location of toolbar in CRXDE.

A toolbar’s location can easily be resolved via its page URL.

  1. Copy the URL of the page.
  2. Replace “/mnt/overlay” with “/libs” to resolve toolbar’s path. In our current example:
    • Page URL: /mnt/overlay/dam/gui/content/collections/collectiondetails
    • Toolbar’s location: /libs/dam/gui/content/collections/collectiondetail


Step 2: Add the new action to the toolbar

  1. In CRXDE, locate the toolbar via the path resolved in Step-1.
  2. Browse to “<Toolbar’s path>/jcr:content/actions”.
  3. Overlay actions node in “/apps”. This is to ensure that the customization are only done in “/apps” and NOT “/libs”
  4. Add the new required action. In current example, we have copied publish and unpublish actions from:
    • Source:
      • /libs/dam/gui/content/assets/annotate/jcr:content/actions/selection/publish
      • /libs/dam/gui/content/assets/annotate/jcr:content/actions/selection/unpublish
    • Destination:
      • /apps/dam/gui/content/collections/collectiondetail/jcr:content/actions/selection/publish
      • /apps/dam/gui/content/collections/collectiondetail/jcr:content/actions/selection/unpublish
  5. Visit the Collections View. Select an asset. Notice that publish and unpublish actions would now be available. But, clicking on will execute any operation


Step 3: Add clientlibs to execute an operation via the newly added actions

  1. In CRXDE, locate the toolbar via the path resolved in Step-1.
  2. Browse to “<Toolbar’s path>/jcr:content/head/clientlibs”.
  3. Overlay clientlibs node in “/apps”. This is to ensure that the customization are only done in “/apps” and NOT “/libs”
  4. Add the required client library to the “categories” property of “/apps/dam/gui/content/collections/collectiondetail/jcr:content/head/clientlibs”
    • For the current example, we have added following client libraries:
      • dam.gui.admin.publishasset.coral
      • dam.gui.admin.unpublishasset.coral

Node View.PNG

Visit the Collections View. Select an asset. You should now be able to publish/unpublish an asset via Collection view 🙂



cURL execution from Java program

cURL is a tool to transfer data from or to a server, using one of the supported protocols (DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNETand TFTP). The command is designed to work without user interaction.

With AEM, you can use cURL commands to modify repository, download json, access OSGi information etc.

Snippet to download a json file via cURL:

While majority of the AEM’s content information can be downloaded via HTTP connection,  cURL command can be used to download information from AEM’s OSGi console.

In the shared example, we have used cURL to get information about all the bundles installed in AEM.

Snippet to execute a cURL command:

The follwoing snippet contains acURL command that has been converted in a format to be used in Java snippet.

The cURL command used here is meant to lock page “/content/geometrixx/en/toolbar/contacts” :

curl -u admin:admin -X POST -F cmd=”lockPage” -F path=”/content/geometrixx/en/toolbar/contacts” -F “_charset_”=”utf-8” http://localhost:4502/bin/wcmcommand

For more samples of cURL commands, please refer to:

Connecting AEM from remote AEM instance (via JCR API)

The best way to allow communication between two AEM instance is by:

  • Exposing a service from the AEM instance which acts a source of information  (say Source-AEM)
  • Consuming the exported service in the required remote AEM (Consumer-AEM).


In case, you have a use-case where:

  1. A Service cannot be exposed via source AEM
  2. A utility needs to be deployed in Consumer-AEM to access Source-AEM’s information

Then, you can use the following steps to achieve the same.

Please note: AEM does not allow remote connection OOTB. Hence, we would be embedding jcr2dav bundles. No performance testing has been conducted for the shared code.

Step-1: Create a user in Source-AEM Instance.

Create a user in source-AEM Instance with bare minimum access needed by the utility.


Step-2: Add dependencies to your maven project 

Add following dependencies to the maven project of the utility.

Since, the above bundles are not available in AEM, embed dependency for the above bundles in your pom.xml.

Step-3: Access source AEM instance from utlity.

Create an instance of “Jcr2davRepositoryFactory” to access the source AEM Instance.

For the sample code, access the servlet via URL (http://<Processor-AEM-HOST:Processor-AEM-port>/bin/testRemoteConnection), to get list of all components below “/apps/” folder on Source-AEM Instance.

DS Annotations – dependency updates

With AEM 6.2, we can use the new Declarative Service annotations. These are improvements over Felix annotations. Adding the recommendation excerpt from Apache Felix website:

While the Apache Felix Maven SCR Plugin is a great tool (see below), for developing OSGi components using Declarative Services you should use the official annotations from the OSGi R6 specification. The development of the Apache Felix SCR Plugin is in maintenance mode.

The examples and dependencies have been verified on AEM 6.3 Instance

Maven dependency changes:

In order to use the new OSGi annotations, we need to add following dependencies to pom.xml.


Use latest version of maven-bundle-plugin (>=3.2.0)

For a project upgrading from Felix to DS annotations, you can remove following:

  • All Felix dependencies. Example:
    • org.apache.felix.scr.annotations
    • biz.aQute.bnd
  • Plugins
    • maven-scr-plugin: is required to resolve felix annotations at build time

Code changes:

You can choose to update java files at once, or one-by-one.

  • Incase you wish to modify all files together, then remove felix dependencies and plugins. The IDE would now recognize all the files that need modifcation.
  • However, if you wish to change files one-by-one, then you can keep both DS and Felix dependencies in pom.xml. A bundle with both types of annotations would still be good. Once all the code changes are done, you should remove all felix dependencies.

How to identify the changes:

You can easily identify the files, by looking for package imports of “org.apache.felix.scr.annotations.*”.

We would be using the following packages instead:

  • org.osgi.service.component.annotations.*
  • org.osgi.service.metatype.annotations.*

For more details on code changes involved, please visit the specific links:

Verify annotation resolution

To verify if the DS annotation is generated:

  • decompile the jar created after mvn clean install
  • Check for the Service description available below /OSGI-INF/ folder



DS Annotations – Component, property and configurations

@Component Annotation

An component is a piece of code that is managed by OSGi container. The container would be responsible for its instantiation and management.

A component is activated only after all its service dependencies are satisfied by the container.

Attributes of a component: 


The above table have been noted from:

  • configurationPolicy: The attribute can hold following values of ConfigurationPolicy
    • IGNORE: Always allow the component configuration to be satisfied and do not use the corresponding Configuration object even if it is present.
    • OPTIONAL: Use the corresponding Configuration object if present but allow the component to be satisfied even if the corresponding Configuration object is not present.
    • REQUIRE: There must be a corresponding Configuration object for the component configuration to become satisfied.
  • factory: used to create a configuration factory. More implementation details are available on link.
  • name: The attribute doesn’t support special characters. If invalid, the component will not be registered.
  • property: A replacement for “@Properties felix annotation used at Class-level”.
  • service: registers component as a Service. More implementation details available on link.


To create a component, add @Component annotation to a class. Also, configure its attributes as per your need.

In the following example, we have:

  • @Activate annotation is used to mark a function which would be called when the component activates. The function can have any name.
  • @Deactivate annotation is used to mark a function which would be called when the component deactivates. The function can have any name.
  • Declared a custom property using property attribute.
    • The property value is read from componentContext in @Activate/@Deactivate methods.

More on defining property:

One may also need to declare multiple properties of a component. In such scenarios, declare an array of values for property attribute:

To define multiple values of a property, create each value as a separate element of the property Array.



Creating configurable properties

The annotations described in this section will help you to create Components whose configurations can be edited via OSGi console. To achieve the same:

  1. Create a separate or an inner interface which would hold configurations. In example, we have created Config interface.
  2. Add @ObjectClassDefinition annotation to the interface. Also, add desired attributes
    • name: The name would help you search the configuration in OSGi’s configuration manager.
  3. Add @Designate to the Component that would consume the configurations.  The ocd attribute should refer to the Configuration interface created in Step-2.
  4. Declare properties that you would like to configure via @AttributeDefinition
    • Following image maps annotation attributes with the OSGi UI.osgi.PNG
    • Please note that there are 2 ways to define default values:
      • defaultValue attribute of @AttributeDefinition: The value is displayed to the user, when he/she tries to configure the interface via Configuration manager. OSGi will NOT pick this default value, if no Configuration exists. Thus, when you install a bundle, the output would appear as:default-values.PNG
      • Specifying default value in variable declarartion: The value is displayed to the user, when he/she tries to configure the interface via Configuration manager. OSGi will pick this default value, even if no Configuration exists.

Also, note that we no longer need PropertiesUtil to resolve OSGi configurations. 🙂


Via Declarative Services, the number of annotations have been reduced. For example: @Component annotation is used for:

  • Component
  • Service
  • Servlet
  • Filter etc..

All of the above can be created by utilizing attributes of @Component details. More details are available on specific links