QR Code generator component for Adobe AEM / CQ5

I like so much Adobe AEM: it is very easy to customize this product and make our customers happier. Moreover, Adobe AEM is based on a wonderful stack: it is easier to work on a state of art technology: Apache Jackrabbit OAK, Apache Sling, Apache Felix and the most important layer, Adobe AEM are so well integrated and very powerful technologies.

A new customer requirement

A customer asked me to create a new Adobe AEM component to generate on the fly QR Code images. The functional requirement is pretty simple: the author wants to add a QR Code that “renders” the current url page url. Occasionally the author wants to create a QR Code to an external Url or different page. QR Code are very useful because with a Sidekick-Adobe-AEM-Yuri-Simione-Custom component-QR Code--italiano-next 2u-consulenza-next2u.itsmartphone or tablet, everyone can scan the QR Code from a monitor and continue the browsing far from the desktop or far from a digital . In addition, if the end user print the page that contains a QR Code, it will be super fast to scan the QR Code and, again, to continue to surf the same printed information days or months later, without to enter an annoying url. Eventually, QR Code can store more than 4.000 character on a single image:  it is possible to store on a printed page any kind of information, like Sling selectors and parameters used to access the original page, visitor navigation path or detailed information of a specific product showed in the web site.

Why QR Code?

If you think that this is another strange requirement from your digital marketing team, you will probably change idea. QR Code are in some way related to digital marketing because these can connect a casual visitor to a specific page or, better, to a new web site that he or she never knewed or visited before. Think about digital signage in a shop or in a airport. Do you see the point?

digital-signage-qr-code-yuri.simione-adobe-aem--italiano-next 2u-consulenza-next2u.it



If you are, like me, a digital marketer newbie probably still don’t get the importance of  the QR Code technology. Ok, this is not what you should appreciate or love, this is just a an image but probably your digital marketing team will ask you something similar soon. Adobe Experience Manager is used not just to publish sites or to create cool web applications or Html5 based apps for mobile phones or tablets. With AEM your digital marketing team can engage shoppers in large  in a shopping aisle of a shopping center, in the airport, in a public place, using digital signage or digital kiosks. Evantually, do you know that public administrations are using Adobe AEM? Visitors are not just shoppers, casual visitors could be also citizens that are looking for useful information in few seconds just watching a digital kiosks in a public place.

By the way, did you notice the new “Screen” link in the AEM 6 projects console? There are and there will be more features in AEM that integrate digital experiences in phisical stores.

aem-screen-yuri-simione-adobe-aem-digital.signage--italiano-next 2u-consulenza-next2u.it

The QR Generator component implementation

This is what my customer was asking. It is not more than that, a new component to create a QR Code, to drag and drop directly into the web page (or to statically include in every page):Yuri Simione - custom Adobe Aem Cq5 component

Of course, he wants that the new component works and can be configured via the new Touch UI interface:


With libraries like ZXing it is very easy to create a QR Code image from a string.  So, the first thing to do is to import one of these libraries as an OSGI bundle.

The good news is that Adobe already provides a similar bundle in the standard implementation. Adobe is using this bundle to publish the url of the authored mobile apps with a QR Code. In the OSGI system console you can easily find this bundle:

QR CODE GENERATOR - Adobe AEM - Yuri Simione

qrcode-to-crxde-lite-adobe-aem-yuri-simione The QR Code of the CRX DE Lite url, on your local AEM instance.

The same bundle is in the “active” state in the publish instance so we don’t have to manually activate that.

The bundle implements a simple servlet that renders a QR Code just passing the “url” parameters to the servlet …url. So, for example, to create a QR Code to the Adobe CRX DE Lite application, one can just enter this url: http://localhost:4502/libs/wcm/mobile/qrcode.png?url=http://localhost:4502/crx/de

With this bundle, the implementation required few steps and, litterally, very few lines of Java code. I just created a new component named qrcode-generator. Here, below, the Java code that I wrote for the component logic:

<%@ page import="com.day.cq.commons.Externalizer,
<%@ include file="/libs/foundation/global.jsp"%>
 final String CODE = "qrcode"; // the qr code property name
 final String WIDTH = "width";
 Node n = currentNode;
 String extension = "." + slingRequest.getRequestPathInfo().getExtension();
 Externalizer externalizer = resourceResolver.adaptTo(Externalizer.class);
 String myExternalizedUrl = externalizer.publishLink(resourceResolver, currentPage.getPath() + extension);
 n.setProperty(WIDTH,100); // default width
<img width="<%=properties.get(WIDTH,"")%>" src="<%= request.getContextPath() %>/libs/wcm/mobile/qrcode.png?url=<%=properties.get(CODE,"")%>"/>


I created the component dialogs for both the Classic and the Touch UI, just using the CRX DE Lite:

touch-ui-dialog-adobe-aem-yuri-simione-italiano-next 2u-consulenza-next2u.it

classic-ui-dialog-configuration-adobe-aem-yuri-simione--italiano-next 2u-consulenza-next2u.it

One important point is that the standard bundle generates QR Code just for url (not for any kind of text) and only for the urls that are in a whitelist defined as a regex. Url based on the Externalizer service are automatically whitelisted: that’s why I used the Externalizer in the component logic implementation. The


creates a link to the Adobe AEM publish instance. If you need to create QR Code for generic text, you have just to modify the component configuration via the Apache Felix Console, using the menu OSGI >> Configuration:

osgi-configuration-adobe-aem-yuri-simione--italiano-next 2u-consulenza-next2u.it

And that’s it. Now the author can create a new QR Code in few seconds! Watch the new component in action on Vimeo.

The component package

I like to share my Adobe AEM experience and it is a pleasure to do that when many other colleagues do the same, daily. I created a new package that contains the custom component and everything needed to use the new component. Just click on the image below, download the package and try it on your environment (you have to install the package and enable the new coomponent in your pages but I am supposing you know how to do that).


Next steps

It is good to add a configuration to include the Alt text, a Description to the rendered QR Code as per every html <img /> tag. Then it is needed to update the dialogs in order to enable modifications for the new attributes. I am going to complete these changes (just few minutes required usingAEM stack!).

Digital marketing team is composed by “volcanic” people. They are never satisfied and they wants more and more, every day, something diffancy-qr-code-adobe-aem-yuri-simione-generator-custom-component--italiano-next 2u-consulenza-next2u.itferent, something more innovative. In the future they will want someghing like newer and fancy QR Code. We are ready to make our digital marketing team happy because with Adobe AEM you can concentrate “just” on business logic.

If you need more information or if you need a custom AEM implementation, just ask me or to my company, Next 2U Consulting, a consultancy firm based in Rome, Italy.

You can follow me in Twitter: http://twitter.com/artika4biz or on Linkedin http//linkedin.com/in/yurisimione .

Next 2U Consuting - consulenza e formazione EMC Documentum, Adobe AEM CQ5, Roma, Italia, Italiano

Next 2U Consuting - consulenza e formazione EMC Documentum, Adobe AEM CQ5, Roma, Italia, Italiano

Posted in Adobe, WCM | Tagged , , , , , , , | Leave a comment

Content Management repository is a graph – Part I


In October, I attended the GraphConnect 2014 in San Francisco. GraphConnect is a conference and an event organised by Neo Technology, the company behind Neo4J, one of most important NoSql database.

Neo4j is a graph database, a database that uses graph structures with nodes, edges, and properties to represent and store data. A graph database provides a mechanism for storage and retrieval of data that is modeled in means other than the tabular relations used in relational databases. NoSQL databases can be classified in five categories,

  • Column: like Accumulo, Cassandra, Druid, HBase
  • Document: like Clusterpoint, Apache CouchDB, Couchbase, MarkLogic, MongoDB
  • Key-value: like Dynamo, FoundationDB, MemcacheDB, Redis, Riak, FairCom c-treeACE, Aerospike
  • Graph: like Allegro, Neo4J, InfiniteGraph, OrientDB, Virtuoso, Stardog

If you are looking for a new technology to learn or to approach, for sure every NoSQL field is cool enough to require attention (and to provide great visibility in the labour market). Among NoSQL databases, graph databases are the coolest technology. As reported during the GraphConnect conference by Emil Eifrem, founder and Ceo of Neo Technology, “Graphs are eating the world”. This sentence is not just a slogan, instead it describes clearly, what is happening. The image reported below (source db-engines.com) confirms that, with no doubts:

The DB-Engines Ranking is a list of database management systems ranked by their current popularity. DB-Engine Ranking algorithms measures the interest to database vendors and database model (as reported in the graph) using: number of mentions on websites, Google Trends, frequency of technical discussions, number of job offers, number of profiles in professional networks, number of Twitter tweets, in which the db system or db model is mentioned. I don’t know how the ranking algorithm works in detail but the graph is clear: graph databases is growing in popularity more than any other NoSQL technologies.

[continue on Linkedin: https://www.linkedin.com/pulse/content-management-repository-graph-part-i-yuri-simione]

Follow me on Twitter and Linkedin.


Posted in Analytics, Big data, ECM, Enterprise Search, Frontpage, Technologies | Tagged , , , | Leave a comment

APIs for DUMMIES – eBook review – Apigee special edition

Yesterday I downloaded the APIs for DUMMIES ebook. I really liked this book because it in 2 or 3 hours you can read and learn about best practices of REST api best practices.

This is just what we are doing right now and I found many useful and interesting ideas and suggestions.

I like this kind of book: they are not academic, are free (!) and you can learn about best practice without to spend hours to read and to understand the reason why these are best practices.

Without explanations or more details, for sure “you have to believe” that few pages are correct but, in this case, apigee name guarantee all the readers.

In just 36 pages, they are condensed many important points, like:

  • Keep your base URL simple and intuitive
  • Use two base URLs per resource.
  • Keep verbs out of your base URLs. Use verbs just for responses that don’t involve resources (like calculate, language translation, etc)
  • Use HTTP verbs to operate on the collections and elements.
  • (…) keep your API intuitive by simplifying the associations between resources,
  • and sweeping parameters and other complexities under the rug of the HTTP question
  • Regarding error and status code: use HTTP status code but not too much…. Start by using the following 3 codes. If you need more, add them. But you shouldn’t need to go beyond 8. • 200 – OK • 400 – Bad Request • 500 – Internal Server Error
  • If you’re not comfortable reducing all your error conditions to these 3, try picking among these additional 5: • 201 – Created • 304 – Not Modified • 404 – Not Found• 401 – Unauthorized • 403 – Forbidden
  • Never release an API without a version and make the version mandatory.
  • Support partial response by adding optional fields in a comma delimited list.
  • Use limit and offset to make it easy for developers to paginate objects.
  • Consolidate all API requests under one API subdomain.
  • The API Façade Pattern

So, if you have a couple of hours and if you like application development tools and techniques, you have to read this ebook!

Posted in Consumer, Frontpage, Technologies | Tagged , , , | Leave a comment

ESA-2014-046 – Multiple Content Server vulnerabilities fixed

Doumentum 'Yuri Simione' consultancy certified emcAnother day, another fix: someone can think that Content Server has too much vulnerabilities but for sure during these days EMC is working very hard to make his systems more secure.

I appreciate the way EMC is working on vulnerabilities and if you consider how many products EMC Information Intelligence Group is managing, you will agree that security fix is an hard and long task, just considering all the supported platforms where the fix should be tested.

rss security alert for ecm systems like documentum, opentext, alfresco - From Yuri SimioneAs usual, in this blog I report all the security bulletins published by EMC.  An easy way to know more about security is to subscribe this  RSS channel.


Today EMC released a security note identified by the ESA-2014-026 and registered on the Common Vulnerabilities and Exposures as CVE-2014-2506, CVE-2014-2507 and CVE-2014-2508.


The affected systems are Content Server version 6.7, 7.0 and 7.1. EMC stated that even all the “EMC Software: EMC Documentum Content Server all versions prior to 6.7 SP1″ has the same vulnerabilities but it is not clear if this is valid even for 6.6 and prior versions.

[June 9th update: as reported in the http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2506 the systems affected by these vulnerabilities are all the Content Server versions, even the 6.6.x, 6.5.x and 6.0.x]


For sure EMC strongly recommends all customers upgrade to one of the versions reported below, at the earliest opportunity:

  • EMC Documentum Content Server 7.1 P05 and later
  • EMC Documentum Content Server 7.0 P15 and later
  • EMC Documentum Content Server 6.7 SP2 P14 and later
  • EMC Documentum Content Server 6.7 SP1 P28 and later

EMC strongly recommends all customers upgrade to one of the above versions at the earliest opportunity.

Latest patches solve these three problems:

  • Privilege Escalation  (CVE-2014-2506):Authenticated non-privileged users are allowed to create system objects with super user privileges due to improper authorization checks being performed on these objects. This may potentially be exploited by a malicious attacker to gain unauthorized access to data or to perform unauthorized actions on Content Server.
  • Shell Injection (CVE-2014-2507):Certain methods in Documentum Content Server perform improper validation checks on input arguments. This may potentially be exploited by an authenticated malicious user to conduct shell injection attacks against these methods and perform unauthorized actions on Content Server.
  • DQL Injection (CVE-2014-2508): Certain DQL hints in Documentum Content Server may potentially be exploited by an authenticated malicious user to conduct DQL injection attacks and perform unauthorized database actions.

Posted in ECM, EMC, Frontpage, Security alert | Tagged , | Leave a comment

ESA-2014-024: EMC Documentum Digital Asset Manager DQL Injection Vulnerability

Today EMC announced a security fix to address Blind Documentum Query Language (DQL) Injection vulnerability on Documentum Digital Asset Manager (DAM).

The affected versions are:

  • EMC Software: EMC Documentum Digital Asset Manager 6.5 SP3
  • EMC Software: EMC Documentum Digital Asset Manager 6.5 SP4
  • EMC Software: EMC Documentum Digital Asset Manager 6.5 SP5
  • EMC Software: EMC Documentum Digital Asset Manager 6.5 SP6

logo dam yuri simione documentum emc consultancy

The DAM thumbnail proxy server allows unauthenticated users to query objects using a vulnerable URL query string parameter. A malicious attacker may potentially conduct Blind DQL injection attacks using the vulnerable parameter to infer or modify the database contents.

EMC released a hotfix for DAM 6.5 SP3, 6.5 SP4, and 6.5 SP5. For 6.5 SP6, patch P13 and later contains resolution for this issue.

EMC strongly recommends all customers apply the hotfix or upgrade at the earliest opportunity.

You can subscribe the RSS feeds related to the security alerts published on my blog.

Posted in ECM, EMC, Frontpage, Security alert | Tagged , , | Leave a comment

ESA-2014-026: vulnerability explained

On January 3, 2014 I discovered a vulnerability related to Documentum Content Server that I communicated to EMC during the same day.

On April 11, 2014 EMC published the ESA-2014-026: EMC Documentum Content Server Information Disclosure Vulnerability.

One month after that, in this post, I am going to describe publicly more about this vulnerability, in order to share in which situation and why you should apply latest patches released by EMC.

First of all, this is a Documentum Content Server vulnerability: in a repository, a user with limited privilege, can browse more objects than a standard configuration should permit. The issue is related to the restricted folders configuration option for the dm_user instances.

How to exploit the security bug

Create a new standard Documentum user:


  • user_name equal to HACK,
  • standard privilege set to NONE,
  • default folder /HACK
  • restricted folder /Temp

As reported in the EMC Documentum Content Server Version 7.x Administration and Configuration Guide, the Restrict Folder Access To configuration:

Specifies which folders the user can access. (…).

If no folders or cabinets are specified, the user has access to all folders and cabinets in the repository, depending on the permissions on those cabinets and folders, and depending on folder security.”

In our scenario, the HACK user should access just the objects linked into the /Temp cabinet. Let’s continue to create the environment to prove the vulnerability. With a standard user, create a document in a new folder, for example into the cabinet /SECURITY BUG EXPLOIT. For this document add the BROWSE or more powerful permission to the dm_world alias. I named this document “My personal salary”. I know, I know: for a private document such “My personal salary” I should not add BROWSE permission to dm_world alias but for sure the HACK user should not browse and read my document, because this document is “outside” his restricted folders.


Does the Restricted Folders option work? Yes, let’s test it. In my system the ID of this document is 09001eab80002990. Login into Documentum Administrator, with the HACK user credentials and execute the DQL query reported below: esa-2014-026-documentum-yuri-simione 3

Zero rows returned: Restricted Folders security option works well!

Again, correctly, the execution of the dump object fails:


Error processing command:DfException:: THREAD: tomcat-http–19; MSG: [DM_SYSOBJECT_E_NOT_IN_RESTRICTED_FOLDERS]error: “The sysobject (’09001eab80002990′) is not in any folder (or subfolder of the folder) specified in the user’s restricted_folder_ids.”; ERRORCODE: 100; NEXT: null

So Restricted Folders configuration works well but in some cases there is a….


The problem is that HACK user can browse more documents than permitted if he or she uses the not folder keywords.

If the HACK user executes DQL using the not folder(…) statement as reported below, he/she can browse the metadata of the document outside his restricted folders and he/she can browse (or read, write, delete, depending on permission add to the documents for the dm_world alias) more data:

esa-2014-026-documentum-yuri-simione 4

So, if  ”your” repository is  configured to use Restricted Folders option for some special users, you probably should upgrade the Content Server at the earliest opportunity.

Anyway, if the end-user repository is a Global Registry repository, you should upgrade all your content servers! You know that there is a special user configured to work just on some Restricted Folders: the dm_bof_registry user.


If the end-user repository is a Global Registry repository, upgrade your content servers as soon as you can, because, as you probably know, there are some ways to decrypt the dm_bof_regsitry password stored in the dfc.properties file: with this user credential someone could potentially access to all the documents stored in the repository protected with the dm_world / BROWSE permission. It’s a good practice to use a dedicated repository for the Global Registry and this vulnerability justify one more time why.


To solve this issue you should upgrade to one of the versions listed below:

  • EMC Documentum Content Server version 7.1 P02 and later
  • EMC Documentum Content Server version 7.0 P13 and later
  • EMC Documentum Content Server version 6.7 SP2 P13 and later
  • EMC Documentum Content Server version 6.7 SP1 P26 and later
Posted in Blogroll, ECM, EMC, Frontpage, Next 2U Consulting, Security alert | Tagged , , , | Leave a comment

ESA-2014-045 Documentum D2 Vulnerability

Today EMC released a note related to a vulnerability that affect the Documentum D2 client.

The CVE vulnerability identifier is CVE-2014-2504 (score 8.5). The affected products are

  • EMC Documentum D2 3.1 and patch versions
  • EMC Documentum D2 3.1SP1 and patch versions
  • EMC Documentum D2 4.0 and patch versions
  • EMC Documentum D2 4.1 and patch versions
  • EMC Documentum D2 4.2 and patch versions

In particular EMC Documentum D2 may be vulnerable to an arbitrary Documentum Query Language (DQL) query execution vulnerability because there are methods and a D2FS web service method that may allow an authenticated user to execute arbitrary DQL queries with superuser privileges. For this reason an upgrade to the latest patch is strongly recommended.

The following products contain the resolution to this issue

  • EMC Documentum D2 3.1P20
  • EMC Documentum D2 3.1SP1P02
  • EMC Documentum D2 4.0P10
  • EMC Documentum D2 4.1P13
  • EMC Documentum D2 4.2P01
Posted in EMC, Security alert | Tagged , , | Leave a comment

OpenSSL Heartbleed and Documentum – Update – ESA-2014-037

Today EMC reported on the ESA-2014-037 that the the impact of OpenSSL Heartbleed vulnerability (CVE-2014-0160) on Documentum Content Server is limited to:

  • Fulltext query plugin used by the Content Server to communicate with the xPlore server;
  • CAS plugin, used by the Content Server for CAS based authentication.

The impacted environments are:

  • Documentum Content Server (Linux platform only) 6.7 SP1 (P14-P26), 6.7 SP2 (P01-P12), 7.0 (P03-P13)
  • Documentum Content Server (Windows 64, Linux, Solaris, AIX) 7.1 (base release – P03)

For these environments, EMC  strongly recommends to upgrade to one of the versions listed below at the earliest opportunity.

  • EMC Documentum Content Server version 7.1 P04 and later
  • EMC Documentum Content Server Linux version 7.0 P14 and later
  • EMC Documentum Content Server Linux version 6.7 SP2 P13 and later
  • EMC Documentum Content Server Linux version 6.7 SP1 P27 and later

After upgrade, it is strongly recommended to:

  • Renew certificates
  • Revoke old certificates
  • Change passwords for CAS user accounts


Posted in ECM, EMC, Frontpage, Security alert | Tagged , , , | Leave a comment

E’ in edicola Mac magazine 067 – Macworld / iWorld 2014

Nella sezione ULTIMISSIME di Mac magazine 067, in edicola a Maggio 2014, sono pubblicati i primi articoli che ho tratto dalla partecipazione all’evento Macworld/iWorld 2014, a San Francisco dal 27 al 29 Marzo 2014.

macmagazine yuri simione macworld iworld 2014 article Articolo di Yuri Simione – Macworld / iWorld 2014
Posted in Frontpage | Leave a comment

OpenSSL Heartbleed Vulnerability (CVE-2014-0160) does not affect Documentum systems

OpenSSL Heartbleed Vulnerability (CVE-2014-0160) does not affect Documentum systems because simply these don’t use OpenSSL! Some concerns just about the on premise edition of Syncplicty.

Due to a missing bounds check in OpenSSL during the TLS heartbeat extension, up to 64k of memory can be revealed to a connected client or server. This may potentially allow an unauthenticated, remote attacker to gain access to sensitive information such as private keys, login passwords, and encryption keys (Secret Keys). As a result of this disclosure of sensitive information, these Secret Keys can potentially be leveraged to decrypt other sensitive information or conduct so-called man-in-the-middle attacks.References:

  • Original disclosure: http://heartbleed.com/
  • US CERT: http://www.kb.cert.org/vuls/id/720951
  • NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160&cid=2
Non-Impacted Products:

Documentum ApplicationXtender Does not use OpenSSL
Documentum Content Application (ACS, BOCS, DMS, UCF) Does not use OpenSSL
Documentum D2 Does not use OpenSSL
Documentum DFS Does not use OpenSSL
Documentum eRoom Does not use OpenSSL
Documentum InfoArchive Does not use OpenSSL
Documentum REST Services Does not use OpenSSL
Documentum xPression Does not use OpenSSL
Syncplicity Enterprise Edition On-Premise All See ESA-2014-030 for details: : https://support.emc.com/kb/185966
Posted in EMC, Frontpage, Security alert | Tagged , , | Leave a comment