Author Archives: J.S Tomar

AEM Solution: How to create an AEM Custom global object?


As an AEM developer, you know that there are a set of global objects available in AEM at the view layer. Whether you can use JSP or New template framework (HTL). Most commons global objects are currentPage, current resource, current design object etc.

These set of objects are initialized by the AEM application by default & available to use them in every component.

Do you really need custom object?

With given architecture of AEM & Sling framework to resolve the resource, there is a situation when you need your own custom object to be available across the application components. Just like global objects.

Let’s consider a multi-brand site where you need some brand-specific information, Objects or JSON etc should be available at each brand application level. It means object should be available at every component.

General Solution

General practice is that have a common bean/Use class gets initialized at each component level. Performance wise, initializing a bean at every component level, isn’t that bad. Because most of the content gets cached. However, It is an issue when you have got that information/object through service. You can’t make a web service from every component. You could still do that if you are an architect & developer has an alternative solution. So let’s see an alternative solution.

Alternative Solution

An alternative solution is pretty simple. Just like any other AEM global objects, keep your custom object available at every component by default. No initialization of any objects. Make sense? let’s see the following steps to create global custom objects.

  • Create a new class with an appropriate name (hard to find the appropriate name but try it). 
  • Make sure new class is registered as Component in OSGI Console.
  • Sling Framework provides an interface BindingValuesProvider. Implement this interface. This interface provides addBindings(Bindings bindings) method.
  • Bindings parameter works like a map. You need to put key & value in it. For instance, bindings.put(“myObject”, “valueOfCustomObject”);
  • Now, “myObject” can be used as a global variable anywhere in the components.

Sample src Code

# CustomGlobalObject
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import javax.script.Bindings;
public class CustomGlobalObject implements BindingsValuesProvider {
    IMyService iMyService;
    public void addBindings(Bindings bindings) {
        bindings.put("mylist", iMyService.getGlobalObject());
#Service Interface
import java.util.List;
public interface IMyService {
    List getGlobalObject();
#Service Interface implementation

import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Service;
import java.util.ArrayList;
import java.util.List;
public class MyService implements IMyService{
    public List<String> getGlobalObject() {
        List list = new ArrayList();
        list.add("a"); list.add("b"); list.add("c");
        return list;
# Entry in Sightly HTML component
Custom object: ${mylist}
Custom object: a,b,c

Final Thought: 

There could be other good solutions to solve the problem which I described in this post. Would love to hear others ideas. Don’t hesitate to share your thoughts in the comment section. For any doubt or question, leave a comment. will do our best to answer your questions. Thanks in advance.


CyberSecurity: All about mobile sim swap attack!

SIM Swap attack (aka SIM intercept attack ) is an identity theft where someone could impersonate your digital life & received all text messages etc in their own SIM. Just to clarify, Sim swap attack isn’t about swapping your physical sim.

How attacker achieve this?

In cybersecurity chain, The weakest link is human factor & attacker knows how easy it is to convince with someone. By nature, we trust other people or system as well. How hackers convince customer representative is called social engineering. Social engineering is all about pretending to be someone & convince to the person who can trust & provide valuable information. With the same technique, SIM swap could happen. In very simple terms, Attacker would pretend to be you & would convince to your telecom carriers to switching your SIM number to new SIM which owns by the attacker.

How dangerous it could be?

It is very bad for the victims when all your OTP, messages etc are received by someone. Lots of things could be done. most dangerous is when an attacker can gain access to your bank accounts, credit cards, all other sensitive information which depends on OTP & messages. Recent examples here. SIM swap! Man charged after million dollar cryptocurrency theft

What is the solution?

Well, In such cases, nothing much can be done except taking extra precaution. There are a few solutions like App-based two-factor authentication just like Text/Message based authentication. Your bank has two-factor authentication & OTP goes to your message. You could enable app based two-factor authentication like Google authenticator, Authy etc. App-based authentication generates an OTP & that OTP would be within the apps so someone needs to steal your device to get that OTP. 

Problem with app-based two-factor authentication is that it may not possible with every bank & still rely on text-based two-factor authentication.

Final Thought

Anything which is linked to your banking system needs security. If any loose point is vulnerable then the whole thing could be vulnerable. In cybersecurity, it is said that every vulnerability is exploitable.

“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” 

― Stephane Nappo

CyberSecurity: Machine learning can create fake fingerprints


JUST LIKE ANY lock can be picked, any biometric scanner can be fooled. Researchers have shown for years that the popular fingerprint sensors used to guard smartphones can be tricked sometimes, using a lifted print or a person’s digitized fingerprint data. But new findings from computer scientists at New York University’s Tandon School of Engineering could raise the stakes significantly. The group has developed machine learning methods for generating fake fingerprints—called DeepMasterPrints—that not only dupe smartphone sensors but can successfully masquerade as prints from numerous different people. Think of it as a skeleton key for fingerprint-protected devices.

How this is possible?

As of now, mobile devices take when scanning a user’s fingerprint. The sensors are small enough that they can only “see” part of your finger at any given time. As such, they make some assumptions based on a snippet, which also means that fake fingerprints likely need to satisfy fewer variables to trick them.

Research Paper & References.

AEM Solution: How to get OSGI Service object in POJO?


In AEM, OSGI Container supports dependency injection which means one OSGi service can be injected into another service using @Reference annotation. Dependency injection design is a well-known design pattern.   In this post, would like to explain what are the ways to get a reference of OSGi Service? 


As you know, In some case you are not able to get the object using @Reference annotation. Basically, OSGI container does not allow you to inject NON-OSGI classes (POJO) into another class. 

This happens when you have a class which is not registered as OSGI Component & Service. In such cases, You are left with the following option. Get the service object through a parameter to our class or get the service object through Sling request object. In Sightly model, referencing of services are possible now.


Here is the example how to get service object through Sling request object.

// Fetching service reference from request object.
public class Example{
 public ServiceObject YouServiceReference(SlingHttpRequest request){
      final SlingBindings bindings = (SlingBindings) request.getAttribute(SlingBindings.class.getName());
      SlingScriptHelper slingScriptHelper = bindings.getSling();
     YouServiceReference service = slingScriptHelper.getService(YouServiceReference.class);
        return service
#Wiht Sightly POJO
public class Example extends WCMUsePojo{
 public ServiceObject YouServiceReference(SlingHttpRequest request){
      return getSlingScriptHelper.getService(YouServiceReference.class);

AEM Solution: AEM OSGi Config Resolution Order


In this post, will talk about simple concept what is OSGi (i.e open service gateway interface) resolution order & what does this order is different when AEM starts & when something we change from OSGi console.

OSGI Config Resolution Order: at Startup vs Runtime

AEM Apache Felix based OSGi runtime environment(aka system console) loads the configurations in two different ways and makes them available to the application. Read the section “How these configs are resolved?” in this post How AEM OSGi works?

The same OSGi Apache Felix framework loads configuration runtime different. The following order of precedence applies: 

  • If you have modified any config directly from system console (i.e AEM OSGi admin console) then AEM creates another .config file and this file gets precedence over your XML file, apps or libs.
  • If you have made changes in config file under apps and the same config has not been modified from system console then apps modified config would take the precedence over libs and will available to the application immediately.
  • If you have modified any config under libs & it is not overridden at the apps level & it is not modified from system console then modified config will take the precedence.

Config Resolution Order with multiple run modes:

For run mode specific configurations, multiple run modes can be combined. For example, you can create configuration folders in the following style:


Configurations in such folders will be applied if all run modes match a run mode defined at startup. For example, if an instance was started with the run modes author,dev,emea, configuration nodes in /apps/*/config.emea/apps/*/ and /apps/*/ will be applied, while configuration nodes in /apps/*/ and /config/ will not be applied.

If multiple configurations for the same PID are applicable, the configuration with the highest number of matching run modes is applied.

For example, if an instance was started with the run modes author,dev,emea, and both /apps/*/ and /apps/*/ define a configuration for, the configuration in/apps/*/ will be applied.

This rule’s granularity is at a PID level. You cannot define some properties for the same PID in/apps/*/ and more specific ones in /apps/*/ for the same PID.
The configuration with the highest number of matching run modes will be effective for the entire PID.