Netcentric · kwin · Mar 4, 2025 · Mar 4, 2025
diff --git a/README.md b/README.md
@@ -19,6 +19,7 @@ There are several validators included in this artifact, all relate to namespacin
 1. [OSGi Configuration][osgi-installer-configurations]
 1. [Sling Resource Type and Resource Super Type][sling-resource-type] (`sling:resourceType` and `sling:resourceSuperType` properties)
 1. [AEM Client Library][aem-clientlibrary] (`categories` property)
+1. [Embedded Bundles][embedded] (the `Bundle-SymbolicName` of embedded bundles)
 
 Namespacing has been explicitly mentioned in [Achim Koch's Blog: Hosting Multiple Tenants on AEM](https://blog.developer.adobe.com/hosting-multiple-tenants-on-aem-815c8ed0c9f9) but obviously namespacing is just one of multiple aspects to consider for multi-tenant AEM environments.
 
@@ -33,21 +34,22 @@ The following options are supported apart from the default settings mentioned in
 Leaving the validators with the default options will not emit validation issues at all, i.e. none of the options are mandatory.
 
 
-Validator ID | Option | Description
---- | --- | --- 
-`netcentric-filter-namespace` | `allowedPathPatterns` | Comma-separated list of regular expression patterns. Each package filter `root` must match at least one of the given patterns.
-`netcentric-packageid-namespace` | `allowedGroupPatterns` | Comma-separated list of regular expression patterns. The package's group must match at least one of the given patterns.
-`netcentric-packageid-namespace` | `allowedNamePatterns` | Comma-separated list of regular expression patterns. The package's name must match at least one of the given patterns.
-`netcentric-authorizable-namespace` | `allowedPrincipalNamePatterns` | Comma-separated list of regular expression patterns. The authorizable's `rep:principalName` must match at least one of the given patterns.
-`netcentric-authorizable-namespace` | `allowedAuthorizableIdPatterns` | Comma-separated list of regular expression patterns. The authorizable's `rep:authorizableId` or its node name (if the property does not exist( must match at least one of the given patterns.
-`netcentric-authorizable-namespace` | `allowedAuthorizableIdPatterns` | Comma-separated list of regular expression patterns. The authorizable's `rep:authorizableId` or its node name (if the property does not exist) must match at least one of the given patterns.
-`netcentric-oakindex-namespace` | `allowedPathPatterns` | Comma-separated list of regular expression patterns. Each Oak index definition's path restriction ([for `lucene` index types][oakindex-lucene-pathrestrictions] or [`property` index types][oakindex-property-pathrestrictions]) must match at least one of the given patterns.
-`netcentric-osgiconfig-namespace` | `allowedPidPatterns` | Comma-separated list of regular expression patterns. Each (non-factory) configuration name given via the [OSGi Installer][osgi-installer-configurations] must have a PID matching at least one of the given patterns.
-`netcentric-osgiconfig-namespace` | `allowedFactoryPidNames` | Comma-separated list of regular expression patterns. Each factory configuration name given via the [OSGi Installer][osgi-installer-configurations] must have a name matching at least one of the given patterns.
-`netcentric-osgiconfig-namespace` | `restrictFactoryConfigurationsToAllowedPidPatterns` | Boolean flag, `false` by default. If set to `true` each factory configuration PID given via the [OSGi Installer][osgi-installer-configurations] must also matching at least one of the given patterns from `allowedPidPatterns`.
-`netcentric-resourcetype-namespace` | `allowedTypePatterns` | Comma-separated list of regular expression patterns. Each `sling:resourceType` property of arbitrary JCR nodes must match at least one of the given patterns.
-`netcentric-resourcetype-namespace` | `allowedSuperTypePatterns` | Comma-separated list of regular expression patterns. Each `sling:resourceSuperType` property of arbitrary JCR nodes must match at least one of the given patterns.
-`netcentric-clientlibrary-namespace` | `allowedCategoryPatterns` | Comma-separated list of regular expression patterns. Each [client library's `categories` value][aem-clientlibrary] must match at least one of the given patterns.
+Validator ID | Option | Description | Since
+--- | --- | --- | ---
+`netcentric-filter-namespace` | `allowedPathPatterns` | Comma-separated list of regular expression patterns. Each package filter `root` must match at least one of the given patterns. | 1.0.0
+`netcentric-packageid-namespace` | `allowedGroupPatterns` | Comma-separated list of regular expression patterns. The package's group must match at least one of the given patterns. | 1.0.0
+`netcentric-packageid-namespace` | `allowedNamePatterns` | Comma-separated list of regular expression patterns. The package's name must match at least one of the given patterns. | 1.0.0
+`netcentric-authorizable-namespace` | `allowedPrincipalNamePatterns` | Comma-separated list of regular expression patterns. The authorizable's `rep:principalName` must match at least one of the given patterns. | 1.0.0
+`netcentric-authorizable-namespace` | `allowedAuthorizableIdPatterns` | Comma-separated list of regular expression patterns. The authorizable's `rep:authorizableId` or its node name (if the property does not exist( must match at least one of the given patterns. | 1.0.0
+`netcentric-authorizable-namespace` | `allowedAuthorizableIdPatterns` | Comma-separated list of regular expression patterns. The authorizable's `rep:authorizableId` or its node name (if the property does not exist) must match at least one of the given patterns. | 1.0.0
+`netcentric-oakindex-namespace` | `allowedPathPatterns` | Comma-separated list of regular expression patterns. Each Oak index definition's path restriction ([for `lucene` index types][oakindex-lucene-pathrestrictions] or [`property` index types][oakindex-property-pathrestrictions]) must match at least one of the given patterns. | 1.0.0
+`netcentric-osgiconfig-namespace` | `allowedPidPatterns` | Comma-separated list of regular expression patterns. Each (non-factory) configuration name given via the [OSGi Installer][osgi-installer-configurations] must have a PID matching at least one of the given patterns. | 1.0.0
+`netcentric-osgiconfig-namespace` | `allowedFactoryPidNames` | Comma-separated list of regular expression patterns. Each factory configuration name given via the [OSGi Installer][osgi-installer-configurations] must have a name matching at least one of the given patterns. | 1.0.0
+`netcentric-osgiconfig-namespace` | `restrictFactoryConfigurationsToAllowedPidPatterns` | Boolean flag, `false` by default. If set to `true` each factory configuration PID given via the [OSGi Installer][osgi-installer-configurations] must also matching at least one of the given patterns from `allowedPidPatterns`. | 1.0.0
+`netcentric-resourcetype-namespace` | `allowedTypePatterns` | Comma-separated list of regular expression patterns. Each `sling:resourceType` property of arbitrary JCR nodes must match at least one of the given patterns. | 1.0.0
+`netcentric-resourcetype-namespace` | `allowedSuperTypePatterns` | Comma-separated list of regular expression patterns. Each `sling:resourceSuperType` property of arbitrary JCR nodes must match at least one of the given patterns. | 1.0.0
+`netcentric-clientlibrary-namespace` | `allowedCategoryPatterns` | Comma-separated list of regular expression patterns. Each [client library's `categories` value][aem-clientlibrary] must match at least one of the given patterns. | 1.0.0
+`netcentric-embedded-namespace` | `allowedBundleSymbolicNamePatterns` | Comma-separated list of regular expression patterns. Each [embedded bundle in the package][embedded] must have a `Bundle-SymbolicName` in its manifest which matches at least one of the given patterns. | 1.1.0
 
 *Due to the use of comma-separated strings it is not possible to use a comma within the regular expressions. However, as those are matched against names/paths (which don't allow a comma anyhow) using the comma inside the regular expressions shouldn't be necessary anyhow.*
 
@@ -67,44 +69,49 @@ You can use this validator with the [FileVault Package Maven Plugin][filevault-p
     <validatorsSettings>
       <netcentric-authorizable-namespace>
         <options>
-            <allowedPrincipalNamePatterns>mytenant-.*</allowedPrincipalNamePatterns>
-            <allowedAuthorizableIdPatterns>mytenant-.*</allowedAuthorizableIdPatterns>
+          <allowedPrincipalNamePatterns>mytenant-.*</allowedPrincipalNamePatterns>
+          <allowedAuthorizableIdPatterns>mytenant-.*</allowedAuthorizableIdPatterns>
         </options>
       </netcentric-authorizable-namespace>
       <netcentric-clientlibrary-namespace>
         <options>
-            <allowedCategoryPatterns>mytenant-.*</allowedCategoryPatterns>
+          <allowedCategoryPatterns>mytenant-.*</allowedCategoryPatterns>
         </options>
       </netcentric-clientlibrary-namespace>
      <netcentric-filter-namespace>
         <options>
-            <allowedFilterRootPatterns>/apps/mytenant(/.*)?,/conf/mytenant(/.*)?,/home/users/mytenant(/.*)?,/oak:index/mytenant-(.*)</allowedFilterRootPatterns>
+          <allowedFilterRootPatterns>/apps/mytenant(/.*)?,/conf/mytenant(/.*)?,/home/users/mytenant(/.*)?,/oak:index/mytenant-(.*)</allowedFilterRootPatterns>
         </options>
       </netcentric-filter-namespace>
       <netcentric-oakindex-namespace>
         <options>
-            <allowedPathPatterns>/content/mytenant(/.*)?</allowedPathPatterns>
+          <allowedPathPatterns>/content/mytenant(/.*)?</allowedPathPatterns>
         </options>
       </netcentric-oakindex-namespace>
       <netcentric-osgiconfig-namespace>
         <options>
-            <allowedPidPatterns>com\.example\.mytenant\..*</allowedPidPatterns>
-            <allowedFactoryPidNames>name.*</allowedFactoryPidNames>
-            <restrictFactoryConfigurationsToAllowedPidPatterns>true</restrictFactoryConfigurationsToAllowedPidPatterns>
+          <allowedPidPatterns>com\.example\.mytenant\..*</allowedPidPatterns>
+          <allowedFactoryPidNames>name.*</allowedFactoryPidNames>
+          <restrictFactoryConfigurationsToAllowedPidPatterns>true</restrictFactoryConfigurationsToAllowedPidPatterns>
         </options>
       </netcentric-osgiconfig-namespace>
       <netcentric-packageid-namespace>
         <options>
-             <allowedGroupPatterns>biz\.netcentric\.filevault\.validator\.aem\.namespace\.it</allowedGroupPatterns>
-             <allowedNamePatterns>.*-package</allowedNamePatterns>
+          <allowedGroupPatterns>biz\.netcentric\.filevault\.validator\.aem\.namespace\.it</allowedGroupPatterns>
+          <allowedNamePatterns>.*-package</allowedNamePatterns>
         </options>
       </netcentric-packageid-namespace>
       <netcentric-resourcetype-namespace>
         <options>
-            <allowedSuperTypePatterns>/apps/mytenant2/components/.*</allowedSuperTypePatterns>
-            <allowedTypePatterns>/apps/mytenant2/components/.*</allowedTypePatterns>
+          <allowedSuperTypePatterns>/apps/mytenant2/components/.*</allowedSuperTypePatterns>
+          <allowedTypePatterns>/apps/mytenant2/components/.*</allowedTypePatterns>
         </options>
       </netcentric-resourcetype-namespace>
+      <netcentric-embedded-namespace>
+        <options>
+          <allowedBundleSymbolicNamePatterns>mytenant-.*<allowedBundleSymbolicNamePatterns>
+        </options>
+      </netcentric-embedded-namespace>
     </validatorsSettings>
   </configuration>
   <dependencies>
@@ -131,4 +138,5 @@ Adobe, and AEM are either registered trademarks or trademarks of Adobe in the Un
 [filevault-package-id]: https://jackrabbit.apache.org/filevault/properties.html
 [sling-resource-type]: https://sling.apache.org/documentation/the-sling-engine/resources.html#resource-types
 [oak-authorizables]: https://jackrabbit.apache.org/oak/docs/security/user/default.html#representation-in-the-repository
+[embedded]: https://jackrabbit.apache.org/filevault-package-maven-plugin/osgi.html#bundles-and-configurations
 
diff --git a/pom.xml b/pom.xml
@@ -3,7 +3,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>biz.netcentric.filevault.validator</groupId>
   <artifactId>aem-content-package-namespace-validators</artifactId>
-  <version>1.0.2-SNAPSHOT</version>
+  <version>1.1.0-SNAPSHOT</version>
 
   <name>AEM FileVault Content Package Namespace Validators</name>
   <description>FileVault validators which verify that content packages comply with certain namespacing rules.</description>

diff --git a/src/it/inside-namespace/container-package/pom.xml b/src/it/inside-namespace/container-package/pom.xml
@@ -16,8 +16,23 @@
                 <artifactId>filevault-package-maven-plugin</artifactId>
                 <configuration>
                     <packageType>container</packageType>
+                    <embeddeds>
+                        <embedded>
+                            <artifactId>commons-lang3</artifactId>
+                            <filter>true</filter>
+                        </embedded>
+                    </embeddeds>
+                    <embeddedTarget>/apps/mytenant/install</embeddedTarget>
                 </configuration>
             </plugin>
         </plugins>
     </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+    </dependencies>
 </project>
diff --git a/src/it/inside-namespace/pom.xml b/src/it/inside-namespace/pom.xml
@@ -94,6 +94,11 @@
                                     <allowedTypePatterns>/apps/mytenant2/components/.*</allowedTypePatterns>
                                 </options>
                             </netcentric-resourcetype-namespace>
+                            <netcentric-embedded-namespace>
+                                <options>
+                                    <allowedBundleSymbolicNamePatterns>org.apache.commons.lang3</allowedBundleSymbolicNamePatterns>
+                                </options>
+                            </netcentric-embedded-namespace>
                         </validatorsSettings>
                     </configuration>
                     <dependencies>

diff --git a/src/it/no-config/container-package/pom.xml b/src/it/no-config/container-package/pom.xml
@@ -16,8 +16,23 @@
                 <artifactId>filevault-package-maven-plugin</artifactId>
                 <configuration>
                     <packageType>container</packageType>
+                    <embeddeds>
+                        <embedded>
+                            <artifactId>commons-lang3</artifactId>
+                            <filter>true</filter>
+                        </embedded>
+                    </embeddeds>
+                    <embeddedTarget>/apps/mytenant/install</embeddedTarget>
                 </configuration>
             </plugin>
         </plugins>
     </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+    </dependencies>
 </project>
diff --git a/src/it/outside-namespace/container-package/pom.xml b/src/it/outside-namespace/container-package/pom.xml
@@ -16,8 +16,23 @@
                 <artifactId>filevault-package-maven-plugin</artifactId>
                 <configuration>
                     <packageType>container</packageType>
+                    <embeddeds>
+                        <embedded>
+                            <artifactId>commons-lang3</artifactId>
+                            <filter>true</filter>
+                        </embedded>
+                    </embeddeds>
+                    <embeddedTarget>/apps/mytenant/install</embeddedTarget>
                 </configuration>
             </plugin>
         </plugins>
     </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+    </dependencies>
 </project>
diff --git a/src/it/outside-namespace/pom.xml b/src/it/outside-namespace/pom.xml
@@ -100,6 +100,11 @@
                                     <allowedTypePatterns>/apps/mytenant2/components/.*</allowedTypePatterns>
                                 </options>
                             </netcentric-resourcetype-namespace>
+                            <netcentric-embedded-namespace>
+                                <options>
+                                    <allowedBundleSymbolicNamePatterns>some-unused-prefix</allowedBundleSymbolicNamePatterns>
+                                </options>
+                            </netcentric-embedded-namespace>
                         </validatorsSettings>
                     </configuration>
                     <dependencies>

diff --git a/src/it/outside-namespace/verify.groovy b/src/it/outside-namespace/verify.groovy
@@ -23,10 +23,12 @@ assert buildLog.contains("""[ERROR] ValidationViolation: Filter root '/home/user
 
 // container-package
 assert buildLog.contains("""[ERROR] ValidationViolation: Filter root '/apps/mytenant/config' is not allowed (does not match any of the allowed patterns [/apps/mytenant2(/.*)?,/conf/mytenant2(/.*)?,/home/users/mytenant2(/.*)?,/oak:index/mytenant2-(.*)]) @ META-INF${File.separator}vault${File.separator}filter.xml, validator: netcentric-filter-namespace
+[ERROR] ValidationViolation: Filter root '/apps/mytenant/install/commons-lang3-3.17.0.jar' is not allowed (does not match any of the allowed patterns [/apps/mytenant2(/.*)?,/conf/mytenant2(/.*)?,/home/users/mytenant2(/.*)?,/oak:index/mytenant2-(.*)]) @ META-INF${File.separator}vault${File.separator}filter.xml, validator: netcentric-filter-namespace
 [ERROR] ValidationViolation: Package group 'biz.netcentric.filevault.validator.aem.namespace.it' is not allowed (does not match any of the group patterns [invalid-group]) @ META-INF${File.separator}vault${File.separator}properties.xml, validator: netcentric-packageid-namespace
 [ERROR] ValidationViolation: Package name 'container-package' is not allowed (does not match any of the name patterns [invalid-name]) @ META-INF${File.separator}vault${File.separator}properties.xml, validator: netcentric-packageid-namespace
 [ERROR] ValidationViolation: OSGi configuration PID 'com.example.mytenant.MyComponent2' is not allowed to be configured (does not match any of the allowed patterns [com\\.example\\.mytenant2\\..*]) @ jcr_root${File.separator}apps${File.separator}mytenant${File.separator}config${File.separator}com.example.mytenant.MyComponent2.cfg.json, validator: jackrabbit-osgiconfigparser
 [ERROR] ValidationViolation: OSGi configuration PID 'com.example.mytenant.MyComponent' is not allowed to be configured (does not match any of the allowed patterns [com\\.example\\.mytenant2\\..*]) @ jcr_root${File.separator}apps${File.separator}mytenant${File.separator}config${File.separator}com.example.mytenant.MyComponent~name.cfg.json, validator: jackrabbit-osgiconfigparser
-[ERROR] ValidationViolation: OSGi factory configuration PID 'com.example.mytenant.MyComponent' is not allowed with the given subname 'name' (does not match any of the allowed patterns [othername.*]) @ jcr_root${File.separator}apps${File.separator}mytenant${File.separator}config${File.separator}com.example.mytenant.MyComponent~name.cfg.json, validator: jackrabbit-osgiconfigparser""") : 'container-package'
+[ERROR] ValidationViolation: OSGi factory configuration PID 'com.example.mytenant.MyComponent' is not allowed with the given subname 'name' (does not match any of the allowed patterns [othername.*]) @ jcr_root${File.separator}apps${File.separator}mytenant${File.separator}config${File.separator}com.example.mytenant.MyComponent~name.cfg.json, validator: jackrabbit-osgiconfigparser
+[ERROR] ValidationViolation: Bundle-SymbolicName 'org.apache.commons.lang3' does not match any of the allowed patterns [some-unused-prefix] @ jcr_root${File.separator}apps${File.separator}mytenant${File.separator}install${File.separator}commons-lang3-3.17.0.jar, validator: netcentric-embedded-namespace""") : 'container-package'
 
 return true