How to get a 403 error when trying to access a CUGs protected DAM asset? | Community
Skip to main content
jayv25585659
jayv25585659
Level 8
July 16, 2019
Solved

How to get a 403 error when trying to access a CUGs protected DAM asset?

  • July 16, 2019
  • 3 replies
  • 2686 views

setup/configuration

  1. using OKTA SSO which I configured using the SAML authentication configuration
  2. Looking at the code base and CRXDE, I can see we are using ACS commons error handling.
  3. I can only see a 404.jsp and a default.jsp in /apps/sling/servlet/errorhandler
  4. I have a 403.html, 404.html and default.html in /content/mysite/en/errors. This path has been configured in com.adobe.acs.commons.errorpagehandler.impl.ErrorPageHandlerImpl.xml
  5. I have several custom user groups in AEM. These includes role-customer, role-staff, role-contractor and many others.
  6. I'm a member of the role-staff.

test I've done

  1. I CUGs protected a published page and all groups can access the page. I can view the published page.
  2. I CUGs protected a published page and restricted access to only role-staff. I can view the published page.
  3. I CUGs protected a published page and restricted access to only role-contractor. I visited the page and I got the 403 page. A 403 is the the expected result.
  4. I CUGs protected a DAM folder (/content/dam/documents/myfolder) and all groups can access the folder. I can view one of the PDFs inside the folder.
  5. I CUGs protected a DAM folder (/content/dam/documents/myfolder) and gave access to role-staff only. I can view one of the PDFs inside the folder.
  6. I CUGs protected a DAM folder (/content/dam/documents/myfolder) with access to only role-contractor. I tried viewing one of the PDFs inside the folder and I got a 404 error instead of a 403.

I looked at https://adobe-consulting-services.github.io/acs-aem-commons/features/error-handler/index.html and there doesn't seemed to be DAM specific configuration required.

Any ideas on how to fix the problem?

Thanks!

    This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
    Best answer by joerghoh

    It is security best practices not to indicate a failed authentication, and treat it instead always with the same handling as if the resource is not there at all. As HTTP status codes: Never send a 403, but send a 404 instead.

    This is the default implementation for AEM as well. Why do you want to deviate from that practice?

    Jörg

    3 replies

    joerghoh
    Adobe Employee
    joerghohAdobe EmployeeAccepted solution
    Adobe Employee
    July 16, 2019

    It is security best practices not to indicate a failed authentication, and treat it instead always with the same handling as if the resource is not there at all. As HTTP status codes: Never send a 403, but send a 404 instead.

    This is the default implementation for AEM as well. Why do you want to deviate from that practice?

    Jörg

      jayv25585659
      jayv25585659Author
      Level 8
      July 22, 2019

      We want to deviate from the default because we have a need.

      In addition to that, we have variations/changes to various built-in components (RTE and image component comes to mind) because of our needs as well.

      ------------------------

      Can you please tell me how to change the default to a 404? Thanks

      joerghoh
      Adobe Employee
      joerghohAdobe Employee
      Adobe Employee
      July 22, 2019

      You need to adapt the error handler. See /libs/sling/servlet/errorhandler/default.jsp for the default. You need to overwrite this logic (by overlaying) and need to find out if it's a real 404 or rather a 403 (use an admin-session and check if this resource is really there or missing).

        Terms & ConditionsAccessibility statement

        Loading footer...