SOLVED

AEM 6.5 : Permission Sensitive caching not working as expected


Level 1

Hi Everyone - I did the following implementation to enable permission-sensitive caching in my AEM 6.5 instance:

1. Created an AuthCheckerServlet at /bin/permissionChecker

2. Added an /auth_checker section in the dispatcher file with its /url mapped to the URI in #1 above

3. Added /allowAuthorized "1" in the /cache section

4. Restarted the dispatcher


I verified the following in the dispatcher log:

1. On dispatcher start, I see the message "Authorization checker: initialized with URL '/bin/permissionChecker'"

2. When I go to any secured page, I see the following in the dispatcher log:

[Wed Oct 29 21:31:39 2025] [D] [xxx] Authorization checker: backend answered with status code: 403

[Wed Oct 29 21:31:39 2025] [D] [xxx] No socket reuse: response body not fully consumed

[Wed Oct 29 21:31:39 2025] [I] [xxx] authorization checker denied access: /mnt/var/www/html/content/abc/secure.html

[Wed Oct 29 21:31:39 2025] [D] [xxx] cache-action for [/content/abc/secure.html]: NONE

[Wed Oct 29 21:31:39 2025] [I] [xxx] "GET /content/abc/secure.html" 200 none [publishfarm/0] 53ms


I verified the following in the publish logs:

1. log message where I am explicitly setting response code 403:

response.setStatus(SlingHttpServletResponse.SC_FORBIDDEN);

I tried multiple options but I am unable to deny access to secure.html. Want to check if I missed any steps or any additional configurations?

Thanks in advance
1 Accepted Solution


Correct answer by
Employee Advisor

Hello,


  1. Create the AuthCheckerServlet at /bin/permissionChecker. It should return HTTP 200 if access is allowed and HTTP 403 with an empty body if access is denied.

  2. In the Dispatcher configuration file (dispatcher.any or .farm), add the following:

    /auth_checker {
      /url "/bin/permissionChecker"
      /timeout "3000"
    }

    In the /cache section, set /allowAuthorized "1". Optionally, add rules to protect secure pages:

    /rules {
      /0001 { /glob "*" /type "allow" }
      /0002 { /glob "/content/abc/secure.html" /type "deny" }
    }

  3. Restart the Dispatcher to apply the new configuration.

  4. Verify the setup by checking Dispatcher logs for initialization of /bin/permissionChecker and 403 responses on secure pages. Also confirm the servlet returns correct status codes.

  5. Test by accessing a secure page as an unauthorized user; Dispatcher should return 403 Forbidden and not cache the response.


2 Replies


Level 6

Hi @MayankSa 

Your setup is almost right — the issue is likely AEM publish permissions or the AuthCheckerServlet response.

Quick checklist:

1. Servlet must return:

200 → authorized

403 → unauthorized (no redirect, no body)

2. dispatcher.any:

/auth_checker {
  /url "/bin/permissionChecker"
  /filter {
    /0001 { /glob "/content/abc/secure/*" /type "allow" }
  }
}
/cache { /allowAuthorized "1" }

3. Remove anonymous read access on /content/abc/secure in AEM Publish.

4. Ensure the Dispatcher farm handling this path has the /auth_checker config.

If secure pages are still served with 200, your publish instance is allowing public access.

Hope this is helpful :)


Regards,

Karishma.
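The reply above makes the point that the questioner's own log already shows: the checker answered 403 and the cache action was NONE, yet the request was still forwarded to publish and came back 200. The auth checker only decides whether Dispatcher may serve or store a cached copy; it never blocks the pass-through to publish, so the servlet and the publish ACLs must deny the same users. The servlet below is an added example written for this thread, not code from the original post or from Adobe. The package and class names are hypothetical; it follows the pattern of Adobe's documented sample in reading the `uri` request parameter that Dispatcher sends and answering HEAD requests, and it evaluates read access through the resource resolver of the calling user so that the same JCR permissions publish applies when rendering the page decide the answer.

```java
// Added example (not from the thread): an auth checker servlet for Dispatcher
// permission-sensitive caching. Package and class name are hypothetical.
package com.example.dispatcher;

import java.io.IOException;
import javax.servlet.Servlet;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceUtil;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component(service = Servlet.class, property = {
        "sling.servlet.paths=/bin/permissionChecker",
        "sling.servlet.methods=HEAD",
        "sling.servlet.methods=GET"
})
public class PermissionCheckerServlet extends SlingSafeMethodsServlet {

    private static final Logger LOG = LoggerFactory.getLogger(PermissionCheckerServlet.class);

    // Dispatcher issues a HEAD request; GET is answered identically so the
    // servlet can be exercised by hand with a browser or curl.
    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        doHead(request, response);
    }

    @Override
    protected void doHead(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        // Dispatcher passes the requested page as the "uri" parameter,
        // e.g. /content/abc/secure.html
        String uri = request.getParameter("uri");

        // Fail closed: a missing, relative or traversal-looking uri is denied.
        if (uri == null || !uri.startsWith("/") || uri.contains("..")) {
            deny(response, uri);
            return;
        }

        // The resolver is bound to the user identified by the cookies Dispatcher
        // forwarded with the check (anonymous if none), so resolving the path
        // already applies that user's JCR read ACLs. A page the user may not
        // read resolves to a NonExistingResource.
        ResourceResolver resolver = request.getResourceResolver();
        Resource resource = resolver.resolve(request, uri);
        if (ResourceUtil.isNonExistingResource(resource)) {
            deny(response, uri);
            return;
        }

        LOG.debug("permission checker: allow {} for user {}", uri, resolver.getUserID());
        response.setStatus(SlingHttpServletResponse.SC_OK);
        response.setContentLength(0);
    }

    private static void deny(SlingHttpServletResponse response, String uri) {
        LOG.debug("permission checker: deny {}", uri);
        // 403 with an empty body and no redirect, which is what Dispatcher expects.
        response.setStatus(SlingHttpServletResponse.SC_FORBIDDEN);
        response.setContentLength(0);
    }
}
```

Because the decision comes from the caller's own resolver, the servlet returns 403 for exactly those users publish would refuse to render the page for; if it returns 403 while publish still serves the page with 200, anonymous read on the secure path has not been removed in publish, which is the situation the reply describes. A direct request to the publish instance for the secure page, bypassing Dispatcher, is the quickest way to confirm which side is still granting access.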
