SOLVED

Authorization - Permissions for public and secure portions of site


Level 1

Hi,

I have two portions of the site. One is public to all, whereas the other one is secure (it will have a couple of pages). The user will log in from the public portion of the site (from the Sign-In link in the public navigation) and will be redirected to the secure portion's home page.

How I have implemented this is by making the redirect page in the default login component /content/<mysite>/<secure-home-page>. I have created a secure-user group, and only this group will have read access to the secure portion of the site. So if any user who doesn't belong to this group tries to log in, he gets the 404 page. But what I want is a custom page or pop-up where the user gets a message that he doesn't have access to visit this area.

Can someone please help with how this can be done?

Thanks

1 Accepted Solution


Correct answer by
Level 5

Rohit,

If a user does not have access to a page, they get a 403 status code. But since for CQ no access = the page does not exist, that's why you are seeing the 404 page. You can always extend your 404 under /apps/sling/servlet/errorhandler/default.jsp and 404.jsp to show the correct behavior. You can also manage your custom redirect or pop-up here.

Sample code snippet for default.jsp (the directives at the top provide the sling, slingRequest and slingResponse objects and the imports the snippet uses):

    <%@ page import="java.util.HashMap,
                     java.util.Map,
                     javax.servlet.http.HttpServletResponse,
                     org.apache.sling.api.resource.NonExistingResource,
                     org.apache.sling.api.resource.ResourceResolver,
                     org.apache.sling.api.resource.ResourceResolverFactory" %>
    <%@ taglib prefix="sling" uri="http://sling.apache.org/taglibs/sling/1.0" %>
    <sling:defineObjects/>
    <%
        // Sling stores the status of the failed request in this attribute
        Integer scObject = (Integer) request.getAttribute("javax.servlet.error.status_code");
        int statusCode = (scObject != null) ? scObject.intValue() : HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
        String url = slingRequest.getRequestURI();
        String pageURL = null;

        if (statusCode == 404) {
            boolean pageExist = true;
            ResourceResolverFactory rrfac = sling.getService(ResourceResolverFactory.class);
            Map<String, Object> authInfo = new HashMap<String, Object>();
            // Change this code in future to use a read-only user:
            // getAdministrativeResourceResolver is deprecated, use getServiceResourceResolver
            // with a service user that only has read access to the protected trees.
            authInfo.put(ResourceResolverFactory.USER_IMPERSONATION, "SOME USER WITH READ ACCESS");
            ResourceResolver rr = null;
            try {
                rr = rrfac.getAdministrativeResourceResolver(authInfo);
                // Ideally only check .html resources; all other resources should be ignored.
                // The privileged resolver can see the page even when the requesting user
                // cannot, which is what distinguishes "missing" from "forbidden".
                pageExist = !url.endsWith(".json")
                         && !url.endsWith(".xml")
                         && !(rr.resolve(slingRequest, url) instanceof NonExistingResource);
            } catch (Exception e) {
                pageExist = false;
            } finally {
                if (rr != null) {
                    rr.close();
                }
            }

            // Handle 403: the page exists, so the user simply may not read it.
            // Note that answering 403 instead of 404 confirms to the caller that
            // the protected path exists, so keep this for logged-in users only
            // if that matters for your site.
            if (pageExist && statusCode == 404) {
                if (url.contains("/SOMELINK/")) {
                    pageURL = "YOUR CUSTOM 403 PAGE";
                } else {
                    pageURL = "SOME OTHER CUSTOM 403";
                }
                statusCode = 403;
            }
        }

        if (pageURL != null) {
            // Send the real status and render the custom page in place of the default one
            response.setStatus(statusCode);
            slingRequest.getRequestDispatcher(pageURL).include(slingRequest, slingResponse);
        }
    %>


Yogesh    


2 Replies


Level 1

Thanks Yogesh,

That was a nice explanation. So from your reply I believe my approach using the groups is OK.

I have another use case here. I have multiple sites, and every site will have its own security group. So will this 404 JSP be able to handle all of them?

Thanks

Rohit
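
Added example, not code from either poster: the existence check from the accepted answer rewritten as an OSGi service that the 404.jsp could call, using a mapped service user (the read-only user the answer defers to "the future") instead of an administrative resolver, and choosing the access-denied page per site by path prefix. That per-path selection is also what lets one global error handler under /apps/sling/servlet/errorhandler serve several sites that each have their own group, which is the follow-up question above. The package name, the subservice name, the site roots and the access-denied page paths are assumptions; the error-handler attribute, the Sling and OSGi APIs and the ServiceUserMapper configuration are real.

```java
package com.example.errorhandler; // assumed package

import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.resource.ResourceUtil;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

/**
 * Decides whether a 404 that reached the Sling error handler is really
 * "the page exists but this session may not read it", and which custom
 * access-denied page to render for it.
 *
 * A 404.jsp under /apps/sling/servlet/errorhandler would call
 * decide(slingRequest, 404) and, when the returned status is 403,
 * set response.setStatus(403) and include the returned page.
 */
@Component(service = AccessDeniedDecider.class)
public class AccessDeniedDecider {

    // Assumed subservice name. Map it to a system user that has only read
    // access to the protected trees, via an
    // org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended
    // config: user.mapping = "<bundle-symbolic-name>:error-handler-reader=<system-user>"
    static final String SUBSERVICE = "error-handler-reader";

    // Assumed per-site mapping: protected content root -> that site's access-denied page.
    private static final Map<String, String> DENIED_PAGE_BY_SITE;
    static {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("/content/site-a/secure", "/content/site-a/access-denied.html");
        m.put("/content/site-b/secure", "/content/site-b/access-denied.html");
        DENIED_PAGE_BY_SITE = Collections.unmodifiableMap(m);
    }
    private static final String DEFAULT_DENIED_PAGE = "/content/shared/access-denied.html";

    /** Outcome: the status to send and the page to render (null = keep the default handling). */
    public static final class Decision {
        public final int status;
        public final String pagePath;
        Decision(int status, String pagePath) { this.status = status; this.pagePath = pagePath; }
        static Decision unchanged(int status) { return new Decision(status, null); }
    }

    @Reference
    private ResourceResolverFactory resolverFactory;

    public Decision decide(SlingHttpServletRequest request, int statusCode) {
        if (statusCode != 404) {
            return Decision.unchanged(statusCode);
        }
        String uri = request.getRequestURI();
        // Only page requests get the 403 treatment; .json, .xml and other renditions stay 404.
        if (!uri.endsWith(".html")) {
            return Decision.unchanged(statusCode);
        }
        // Anonymous sessions keep the plain 404: turning it into a 403 would confirm to
        // unauthenticated clients which protected paths exist. Logged-in users without
        // the site's group get the explanatory page the question asks for.
        String userId = request.getResourceResolver().getUserID();
        if (userId == null || "anonymous".equals(userId)) {
            return Decision.unchanged(statusCode);
        }
        if (!existsForPrivilegedReader(request)) {
            return Decision.unchanged(statusCode);
        }
        return new Decision(403, deniedPageFor(uri));
    }

    /** True when a reader with rights on the protected trees can resolve the request. */
    private boolean existsForPrivilegedReader(SlingHttpServletRequest request) {
        Map<String, Object> auth =
            Collections.singletonMap(ResourceResolverFactory.SUBSERVICE, (Object) SUBSERVICE);
        try (ResourceResolver reader = resolverFactory.getServiceResourceResolver(auth)) {
            Resource r = reader.resolve(request, request.getRequestURI());
            return !ResourceUtil.isNonExistingResource(r);
        } catch (LoginException e) {
            // Service user not mapped or lacks rights: fail closed and leave the 404 as is.
            return false;
        }
    }

    /** Longest matching site root wins; unknown paths fall back to the shared page. */
    static String deniedPageFor(String uri) {
        String best = DEFAULT_DENIED_PAGE;
        int bestLen = -1;
        for (Map.Entry<String, String> e : DENIED_PAGE_BY_SITE.entrySet()) {
            if (uri.startsWith(e.getKey()) && e.getKey().length() > bestLen) {
                best = e.getValue();
                bestLen = e.getKey().length();
            }
        }
        return best;
    }
}
```

The service user only needs jcr:read on the protected trees, so a misconfiguration or a bug in the handler cannot be used to write anywhere, unlike the administrative resolver in the original snippet. Keeping the 404 for anonymous sessions is a deliberate choice: the secure pages are hidden from them by the group ACL, and a 403 would undo that by confirming the path exists.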