Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

Authorization - Permissions for public and secure portions of site

rohits9014799
Level 1
Level 1

Hi,

I have two portions of site. One is public to all where as other one is secure (which will have couple of pages) . User will login from the public portion of the site (from Sign-In link in public navigation) and will redirect to Secure portion home page. 

How I have implemented this is by making redirect page in default login component to /content/<mysite>/<secure-home-page>.   I have created a secure-user group and only this group will have read access to the secure portion of the site. So if any user who doesnt belong to this group tries to login, he gets 404 page. But what i want is a custom page or pop-up where user will get a message that He doesnt have access to visit this area.

Can someone please help how this can be done?

Thanks

1 Accepted Solution
Yogesh_Upadhyay
Correct answer by
Level 5
Level 5

Rohit,

If user do not have access to page then they get 403 status code. But since for CQ no access = pages does not exist, thats why you are seeing 404 page. You can always extend your 404 under /apps/sling/servlet/errorhandler/default.jsp and 404.jsp to show correct behavior. You can also manage your custom redirect or pop up here.

Sample code snippet for default.jsp 

 

int statusCode = (scObject != null) ? scObject.intValue() : HttpServletResponse.SC_INTERNAL_SERVER_ERROR;

    

    if(statusCode==404){

        boolean pageExist = true;

        ResourceResolverFactory rrfac = sling.getService(ResourceResolverFactory.class);

        Map<String,Object> authInfo = new HashMap<String,Object>();

        //Change this code in future to use read only user

        authInfo.put(ResourceResolverFactory.USER_IMPERSONATION,"SOME USER WITH READ ACCESS");

        ResourceResolver rr=null;

        try{

            rr = rrfac.getAdministrativeResourceResolver(authInfo);

            //You want to ideally check for .html resources. All other resources should be egnored

            pageExist = (!slingRequest.getRequestURI().endsWith(".json") && !slingRequest.getRequestURI().endsWith(".xml") && !(rr.resolve(slingRequest,slingRequest.getRequestURI()) instanceof NonExistingResource)); 

        }catch(Exception e){

            pageExist=false;

        }finally{

            if(rr!=null){

                rr.close();

            }

        }

        

    

        // Handle 403

        

        if(pageExist && statusCode==404){

            Externalizer externalizer = sling.getService(Externalizer.class);

            if ( url.contains("/SOMELINK/") ){

                pageURL = YOUR CUSTOM 403 PAGE;

 

             }else{

                 pageURL = SOME OTHER CUSTOM 403;

             }

            

            statusCode = 403;

        }

        

 

Yogesh    

View solution in original post

2 Replies
Yogesh_Upadhyay
Correct answer by
Level 5
Level 5

Rohit,

If user do not have access to page then they get 403 status code. But since for CQ no access = pages does not exist, thats why you are seeing 404 page. You can always extend your 404 under /apps/sling/servlet/errorhandler/default.jsp and 404.jsp to show correct behavior. You can also manage your custom redirect or pop up here.

Sample code snippet for default.jsp 

 

int statusCode = (scObject != null) ? scObject.intValue() : HttpServletResponse.SC_INTERNAL_SERVER_ERROR;

    

    if(statusCode==404){

        boolean pageExist = true;

        ResourceResolverFactory rrfac = sling.getService(ResourceResolverFactory.class);

        Map<String,Object> authInfo = new HashMap<String,Object>();

        //Change this code in future to use read only user

        authInfo.put(ResourceResolverFactory.USER_IMPERSONATION,"SOME USER WITH READ ACCESS");

        ResourceResolver rr=null;

        try{

            rr = rrfac.getAdministrativeResourceResolver(authInfo);

            //You want to ideally check for .html resources. All other resources should be egnored

            pageExist = (!slingRequest.getRequestURI().endsWith(".json") && !slingRequest.getRequestURI().endsWith(".xml") && !(rr.resolve(slingRequest,slingRequest.getRequestURI()) instanceof NonExistingResource)); 

        }catch(Exception e){

            pageExist=false;

        }finally{

            if(rr!=null){

                rr.close();

            }

        }

        

    

        // Handle 403

        

        if(pageExist && statusCode==404){

            Externalizer externalizer = sling.getService(Externalizer.class);

            if ( url.contains("/SOMELINK/") ){

                pageURL = YOUR CUSTOM 403 PAGE;

 

             }else{

                 pageURL = SOME OTHER CUSTOM 403;

             }

            

            statusCode = 403;

        }

        

 

Yogesh    

rohits9014799
Level 1
Level 1

Thanks Yogesh,

That was a nice explanation. So by your reply i believe my approach using the groups is ok. 

I have another use case here. I have multiple sites and every site will have its own security group. So will this 404 jsp be able to handle for all? 

Thanks

Rohit