
caching secure pages in AEM


Level 3

Dear All,

I have a requirement where the user has to log in to see the pages. I have implemented it the way explained in https://docs.adobe.com/docs/en/dispatcher/permissions-cache.html.

But it's not really working. Our requirement is not whether the user has access to the page or not, as all users have access to all the pages. The only constraint I need to check is whether the user has a valid session or not. If not, I have to ask him to log in via SAML. I have configured my dispatcher as per the link above and wrote a permission check servlet. But after the first login, once the page is cached, the page is served from the cache even though I don't log in.

While serving from the cache, it doesn't even hit my servlet to authorize.

My dispatcher configuration is like this. I have removed some of the filters to hide identity, but it should not matter. Yes, this is my configuration.

/farms
{
    /website 
    {  
        /clientheaders
        {
            "*"
        }

        /virtualhosts
        {
            "*"
            #"https://*"
        }

        /renders
        {
            /rend01
            {
                /hostname "localhost"
                /port "4503"
                /ipv4 "1"
                /always-resolve "1"
                #/secure "1"
            }
        }

        /auth_checker
        {
            # request is sent to this URL with '?uri=<page>' appended
            /url "/bin/permissioncheck"

            # only the requested pages matching the filter section below are checked,
            # all other pages get delivered unchecked
            /filter
            {
                /0000 { /glob "*" /type "deny" }
                /0001 { /glob "/content/*.html" /type "allow" }
            }

            # any header line returned from the auth_checker's HEAD request matching
            # the section below will be returned as well
            /headers
            {
                /0000 { /glob "*" /type "deny" }
                /0001 { /glob "Set-Cookie:*" /type "allow" }
            }
        }

        /sessionmanagement
        {
            /header "Cookie:login-token"
            /directory "C:/AEM/dispatcher_cache/httpd/.sessions"
        }

        /filter
        {
            /0001 { /type "allow" /glob "* /*" }
            /0012 { /type "deny" /url "/system/*"}
            /0013 { /type "deny" /glob "/system/*"}
            /0014 { /type "deny" /url "/libs/*"   }
            /0015 { /type "deny" /glob "/libs/*"   }
            /0016 { /type "deny" /url "* /etc/*" }
            /0017 { /type "allow" /url "* /etc/designs/*" }
            /0018 { /type "allow" /url "* /etc/clientlib/*" }
            /0019 { /type "allow" /url "* /etc/segmentation.segment.js*" }
            /0020 { /type "deny" /url "* /etc/replication.xml*" }
            /0021 { /type "deny" /url "* /etc/replication.infinity.json*" }
            /0022 { /type "deny" /url "* /libs/opensocial/proxy*" }       
            /0023 { /type "allow" /url "/content*" }  # disable this rule to allow mapped content only
            /0024 { /type "deny" /url "/bin/crxde/logs"}
            /0025 { /type "deny" /url "/content/geometrixx.sitemap.txt"}
            /0026 { /type "deny" /url "/var/linkchecker.html"}
            /0027 { /type "deny" /url "/etc/linkchecker.html"}
            /0030 { /type "allow" /url "* /is/image*"   }
            /0031 { /type "allow" /url "* /is/content*"   } 
            /0041 { /type "allow" /url "*.css"   }  # enable css
            /0042 { /type "allow" /url "*.gif"   }  # enable gifs
            /0043 { /type "allow" /url "*.ico"   }  # enable icos
            /0044 { /type "allow" /url "*.js"    }  # enable javascript
            /0045 { /type "allow" /url "*.png"   }  # enable png
            /0046 { /type "allow" /url "*.swf"   }  # enable flash
            /0047 { /type "allow" /url "*.jpg"   }  # enable jpg
            /0048 { /type "allow" /url "*.jpeg"  }  # enable jpeg
            /0049 { /type "allow" /url "*.woff"  }  # enable woff font
            /0050 { /type "allow" /url "*.eot"  }   # enable eot
            /0051 { /type "allow" /url "*.svg"  }   # enable svg
            /0052 { /type "allow" /url "*.ttf"  }   # enable ttf
            /0053 { /type "allow" /url "*.doc"  }   # enable doc
            /0054 { /type "allow" /url "*.docx"  }   # enable docx
            /0055 { /type "allow" /url "*.pdf"  }   # enable pdf
            /0062 { /type "allow" /glob "/libs/cq/personalization/*"  }  # enable personalization
            /0063 { /type "allow" /glob "POST /content/[.]*.form.html" }  # allow POSTs to form selectors under content
            /0064 { /type "allow" /glob "POST /content/[.]*.commerce.cart.json" }  # allow POSTs to update
            /0065 { /type "allow" /glob  "/libs/wcm/stats/tracker.js"  }
            /0066 { /type "allow" /glob  "/libs/cq/personalization/components/clickstreamcloud/content/config.json"  }
            #/0067 { /type "allow" /glob  "/libs/cq/security/userinfo.json"  }
            /0095 { /type "deny"  /url "*.infinity.json" }
            /0096 { /type "deny"  /url "*.tidy.json"     }
            /0097 { /type "deny"  /url "*.sysview.xml"   }
            /0098 { /type "deny"  /url "*.docview.json"  }
            /0099 { /type "deny"  /url "*.docview.xml"  }
            /00100 { /type "deny"  /url "*.*[0-9].json" }
            #/00101 { /type "allow" /method "GET" /url "*.1.json" }  # allow one-level json requests
            /00102 { /type "deny"  /url "GET *.feed*"      }  
            /00103 { /type "deny" /url "GET /content*.json*" } 
            /00104 { /type "deny" /glob "GET /etc/*.json*" }
            /00105 { /type "deny"  /glob "GET *.feed*"  }
            /00106 { /type "deny"  /url "GET *.xml*"  }
            /00107 { /type "deny"  /glob "GET *.xml*"  }
            /00108 { /type "deny" /url "GET *.json*" }
            /00109 { /type "deny" /glob "GET *.json*" }
            /00119 { /type "allow"  /url "/bin/permissioncheck" }
            /00120 { /type "allow"  /url "GET /bin/permissioncheck" }
        }

        /cache
        {
            /docroot "C:/AEM/dispatcher_cache"  #environment specific
            /statfileslevel "0"
            /allowAuthorized "1"
            #/allowAuthorized "0"
            /serveStaleOnError "1"
            /rules
            {
                /0000
                {
                    /glob "*"
                    /type "allow"
                    #/type "deny"
                }
                /0001
                {
                    /glob "/en.sitemap.xml"
                    /type "deny"
                } 
            }

            /invalidate
            {
                /0000
                {
                    /glob "*"
                    /type "deny"
                }
                /0001
                {
                    /glob "*.html"
                    /type "allow"
                }
                /0002
                {
                    /glob "/etc/segmentation.segment.js"
                    /type "allow"
                }
                /0003
                {
                    /glob "*/analytics.sitecatalyst.js"
                    /type "allow"
                }
                #/0004
                    #{
                    #/glob "/en.sitemap.xml"
                    #/type "allow"
                    #}  
            }

            /allowedClients
            {

                /0000
                {
                    /glob "*"
                    /type "deny"
                }
                /0001
                {
                    /glob "127.0.*.*"
                    /type "allow"
                }
            }
            /ignoreUrlParams
            {
                /0001 { /glob "*" /type "allow" }
                /0002 { /glob "q" /type "deny" }
            }
        }

        /statistics
        {
            /categories
            {
                /html
                {
                    /glob "*.html"
                }
                /others
                {
                    /glob "*"
                }
            }
        }
        /retryDelay "2"
        /numberOfRetries "5"
        /unavailablePenalty "5"
        /failover "1"
    }
}

My servlet code is:

import javax.jcr.Session;
import org.apache.commons.lang3.StringUtils;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.adobe.granite.security.user.UserProperties;

// Dispatcher sends "HEAD /bin/permissioncheck?uri=<page>" with the client's headers
// (including the login-token cookie) before it serves a cached page.
@SlingServlet(paths = "/bin/permissioncheck", methods = "HEAD")
public class PermissionCheckServlet extends SlingSafeMethodsServlet {

    private static final Logger logger = LoggerFactory.getLogger(PermissionCheckServlet.class);

    @Override
    protected void doHead(SlingHttpServletRequest request, SlingHttpServletResponse response) {
        // the page the client asked for (only logged here, since every logged-in user may see every page)
        String uri = request.getParameter("uri");
        // the session the request was authenticated with; on publish, a request without a valid
        // session resolves to the "anonymous" user rather than to null, so that case must be rejected explicitly
        Session session = request.getResourceResolver().adaptTo(Session.class);
        UserProperties userProps = request.adaptTo(UserProperties.class);

        boolean loggedIn = session != null
                && !"anonymous".equals(session.getUserID())
                && userProps != null
                && StringUtils.isNotEmpty(userProps.getAuthorizableID());

        if (loggedIn) {
            logger.info("authchecker says OK, user {} requested {}", userProps.getAuthorizableID(), uri);
            response.setStatus(SlingHttpServletResponse.SC_OK);
        } else {
            // userProps may be null here, so it must not be dereferenced (the original did, throwing an NPE)
            logger.info("authchecker says FORBIDDEN for {} (session user: {})", uri,
                    session == null ? "none" : session.getUserID());
            response.setStatus(SlingHttpServletResponse.SC_FORBIDDEN);
        }
    }
}

Please suggest how to make sure the user is logged in before rendering from the cache.

3 Replies


Level 10

I have a requirement where the user has to login to see the pages. I have implemented the way explained in the https://docs.adobe.com/docs/en/dispatcher/permissions-cache.html.

What is happening when you follow the documentation? 


Level 3

Hi,

I am facing the following issues after I implemented according to the documentation,

1. When we set allowAuthorized to 1, the page caches. But as soon as the page is cached, when the next user tries to access it, the dispatcher serves the page from the cache without asking him to log in.

2. When we set allowAuthorized to 0, the page won't get cached, and it works fine, asking the user to log in if he has not logged in, but the page always gets rendered from the publisher.

What we need is to cache the page and have the dispatcher invoke my authorize servlet to check whether he has logged in or not; if yes, then render from the cache, if not, then redirect him to login.
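For reference, this is what the documented permission-sensitive caching setup looks like as one farm, written as an added example rather than the poster's configuration above or Adobe's sample. It combines the two behaviours listed in the reply: /allowAuthorized "1" is what lets a page requested by a logged-in user (a request carrying a session) be written to the cache at all, and the /auth_checker section is what makes the dispatcher send a HEAD request to /bin/permissioncheck before serving a cached copy of a matching page instead of serving it blindly. Adobe's dispatcher documentation states that /sessionmanagement and /allowAuthorized are mutually exclusive, so the /sessionmanagement block from the original configuration is deliberately left out; /sessionmanagement is the alternative scheme in which the dispatcher tracks sessions itself in a directory. /bin/permissioncheck and the /content/*.html filter are taken from the post; the hostname, port, docroot and allowed-client address are placeholders.

```text
/farms
{
    /website
    {
        # the auth_checker HEAD request is built from the client's headers, so at
        # minimum the Cookie header (carrying login-token) must reach the render
        /clientheaders
        {
            "*"
        }

        /virtualhosts
        {
            "*"
        }

        /renders
        {
            /rend01
            {
                /hostname "publish.example.internal"   # placeholder
                /port "4503"
            }
        }

        /auth_checker
        {
            # the render answers "HEAD /bin/permissioncheck?uri=<page>" with 200 (serve the
            # cached copy) or with any other status (do not serve the cached copy)
            /url "/bin/permissioncheck"

            # only paths matched here are checked; everything else is served unchecked,
            # so the allow globs must cover every page that requires a login
            /filter
            {
                /0000 { /glob "*" /type "deny" }
                /0001 { /glob "/content/*.html" /type "allow" }
            }

            # response headers of the HEAD request that are passed on to the client
            /headers
            {
                /0000 { /glob "*" /type "deny" }
                /0001 { /glob "Set-Cookie:*" /type "allow" }
            }
        }

        # no /sessionmanagement section: it is mutually exclusive with /allowAuthorized

        /filter
        {
            /0001 { /type "deny" /glob "*" }
            /0002 { /type "allow" /url "/content/*" }
            /0003 { /type "allow" /url "/etc/designs/*" }
            /0004 { /type "allow" /url "/etc/clientlibs/*" }
        }

        /cache
        {
            /docroot "/var/www/dispatcher/cache"   # placeholder

            # cache responses to requests that carry a session (login-token cookie or
            # Authorization header); with "0" such requests are never written to the cache
            /allowAuthorized "1"

            /rules
            {
                /0000 { /glob "*" /type "allow" }
            }

            /invalidate
            {
                /0000 { /glob "*" /type "deny" }
                /0001 { /glob "*.html" /type "allow" }
            }

            /allowedClients
            {
                /0000 { /glob "*" /type "deny" }
                /0001 { /glob "127.0.0.1" /type "allow" }   # placeholder: the publish instance
            }
        }
    }
}
```

Two caveats follow from this model. The cached file is a single rendition shared by every user who passes the check, so it only fits content that every logged-in user is allowed to see, which is the situation described in the post; any per-user markup has to stay uncacheable through /cache /rules. And a page not matched by the /auth_checker /filter allow globs is served from the cache without any check, so those globs must cover every login-protected path, including non-.html renditions if the site exposes any.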


Level 3

Hi Ravi,

Following up on your question above, did you get a chance to find a solution to this problem?