CUG pages are getting cached in Dispatcher

Avatar

Avatar

Mayukh007

Avatar

Mayukh007

Mayukh007

02-12-2020

HI,

 

We are at AEM 6.5.5, running deployments using Adobe Cloud Manager.

We are trying to implement CUG (Closed User Group) but I am seeing 2 new issues which I did not see when I first tried CUG 8/9 months back.

 

1. Could not login to CUG page using Dispatcher URL and was getting error at "/libs/granite/core/content/login.html/j_security_check".

Had to add this rule in Dispatcher to get this resolved.

 

File name - publish-filter-after.any
Rule - /0065 { /type "allow" /glob "*j_security_check*" }

 

2. Now I find that CUG pages getting automatically cached in Dispatcher which it should not and thus after first user logs in, from next user onwards Dispatcher is serving the cached page, making CUG authentication irrelevant...User is no longer getting challenged for Authentication.

 

These are 2 entire new things I am seeing now which was not like that before...

Does anyone have any pointer..?

Replies

Avatar

Avatar

sureshd71454102

Avatar

sureshd71454102

sureshd71454102

02-12-2020

did you check your cache rules?

you can deny cache of this page

 

## Don't cache login token or pages

/0220 {

 /glob "/libs/granite/core/content/login*"

/type "deny"

}

Avatar

Avatar

Mayukh007

Avatar

Mayukh007

Mayukh007

02-12-2020

It is caching any CUG page I am accessing in the site, not the login page. I can provide detail on my caching rules if you can point me to what you want me to look at..

Avatar

Avatar

sureshd71454102

Avatar

sureshd71454102

sureshd71454102

03-12-2020

Please provide the details , did you try with CUG page path deny in cache rules?

Avatar

Avatar

Mayukh007

Avatar

Mayukh007

Mayukh007

03-12-2020

HI Suresh, We allow everything for Dispatcher to cache. But as per CUG documentation, CUG pages are not cached by default unless we set "allowAuthorized 1" which makes sense as I dont know what will be path of CUG page in advance, any page can or can not be CUG set by Content Author on the Authoring Production. The only place we have "allowAuthorized" set as 1 is in Author farm files.

Avatar

Avatar

sureshd71454102

Avatar

sureshd71454102

sureshd71454102

03-12-2020

you are correct. allowAuthorized set to "0" should work. Can you check dispatcher logs and observe the farm getting invoked and rule applying, when you access the page

Avatar

Avatar

Mayukh007

Avatar

Mayukh007

Mayukh007

03-12-2020

I enabled Debug mode in dispatcher and ran the login steps. Here is what I see for my "cugpage" which is a CUG page and Dispatcher by default should not try to create cache for this 

 

domain/cugpage.html

xxxxxx :/mnt/var/log/httpd tail -f *.* | grep "cugpage"
[Thu Dec 03 18:28:29 2020] [D] [pid 10155] checking [/content/consumer-portal/en_CA/cugpage.html]
[Thu Dec 03 18:28:29 2020] [D] [pid 10155] cachefile does not exist: /mnt/var/www/html/content/consumer-portal/en_CA/cugpage.html
[Thu Dec 03 18:28:29 2020] [D] [pid 10155] try to create new cachefile: /mnt/var/www/html/content/consumer-portal/en_CA/cugpage.html
[Thu Dec 03 18:28:29 2020] [D] [pid 10155] cache-action for [/content/consumer-portal/en_CA/cugpage.html]: CREATE
[Thu Dec 03 18:28:29 2020] [D] [pid 10155] response.headers[Location] = "domain/libs/granite/core/content/login.html?resource=%2Fcontent%2Fconsumer-portal%2Fen_CA%2Fcugpage.html&$$login$$=%24%24login%24%24&j_reason=unknown&j_reason_code=unknown"
[Thu Dec 03 18:28:29 2020] [I] [pid 10155] "GET /content/consumer-portal/en_CA/cugpage.html" 302 - 4ms [cugfarm/0]
[Thu Dec 03 18:28:29 2020] [D] [pid 10155] request contains a query string: resource=%2Fcontent%2Fconsumer-portal%2Fen_CA%2Fcugpage.html&$$login$$=%24%24login%24%24&j_reason=unknown&j_reason_code=unknown
[Thu Dec 03 18:28:29 2020] [I] [pid 10155] "GET /libs/granite/core/content/login.html?resource=%2Fcontent%2Fconsumer-portal%2Fen_CA%2Fcugpage.html&$$login$$=%24%24login%24%24&j_reason=unknown&j_reason_code=unknown" 200 12089 26ms [cugfarm/0]

Enter credential and hit login
[Thu Dec 03 18:30:17 2020] [D] [pid 10546] checking [/content/consumer-portal/en_CA/cugpage.html]
[Thu Dec 03 18:30:17 2020] [D] [pid 10546] cachefile does not exist: /mnt/var/www/html/content/consumer-portal/en_CA/cugpage.html
[Thu Dec 03 18:30:17 2020] [D] [pid 10546] try to create new cachefile: /mnt/var/www/html/content/consumer-portal/en_CA/cugpage.html
[Thu Dec 03 18:30:17 2020] [D] [pid 10546] cache-action for [/content/consumer-portal/en_CA/cugpage.html]: CREATE
[Thu Dec 03 18:30:18 2020] [D] [pid 10546] Cache file successfully created: /mnt/var/www/html/content/consumer-portal/en_CA/cugpage.html
[Thu Dec 03 18:30:18 2020] [I] [pid 10546] "GET /content/consumer-portal/en_CA/cugpage.html" - + 688ms [cugfarm/0]

Avatar

Avatar

Jörg_Hoh

Employee

Total Posts

3.0K

Likes

954

Correct Reply

1.0K

Avatar

Jörg_Hoh

Employee

Total Posts

3.0K

Likes

954

Correct Reply

1.0K
Jörg_Hoh
Employee

03-12-2020

When you use CUGs and want to cache protected content, you should use "Permission Sensitive Caching", see the documentation at https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/permissions-...

Avatar

Avatar

Mayukh007

Avatar

Mayukh007

Mayukh007

03-12-2020

Jörg_Hoh , I am not trying to cache CUG pages. My expectation is CUG pages by default never cache in Dispatcher, otherwise if it gets cached into Dispatcher the Authentication will not happen for next user onwards as Dispatcher will serve the page without checking the Authentication...My problem is my CUG pages getting cached and I dont want that to happen.

Avatar

Avatar

Jörg_Hoh

Employee

Total Posts

3.0K

Likes

954

Correct Reply

1.0K

Avatar

Jörg_Hoh

Employee

Total Posts

3.0K

Likes

954

Correct Reply

1.0K
Jörg_Hoh
Employee

03-12-2020

Hi,

 

by default the dispatcher does not cache any files, for which the request has certain "authentication" headers. That is an "authorization" header or a cookie "authorization" resp "login-token". If any of these are present, the dispatcher won't cache the files, unless you explicitly configure it to do so.