We want to use a custom permission sensitive caching (https://docs.adobe.com/docs/en/dispatcher/permissions-cache.html)
Initial situation:
We create our own custom authchecker servlet and configure the dispatcher to use this servlet to check the permissions. We do not use CUG because of the requirements of the customer.
We expect the Dispatcher to not deliver content which the auth checker responds with a 403.
Anyways even in a 403 scenario the dispatcher requests the page and deliveres the content if the content itself is not protected through permissions.
The following diagram shows what is happening for an NON authorized user (screen 1):
- The request of the user is passed to the dispatcher
- The dispatcher request by using a HEAD request to our custom servlet
- Our custom servlet defines that the user has no permission
- Our custom servlet returns the status 403
- Dispatcher receives the response of our servlet
- Dispatcher requests the page for AEM à this we do not understand, why asking for the content if not permitted?
- AEM renders the page
- AEM returns the page
- Dispatcher return the complete page to the client
We do not understand why in step 5 the dispatcher requests the page from AEM when the servlet returns a 403.
We expected that a 403 is return to the client (step 6) (screen2).
Thank you for your help/tips.
Martina
