Custom permission sensitive caching | Community
martina_schwed
October 16, 2015
Solved

Custom permission sensitive caching


We want to use custom permission-sensitive caching (https://docs.adobe.com/docs/en/dispatcher/permissions-cache.html).

Initial situation:
We create our own custom auth checker servlet and configure the dispatcher to use this servlet to check the permissions. We do not use CUG because of the requirements of the customer.

 

We expect the Dispatcher to not deliver content for which the auth checker responds with a 403.
Anyway, even in a 403 scenario the dispatcher requests the page and delivers the content if the content itself is not protected through permissions.

The following diagram shows what is happening for a non-authorized user (screen 1):

  • The request of the user is passed to the dispatcher
  • The dispatcher sends a HEAD request to our custom servlet
  • Our custom servlet determines that the user has no permission
  • Our custom servlet returns the status 403
  • Dispatcher receives the response of our servlet
  • Dispatcher requests the page from AEM -> this we do not understand, why ask for the content if not permitted?
  • AEM renders the page
  • AEM returns the page
  • Dispatcher returns the complete page to the client

We do not understand why in step 5 the dispatcher requests the page from AEM when the servlet returns a 403.

We expected that a 403 is returned to the client (step 6) (screen 2).

 

Thank you for your help/tips.

Martina


2 replies

Sham_HC (Accepted solution)
October 16, 2015

You are misusing PSC for the requirement. When a 403 is returned from the servlet, the request is forwarded to the publish instance as anonymous, so that its response (such as a login page) is returned. But in your case the page is technically not protected, and hence it is served.

For your use case make use of mod_security. One sample use case is at https://helpx.adobe.com/experience-manager/kb/restrict-system-administrator-login-specific.html
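To make the behaviour described in the question and in the accepted answer concrete, here is an added simulation of the PSC decision flow (this is example code written for this page, not Adobe's Dispatcher code or the poster's servlet). It models the flow as the thread describes it: the dispatcher sends a HEAD request to the auth checker; on 200 it may serve from cache; on 403 it does not answer 403 itself but forwards the request to publish as anonymous and relays whatever publish returns. The repository, the auth-checker rules, the page paths and the user names are all constructed assumptions. The point it shows is that PSC only gates the cache; the actual authorization has to come from the publish instance (repository ACLs), otherwise an "unprotected" page is rendered for anonymous and handed to the unauthorized user anyway.

```python
"""Simulation of Dispatcher permission-sensitive caching (PSC), as described
in the thread. Constructed example: publish instance, auth checker and
repository are in-memory stand-ins, not real AEM."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Request:
    path: str
    user: Optional[str]  # None means anonymous


@dataclass
class Response:
    status: int
    body: str


# Modelled publish instance: path -> (body, users allowed by repository ACL).
# An ACL of None means "readable by everyone", i.e. the page is technically
# not protected, which is the situation in the question.
REPO: Dict[str, Tuple[str, Optional[Set[str]]]] = {
    "/content/site/public.html": ("public page", None),
    "/content/site/unprotected-secret.html": ("secret, but readable by everyone", None),
    "/content/site/acl-protected.html": ("secret, ACL protected", {"alice"}),
}


def publish_render(req: Request) -> Response:
    """Publish renders a page only if the repository ACL allows the user."""
    entry = REPO.get(req.path)
    if entry is None:
        return Response(404, "not found")
    body, allowed = entry
    if allowed is not None and req.user not in allowed:
        # Anonymous gets the login page, a known but unauthorized user gets 403.
        return Response(401, "login page") if req.user is None else Response(403, "forbidden")
    return Response(200, body)


# The customer's business rule, implemented in the custom auth checker servlet.
# Note it claims both secret pages are restricted, regardless of the real ACL.
CUSTOM_RULES: Dict[str, Set[str]] = {
    "/content/site/unprotected-secret.html": {"alice"},
    "/content/site/acl-protected.html": {"alice"},
}


def auth_checker(req: Request) -> int:
    """HEAD handler: 200 if the user may see the path, otherwise 403."""
    allowed = CUSTOM_RULES.get(req.path)
    if allowed is None:
        return 200
    return 200 if req.user in allowed else 403


class Dispatcher:
    """Dispatcher with a cache and PSC enabled for the given paths."""

    def __init__(self, psc_paths: Set[str]) -> None:
        self.cache: Dict[str, str] = {}
        self.psc_paths = psc_paths

    def handle(self, req: Request) -> Response:
        if req.path in self.psc_paths and auth_checker(req) == 403:
            # Per the accepted answer: the dispatcher does not reply 403 itself,
            # it forwards the request to publish as anonymous and relays the
            # answer. Nothing from this path is cached.
            return publish_render(Request(req.path, None))
        if req.path in self.cache:
            return Response(200, self.cache[req.path])
        resp = publish_render(req)
        if resp.status == 200:
            self.cache[req.path] = resp.body
        return resp


def run_scenario() -> Dict[str, Response]:
    """Replay the thread's situation: bob is unauthorized, alice is authorized."""
    d = Dispatcher({"/content/site/unprotected-secret.html", "/content/site/acl-protected.html"})
    results = {}
    # The problem from the question: auth checker says 403, page is served anyway.
    results["bob_unprotected"] = d.handle(Request("/content/site/unprotected-secret.html", "bob"))
    # Same flow, but the page is really protected on publish: login page instead.
    results["bob_acl"] = d.handle(Request("/content/site/acl-protected.html", "bob"))
    # Authorized user populates the cache.
    results["alice_acl"] = d.handle(Request("/content/site/acl-protected.html", "alice"))
    # PSC keeps bob out of the now-cached copy.
    results["bob_acl_cached"] = d.handle(Request("/content/site/acl-protected.html", "bob"))
    return results


if __name__ == "__main__":
    for name, resp in run_scenario().items():
        print(f"{name}: {resp.status} {resp.body}")
```

Running it shows `bob_unprotected` coming back as 200 with the secret body, exactly the behaviour the question complains about, while `bob_acl` and `bob_acl_cached` return the login page because publish, not the dispatcher, refuses anonymous access. The takeaway for a design review: a custom auth checker cannot substitute for repository-level protection of the content; it only decides whether a cached copy may be served.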

martina_schwed
October 16, 2015

Thank you for the explanation