Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

Custom permission sensitive caching

Avatar

Level 1

We want to use a custom permission sensitive caching (https://docs.adobe.com/docs/en/dispatcher/permissions-cache.html)

Initial situation:
We create our own custom authchecker servlet and configure the dispatcher to use this servlet to check the permissions. We do not use CUG because of the requirements of the customer.

 

We expect the Dispatcher to not deliver content which the auth checker responds with a 403.
Anyways even in a 403 scenario the dispatcher requests the page and deliveres the content if the content itself is not protected through permissions.

 

The following diagram shows what is happening for an NON authorized user (screen 1):

  •        The request of the user is passed to the dispatcher
  •        The dispatcher request by using a HEAD request to our custom servlet
  •        Our custom servlet defines that the user has no permission
  •        Our custom servlet returns the status 403
  •        Dispatcher receives the response of our servlet
  •        Dispatcher requests the page for AEM à this we do not understand, why asking for the content if not permitted?
  •        AEM renders the page
  •        AEM returns the page
  •        Dispatcher return the complete page to the client

 

We do not understand why in step 5 the dispatcher requests the page from AEM when the servlet returns a 403.

We expected that a 403 is return to the client (step 6) (screen2).

 

Thank you for your help/tips.

Martina

1 Accepted Solution

Avatar

Correct answer by
Level 10

You are misusing PSC for the requirement. When 403 is returned from servlet the request is forwarded to the publish instance as anoymous so that its response like login page is returned.   But in your case page is not protected technically and hence serving it.

For your usecase make use of mod_security.  One sample usecase at https://helpx.adobe.com/experience-manager/kb/restrict-system-administrator-login-specific.html

View solution in original post

2 Replies

Avatar

Correct answer by
Level 10

You are misusing PSC for the requirement. When 403 is returned from servlet the request is forwarded to the publish instance as anoymous so that its response like login page is returned.   But in your case page is not protected technically and hence serving it.

For your usecase make use of mod_security.  One sample usecase at https://helpx.adobe.com/experience-manager/kb/restrict-system-administrator-login-specific.html