We are implementing authentication on our AEMaaCS website. We have created a custom Authentication Handler, and have login working correctly.
Our login is unique and we needed to roll our own implementation, with an integration to our in-house user group and permissions service. Within our authentication handler, we are checking if the user's permissions (coming from a 3rd-party integration) match the permissions demanded by the page. If they do, we return a valid auth result and let the user view the page. If they don't, we set the response code to 403 and do not allow the user to view the contents.
In the event that a user does not have permissions to a page, we are sending back a 403 status code. This results in a default 403 error page being shown.
How can we customize the 403 behavior such that:
- The URL is preserved. For instance, if the user accesses /content/mysite/home/protected-page.html via mysite.com/protected-page (we use Sling mappings to shorten URLs and remove .html extensions), we need to keep the user on mysite.com/protected-page but show an error.
- The response contains a 403 status code
- The page contents contain the output of another page in our website. For instance, we store a content-authorable 403 page at /content/mysite/error-pages/403.html. When the user accesses mysite.com/protected-page and encounters a 403 error, we need to show the contents of the /content/mysite/error-pages/403.html resource.
Is there a customization we can make in the Dispatcher to pull this off, or do we need to implement Java code?
Thanks!
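For readers unfamiliar with the handler shape the question describes, here is an added illustration of a Sling `AuthenticationHandler` that compares the permissions a user holds against the permissions a page demands and writes a 403 itself when they do not match. This is example code written for this page, not the poster's handler or any AEM project code; the `PermissionService` interface, the permission names, and the way the required permissions are looked up are assumptions. One caveat worth building in: the check should be keyed on the resolved content resource, not on the URL string as typed, because Sling mappings, selectors and alternate extensions (`.json`, `.infinity.json`, `.html/suffix`) all reach the same resource through different URLs.

```java
package com.example.auth;

import java.io.IOException;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;

/**
 * Example (not the poster's code): a Sling AuthenticationHandler that gates pages
 * on permissions supplied by an external user/group/permissions service.
 */
public class PermissionGateAuthenticationHandler implements AuthenticationHandler {

    /** Auth type reported to Sling for sessions established by this handler (assumed name). */
    public static final String AUTH_TYPE = "ExternalPermissionGate";

    /**
     * Hypothetical adapter around the in-house permissions service.
     * resolveUserId must validate the session token/cookie and return null if it is invalid.
     * permissionsRequiredBy should be keyed on the resolved content path (e.g.
     * /content/mysite/home/protected-page), never on the raw URL string, so that
     * mapped URLs, selectors and other extensions cannot sidestep the check.
     */
    public interface PermissionService {
        String resolveUserId(HttpServletRequest request);
        Set<String> permissionsFor(String userId);
        Set<String> permissionsRequiredBy(HttpServletRequest request);
    }

    private final PermissionService permissions;

    public PermissionGateAuthenticationHandler(PermissionService permissions) {
        this.permissions = permissions;
    }

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest request, HttpServletResponse response) {
        String userId = permissions.resolveUserId(request);
        if (userId == null) {
            // No valid session for this handler: report nothing and let Sling's
            // anonymous handling / other handlers decide (fail closed at the page level
            // by requiring a non-empty permission set on protected pages).
            return null;
        }

        Set<String> required = permissions.permissionsRequiredBy(request);
        Set<String> granted = permissions.permissionsFor(userId);

        if (granted.containsAll(required)) {
            // Permissions match: hand Sling an identity and let the request proceed.
            return new AuthenticationInfo(AUTH_TYPE, userId);
        }

        // Permissions do not match: this handler writes the 403 itself and tells
        // Sling the response is already handled. This is the point where the default
        // 403 error page is produced, which is what the question wants to replace.
        try {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } catch (IOException e) {
            throw new IllegalStateException("Unable to send 403 response", e);
        }
        return AuthenticationInfo.DOING_AUTH;
    }

    @Override
    public boolean requestCredentials(HttpServletRequest request, HttpServletResponse response) {
        // Login is driven by the external flow in this example, so no challenge is issued here.
        return false;
    }

    @Override
    public void dropCredentials(HttpServletRequest request, HttpServletResponse response) {
        // Session invalidation would be delegated to the external service; no-op in this example.
    }
}
```

Because `sendError` commits the response inside the handler, whatever Sling or the Dispatcher does afterwards sees a finished 403, which is why the default error page appears and why the question about where to customise it arises.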