Dispatcher only cache when authenticated

James_R_Green

19-06-2019

Hi,

I am using j_security_check to authenticate users which works fine.

When the user is not logged in and tries to access a protected page they are redirected to the login page as expected. When the login succeeds the resource query string parameter is used to forward them to the original protected page.

This works without issue on the publish instance.

The problem I have is our dispatcher has several rewrites, e.g. for removing the html extension and replacing it with /

These redirects (301s) are cached.

Therefore if a user tries to access a protected page, say /protected/page1, they are taken to the login page; when they log in successfully, the cached 301 for /protected/page1 is actually the login page.

Has anyone else encountered this?

Can I treat unauthenticated attempts to access pages differently to prevent this issue?

Thanks,

Jim

Accepted Solutions (1)

James_R_Green

25-06-2019

Browser level.

In the end we disabled HTML caching at the browser level.

Answers (3)

Jörg_Hoh
Employee

22-06-2019

At what level are the redirects cached?

James_R_Green

21-06-2019

A modified version of the code below seems to do the trick. Set the headers to not cache in the requestCredentials method (the original 302).

I will mark this as closed once fully tested.

acs-aem-samples/SampleLoginHookAuthenticationHandler.java at master · Adobe-Consulting-Services/acs-...
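
A check for the condition this thread is about: a redirect to the login page that the browser is allowed to replay from its cache, which both the no-cache headers in this post and the browser-level change in the accepted solution address. This is an added example, not code from the thread or from acs-aem-samples; the `/login` path, the function names and the sample responses are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

LOGIN_PATH = "/login"  # assumption: the thread does not give the login page path

def _directives(value):
    """Parse a Cache-Control value into {directive: argument or None}."""
    pairs = (p.strip().partition("=") for p in value.split(","))
    return {n.lower(): v.strip('"') or None for n, _, v in pairs if n}

def _explicit_freshness(cc, headers, now):
    """True/False when the response states a lifetime, None when it is silent."""
    if "max-age" in cc:  # max-age takes precedence over Expires
        age = cc["max-age"] or "0"
        return age.isdigit() and int(age) > 0
    if "expires" in headers:
        try:
            return parsedate_to_datetime(headers["expires"]) > now
        except (TypeError, ValueError):
            return False  # invalid or zone-less dates such as "0" count as expired
    return None

def browser_may_reuse(status, headers, now=None):
    """Can a browser answer a later request with this redirect from its cache?"""
    h = {k.lower(): v for k, v in headers.items()}
    cc = _directives(h.get("cache-control", ""))
    if status not in (301, 302, 307, 308) or "no-store" in cc or "no-cache" in cc:
        return False
    fresh = _explicit_freshness(cc, h, now or datetime.now(timezone.utc))
    # 301/308 are cacheable by default; 302/307 only with an explicit lifetime
    return status in (301, 308) if fresh is None else fresh

def risky_login_redirects(responses, login_path=LOGIN_PATH):
    """Paths whose redirect to the login page can be replayed after login."""
    hits = []
    for path, status, headers in responses:
        target = {k.lower(): v for k, v in headers.items()}.get("location", "")
        if urlsplit(target).path.startswith(login_path) and browser_may_reuse(status, headers):
            hits.append(path)
    return hits

SAMPLE = [  # constructed responses, not captured from the site in the thread
    ("/protected/page1.html", 301, {"Location": "/login?resource=/protected/page1/"}),
    ("/protected/page2", 302, {"Location": "/login", "Cache-Control": "no-store"}),
    ("/protected/page3", 302, {"Location": "/login", "Cache-Control": "max-age=3600"}),
    ("/protected/page4", 301, {"Location": "/login", "Expires": "0"}),
    ("/news.html", 301, {"Location": "/news/"}),
]
```

`risky_login_redirects(SAMPLE)` flags page1 (a bare 301) and page3 (a 302 given an explicit lifetime); the `no-store` and `Expires: 0` responses are not replayable, and the extension rewrite for `/news.html` is not a login redirect.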

James_R_Green

21-06-2019

Tried to use this:

https://helpx.adobe.com/experience-manager/kb/PSCachingDelivery.html

However, it appears to be hitting the Sling Authentication Handler before the dispatcher/auth_checker (?) meaning that I cannot handle redirects differently for restricted pages. I get a 302 redirect for the restricted page and the first page that hits the auth_checker is the login page.

All I want to do is avoid being stuck in a loop when I:

* Request a restricted page

* Get redirected to login page

* Login successfully

* Should go to resource originally requested, actually goes back to login page.

Has anyone encountered problems with this in the past?