SOLVED

How to get a 403 error when trying to access a CUG-protected DAM asset?


Level 9

Setup/configuration

  1. Using OKTA SSO, which I configured using the SAML authentication configuration.
  2. Looking at the code base and CRXDE, I can see we are using ACS Commons error handling.
  3. I can only see a 404.jsp and a default.jsp in /apps/sling/servlet/errorhandler.
  4. I have a 403.html, 404.html and default.html in /content/mysite/en/errors. This path has been configured in com.adobe.acs.commons.errorpagehandler.impl.ErrorPageHandlerImpl.xml.
  5. I have several custom user groups in AEM. These include role-customer, role-staff, role-contractor and many others.
  6. I'm a member of role-staff.

Tests I've done

  1. I CUG-protected a published page and all groups can access the page. I can view the published page.
  2. I CUG-protected a published page and restricted access to only role-staff. I can view the published page.
  3. I CUG-protected a published page and restricted access to only role-contractor. I visited the page and I got the 403 page. A 403 is the expected result.
  4. I CUG-protected a DAM folder (/content/dam/documents/myfolder) and all groups can access the folder. I can view one of the PDFs inside the folder.
  5. I CUG-protected a DAM folder (/content/dam/documents/myfolder) and gave access to role-staff only. I can view one of the PDFs inside the folder.
  6. I CUG-protected a DAM folder (/content/dam/documents/myfolder) with access to only role-contractor. I tried viewing one of the PDFs inside the folder and I got a 404 error instead of a 403.

I looked at https://adobe-consulting-services.github.io/acs-aem-commons/features/error-handler/index.html and there doesn't seem to be any DAM-specific configuration required.

Any ideas on how to fix the problem?

Thanks!


3 Replies


Correct answer by
Employee Advisor

It is security best practice not to indicate a failed authentication, and instead always to treat it the same as if the resource were not there at all. In HTTP status codes: never send a 403, but send a 404 instead.

This is the default implementation in AEM as well. Why do you want to deviate from that practice?

Jörg


Level 9

We want to deviate from the default because we have a need.

In addition to that, we have variations/changes to various built-in components (RTE and image component comes to mind) because of our needs as well.

------------------------

Can you please tell me how to change the default to a 404? Thanks


Employee Advisor

You need to adapt the error handler. See /libs/sling/servlet/errorhandler/default.jsp for the default. You need to override this logic (by overlaying) and find out whether it is a real 404 or rather a 403 (use an admin session and check whether the resource is really there or missing).
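The check described in the reply above, written out as an error handler script. This is an added example, not code from the thread, from AEM or from ACS Commons. It assumes the error page paths listed in the question (/content/mysite/en/errors/403.html and 404.html) and a sub-service name, error-handler-probe, that I made up; that name has to be mapped in the Service User Mapper to a system user with read access under /content. Where the reply says admin session, the example uses a service-user resolver instead, which is the supported way to get a privileged resolver in current AEM. Sling selects <status>.jsp before default.jsp, so in a setup that already has a 404.jsp in /apps/sling/servlet/errorhandler this logic belongs in that script; if only default.jsp exists, it goes there. It also keeps the point from the accepted answer in mind: only an authenticated user gets the 403, while anonymous requests keep getting a 404, so the existence of a protected asset is not revealed to the public.

```jsp
<%--
  /apps/sling/servlet/errorhandler/404.jsp (added example, not the page's or
  ACS Commons' code). Turns a 404 into a 403 when the requested resource exists
  but the current (authenticated) user is not allowed to read it.
--%>
<%@ page session="false" contentType="text/html" pageEncoding="UTF-8"
    import="org.apache.sling.api.SlingConstants,
            org.apache.sling.api.resource.LoginException,
            org.apache.sling.api.resource.Resource,
            org.apache.sling.api.resource.ResourceResolver,
            org.apache.sling.api.resource.ResourceResolverFactory,
            org.apache.sling.api.resource.ResourceUtil,
            java.util.Collections,
            java.util.Map,
            javax.servlet.http.HttpServletResponse" %>
<%@ taglib prefix="sling" uri="http://sling.apache.org/taglibs/sling/1.0" %>
<sling:defineObjects />
<%
    // Error pages from the question; adjust to your site.
    final String PAGE_404 = "/content/mysite/en/errors/404.html";
    final String PAGE_403 = "/content/mysite/en/errors/403.html";
    // Assumed sub-service name: must be mapped in the Service User Mapper to a
    // system user that can read everything under /content.
    final String PROBE_SUBSERVICE = "error-handler-probe";

    // Path the original request failed on (javax.servlet.error.request_uri);
    // fall back to the (non-existing) resource Sling resolved for the request.
    String requestedPath = (String) request.getAttribute(SlingConstants.ERROR_REQUEST_URI);
    if (requestedPath == null) {
        requestedPath = resource.getPath();
    }

    // Only authenticated users get a 403. Anonymous requests keep the 404 so
    // the handler cannot be used as a public "does this asset exist?" oracle.
    String userId = resourceResolver.getUserID();
    boolean authenticated = userId != null && !"anonymous".equals(userId);

    boolean existsButDenied = false;
    if (authenticated) {
        ResourceResolverFactory factory = sling.getService(ResourceResolverFactory.class);
        Map<String, Object> auth = Collections.<String, Object>singletonMap(
                ResourceResolverFactory.SUBSERVICE, PROBE_SUBSERVICE);
        ResourceResolver probe = null;
        try {
            probe = factory.getServiceResourceResolver(auth);
            // Resolve with the privileged resolver the same way Sling did for the
            // user (selector/extension handling included). If that yields a real
            // resource, the user's resolver failed on read access, not on existence.
            Resource privileged = probe.resolve(requestedPath);
            existsButDenied = !ResourceUtil.isNonExistingResource(privileged);
        } catch (LoginException e) {
            // Missing or wrong service user mapping: log it and keep the plain 404.
            log.warn("error handler: cannot open probe resolver for sub-service {}",
                    PROBE_SUBSERVICE, e);
        } finally {
            if (probe != null) {
                probe.close();
            }
        }
    }

    // Never let an error response be cached and served to a different user.
    slingResponse.setHeader("Cache-Control", "no-store");

    if (existsButDenied) {
        slingResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
        sling.include(PAGE_403);
    } else {
        slingResponse.setStatus(HttpServletResponse.SC_NOT_FOUND);
        sling.include(PAGE_404);
    }
%>
```

Two things to check on the instance before relying on this. First, getServiceResourceResolver keys the Service User Mapper entry on the bundle that obtained the factory; for a JSP that is the Sling JSP scripting bundle rather than your project bundle, so the mapping entry will not look like the ones for your own OSGi components (verify the bundle name in your instance; moving the probe into a small OSGi service in your own bundle avoids the question). Second, the probe user needs only read access, and only under the paths where you want 403s; giving it more, or reusing an admin session as the reply suggests, widens what a bug in this script can disclose.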