How to get a 403 error when trying to access a CUGs protected DAM asset?

jayv25585659
Level 4

15-07-2019

setup/configuration

  1. using OKTA SSO which I configured using the SAML authentication configuration
  2. Looking at the code base and CRXDE, I can see we are using ACS commons error handling.
  3. I can only see a 404.jsp and a default.jsp in /apps/sling/servlet/errorhandler
  4. I have a 403.html, 404.html and default.html in /content/mysite/en/errors. This path has been configured in com.adobe.acs.commons.errorpagehandler.impl.ErrorPageHandlerImpl.xml
  5. I have several custom user groups in AEM. These include role-customer, role-staff, role-contractor and many others.
  6. I'm a member of the role-staff.

test I've done

  1. I CUGs protected a published page and all groups can access the page. I can view the published page.
  2. I CUGs protected a published page and restricted access to only role-staff. I can view the published page.
  3. I CUGs protected a published page and restricted access to only role-contractor. I visited the page and I got the 403 page. A 403 is the expected result.
  4. I CUGs protected a DAM folder (/content/dam/documents/myfolder) and all groups can access the folder. I can view one of the PDFs inside the folder.
  5. I CUGs protected a DAM folder (/content/dam/documents/myfolder) and gave access to role-staff only. I can view one of the PDFs inside the folder.
  6. I CUGs protected a DAM folder (/content/dam/documents/myfolder) with access to only role-contractor. I tried viewing one of the PDFs inside the folder and I got a 404 error instead of a 403.

I looked at https://adobe-consulting-services.github.io/acs-aem-commons/features/error-handler/index.html and there doesn't seem to be any DAM-specific configuration required.

Any ideas on how to fix the problem?

Thanks!

Accepted Solutions (1)

Jörg_Hoh
Employee

15-07-2019

It is a security best practice not to indicate a failed authentication, and instead to always handle it the same way as if the resource were not there at all. In terms of HTTP status codes: never send a 403, but send a 404 instead.

This is the default implementation for AEM as well. Why do you want to deviate from that practice?

Jörg

Answers (2)

Jörg_Hoh
Employee

22-07-2019

You need to adapt the error handler. See /libs/sling/servlet/errorhandler/default.jsp for the default. You need to overwrite this logic (by overlaying) and need to find out if it's a real 404 or rather a 403 (use an admin-session and check if this resource is really there or missing).
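
One way to implement the check described in this answer, as an added example (not code from the original post, from AEM, or from ACS Commons). The class name, the sub-service name `error-handler-reader` and the choice to answer 403 only below `/content/dam/documents/` are assumptions; limiting the 403 to one tree keeps the non-disclosing 404 default everywhere else.

```java
package com.example.errors; // hypothetical package name

import java.util.Collections;
import java.util.Map;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.resource.ResourceUtil;

/** Tells a genuine 404 apart from a CUG/ACL denial that the user's session reports as "missing". */
public final class ForbiddenOrMissing {

    // Assumption: a service user with read access below DISCLOSE_ROOT is mapped to this sub-service.
    private static final String SUBSERVICE = "error-handler-reader";
    // Assumption: only this tree (the folder from the question) may answer 403.
    // Everything else keeps the default 404, so existence is not disclosed elsewhere.
    private static final String DISCLOSE_ROOT = "/content/dam/documents/";

    private ForbiddenOrMissing() {
    }

    /** Returns the status code the overlaid error handler should send for this request. */
    public static int statusFor(SlingHttpServletRequest request, ResourceResolverFactory factory) {
        String path = ResourceUtil.normalize(request.getRequestPathInfo().getResourcePath());
        if (path == null || !path.startsWith(DISCLOSE_ROOT)) {
            return HttpServletResponse.SC_NOT_FOUND;
        }
        Map<String, Object> authInfo =
                Collections.<String, Object>singletonMap(ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        // Privileged lookup: the service session sees the resource even when the user's session does not.
        try (ResourceResolver service = factory.getServiceResourceResolver(authInfo)) {
            Resource target = service.resolve(path);
            return ResourceUtil.isNonExistingResource(target)
                    ? HttpServletResponse.SC_NOT_FOUND   // really missing
                    : HttpServletResponse.SC_FORBIDDEN;  // exists, but hidden from this user
        } catch (LoginException e) {
            // Fail closed: without the service user, keep the non-disclosing default.
            return HttpServletResponse.SC_NOT_FOUND;
        }
    }
}
```

The overlaid error handler would call `statusFor(...)` and set the returned status on the response before rendering the matching error page.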

jayv25585659
Level 4

21-07-2019

We want to deviate from the default because we have a need.

In addition to that, we have variations/changes to various built-in components (the RTE and image component come to mind) because of our needs as well.

------------------------

Can you please tell me how to change the default to a 404? Thanks