Expand my Community achievements bar.

Learn about Edge Delivery Services in upcoming GEM session
Register!
SOLVED

How to get a 403 error when trying to access a CUGs protected DAM asset?

Avatar

Level 8
Level 8
7/15/19 9:00:10 PM

setup/configuration

  1. using OKTA SSO which I configured using the SAML authentication configuration
  2. Looking at the code base and CRXDE, I can see we are using ACS commons error handling.
  3. I can only see a 404.jsp and a default.jsp in /apps/sling/servlet/errorhandler
  4. I have a 403.html, 404.html and default.html in /content/mysite/en/errors. This path has been configured in com.adobe.acs.commons.errorpagehandler.impl.ErrorPageHandlerImpl.xml
  5. I have several custom user groups in AEM. These includes role-customer, role-staff, role-contractor and many others.
  6. I'm a member of the role-staff.

test I've done

  1. I CUGs protected a published page and all groups can access the page. I can view the published page.
  2. I CUGs protected a published page and restricted access to only role-staff. I can view the published page.
  3. I CUGs protected a published page and restricted access to only role-contractor. I visited the page and I got the 403 page. A 403 is the the expected result.
  4. I CUGs protected a DAM folder (/content/dam/documents/myfolder) and all groups can access the folder. I can view one of the PDFs inside the folder.
  5. I CUGs protected a DAM folder (/content/dam/documents/myfolder) and gave access to role-staff only. I can view one of the PDFs inside the folder.
  6. I CUGs protected a DAM folder (/content/dam/documents/myfolder) with access to only role-contractor. I tried viewing one of the PDFs inside the folder and I got a 404 error instead of a 403.

I looked at https://adobe-consulting-services.github.io/acs-aem-commons/features/error-handler/index.html and there doesn't seemed to be DAM specific configuration required.

Any ideas on how to fix the problem?

Thanks!

Views

2.1K

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee Advisor
Employee Advisor
7/15/19 11:53:01 PM

It is security best practices not to indicate a failed authentication, and treat it instead always with the same handling as if the resource is not there at all. As HTTP status codes: Never send a 403, but send a 404 instead.

This is the default implementation for AEM as well. Why do you want to deviate from that practice?

Jörg

View solution in original post

Views

1.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
3 Replies

Avatar

Correct answer by
Employee Advisor
Employee Advisor
7/15/19 11:53:01 PM

It is security best practices not to indicate a failed authentication, and treat it instead always with the same handling as if the resource is not there at all. As HTTP status codes: Never send a 403, but send a 404 instead.

This is the default implementation for AEM as well. Why do you want to deviate from that practice?

Jörg

Views

1.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 8
Level 8
7/21/19 7:43:31 PM

We want to deviate from the default because we have a need.

In addition to that, we have variations/changes to various built-in components (RTE and image component comes to mind) because of our needs as well.

------------------------

Can you please tell me how to change the default to a 404? Thanks

Views

1.8K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee Advisor
Employee Advisor
7/22/19 10:17:38 AM

You need to adapt the error handler. See /libs/sling/servlet/errorhandler/default.jsp for the default. You need to overwrite this logic (by overlaying) and need to find out if it's a real 404 or rather a 403 (use an admin-session and check if this resource is really there or missing).

Views

1.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate