
SOLVED

How to get a 403 error when trying to access a CUGs protected DAM asset?


Level 9

Setup/configuration

  1. Using Okta SSO, which I configured via the SAML authentication configuration.
  2. Looking at the code base and CRXDE, I can see we are using ACS Commons error handling.
  3. I can only see a 404.jsp and a default.jsp in /apps/sling/servlet/errorhandler.
  4. I have a 403.html, 404.html and default.html in /content/mysite/en/errors. This path has been configured in com.adobe.acs.commons.errorpagehandler.impl.ErrorPageHandlerImpl.xml.
  5. I have several custom user groups in AEM. These include role-customer, role-staff, role-contractor and many others.
  6. I'm a member of role-staff.

Tests I've done

  1. I CUG-protected a published page and allowed all groups to access the page. I can view the published page.
  2. I CUG-protected a published page and restricted access to only role-staff. I can view the published page.
  3. I CUG-protected a published page and restricted access to only role-contractor. I visited the page and I got the 403 page. A 403 is the expected result.
  4. I CUG-protected a DAM folder (/content/dam/documents/myfolder) and allowed all groups to access the folder. I can view one of the PDFs inside the folder.
  5. I CUG-protected a DAM folder (/content/dam/documents/myfolder) and gave access to role-staff only. I can view one of the PDFs inside the folder.
  6. I CUG-protected a DAM folder (/content/dam/documents/myfolder) with access to only role-contractor. I tried viewing one of the PDFs inside the folder and I got a 404 error instead of a 403.

I looked at https://adobe-consulting-services.github.io/acs-aem-commons/features/error-handler/index.html and there doesn't seem to be any DAM-specific configuration required.

Any ideas on how to fix the problem?

Thanks!

1 Accepted Solution


Correct answer by
Employee Advisor

It is a security best practice not to indicate a failed authentication, and instead to always treat it with the same handling as if the resource were not there at all. As HTTP status codes: never send a 403, but send a 404 instead.

This is the default implementation for AEM as well. Why do you want to deviate from that practice?

Jörg


3 Replies


Level 9

We want to deviate from the default because we have a need.

In addition to that, we have variations/changes to various built-in components (RTE and image component comes to mind) because of our needs as well.

------------------------

Can you please tell me how to change the default to a 404? Thanks


Employee Advisor

You need to adapt the error handler. See /libs/sling/servlet/errorhandler/default.jsp for the default. You need to overwrite this logic (by overlaying) and find out whether it is a real 404 or rather a 403 (use an admin session and check whether the resource is really there or missing).
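One way to implement the check described in this reply, as an added example that is not part of the thread or of ACS Commons: an overlaid /apps/sling/servlet/errorhandler/default.jsp that re-reads the failed path with a privileged resolver and upgrades the 404 to a 403 when the node exists but is hidden from the requesting user. It assumes a read-only system user mapped to the hypothetical sub-service name "errorhandler-lookup" in the Sling Service User Mapper (used here instead of an admin session) and the error pages under /content/mysite/en/errors from the question.

```jsp
<%@page session="false"
        import="java.util.Collections,
                org.apache.sling.api.SlingConstants,
                org.apache.sling.api.resource.ResourceResolver,
                org.apache.sling.api.resource.ResourceResolverFactory" %><%
%><%@taglib prefix="sling" uri="http://sling.apache.org/taglibs/sling/1.0" %><%
%><sling:defineObjects/><%
    // Status code and request URI that Sling's error handling passes to this script.
    Integer status = (Integer) request.getAttribute(SlingConstants.ERROR_STATUS);
    String uri = (String) request.getAttribute(SlingConstants.ERROR_REQUEST_URI);

    if (status != null && status == 404 && uri != null) {
        // DAM asset paths carry their extension (/content/dam/.../file.pdf), so the raw URI
        // is checked first; page URLs (/en/page.html) need selectors/extension stripped.
        int slash = uri.lastIndexOf('/');
        int dot = uri.indexOf('.', slash < 0 ? 0 : slash);
        String[] candidates = dot > 0
                ? new String[] { uri, uri.substring(0, dot) }
                : new String[] { uri };

        // Hypothetical sub-service "errorhandler-lookup": a system user with read access
        // to /content, mapped in the Service User Mapper. Not part of the thread.
        ResourceResolverFactory factory = sling.getService(ResourceResolverFactory.class);
        ResourceResolver lookup = null;
        try {
            lookup = factory.getServiceResourceResolver(Collections.singletonMap(
                    ResourceResolverFactory.SUBSERVICE, (Object) "errorhandler-lookup"));
            for (String candidate : candidates) {
                // Visible to the privileged reader but null for the requesting user's
                // resolver: the node exists and access was denied, so answer 403.
                if (lookup.getResource(candidate) != null
                        && resourceResolver.getResource(candidate) == null) {
                    status = 403;
                    break;
                }
            }
        } finally {
            if (lookup != null) { lookup.close(); }
        }
    }

    int code = (status == null) ? 500 : status;
    response.setStatus(code);
    // Render the site's own error page for the (possibly upgraded) status.
    String page = (code == 403) ? "403" : "404";
    request.getRequestDispatcher("/content/mysite/en/errors/" + page + ".html")
           .include(request, response);
%>
```

Note that once this overlay is active, any unauthenticated request can tell a CUG-protected path apart from a missing one by the status code, which is exactly the information the default 404 behaviour withholds; whether that is acceptable is the decision the accepted answer asks about.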