SOLVED

How to get a 403 error when trying to access a CUGs protected DAM asset?

jayv25585659, Level 6

setup/configuration

  1. Using Okta SSO, which I configured via the SAML authentication configuration.
  2. Looking at the code base and CRXDE, I can see we are using ACS Commons error handling.
  3. I can only see a 404.jsp and a default.jsp in /apps/sling/servlet/errorhandler.
  4. I have a 403.html, 404.html and default.html in /content/mysite/en/errors. This path has been configured in com.adobe.acs.commons.errorpagehandler.impl.ErrorPageHandlerImpl.xml.
  5. I have several custom user groups in AEM. These include role-customer, role-staff, role-contractor and many others.
  6. I'm a member of role-staff.

test I've done

  1. I CUG-protected a published page and all groups can access the page. I can view the published page.
  2. I CUG-protected a published page and restricted access to only role-staff. I can view the published page.
  3. I CUG-protected a published page and restricted access to only role-contractor. I visited the page and I got the 403 page. A 403 is the expected result.
  4. I CUG-protected a DAM folder (/content/dam/documents/myfolder) and all groups can access the folder. I can view one of the PDFs inside the folder.
  5. I CUG-protected a DAM folder (/content/dam/documents/myfolder) and gave access to role-staff only. I can view one of the PDFs inside the folder.
  6. I CUG-protected a DAM folder (/content/dam/documents/myfolder) with access to only role-contractor. I tried viewing one of the PDFs inside the folder and I got a 404 error instead of a 403.

I looked at https://adobe-consulting-services.github.io/acs-aem-commons/features/error-handler/index.html and there doesn't seem to be any DAM-specific configuration required.

Any ideas on how to fix the problem?

Thanks!

1 Accepted Solution

Jörg_Hoh, Employee (Correct answer)

It is a security best practice not to indicate a failed authentication, and instead to always treat it the same way as if the resource were not there at all. In terms of HTTP status codes: never send a 403, send a 404 instead.

This is the default implementation for AEM as well. Why do you want to deviate from that practice?

Jörg

3 Replies

jayv25585659, Level 6

We want to deviate from the default because we have a need.

In addition to that, we have variations/changes to various built-in components (the RTE and image components come to mind) because of our needs as well.

------------------------

Can you please tell me how to change the default to a 404? Thanks

Jörg_Hoh, Employee

You need to adapt the error handler. See /libs/sling/servlet/errorhandler/default.jsp for the default. You need to overwrite this logic (by overlaying it) and find out whether it is a real 404 or rather a 403 (use an admin session and check whether the resource is really there or missing).
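An added example of the overlay Jörg describes; this is not code from the thread, from Adobe or from ACS AEM Commons. It goes in /apps/sling/servlet/errorhandler/default.jsp. Instead of an admin session it uses a dedicated read-only service user to check whether the requested node actually exists: the sub-service name errorhandler-probe and its Service User Mapper entry (a user with jcr:read on /content) are assumptions. When the anonymous/CUG-restricted session got a 404 but the probe user can see the node, the status is switched to 403 so that ACS Commons picks 403.html from the configured errors path. The hand-off to ErrorPageHandlerService follows the shape of the default.jsp that ships with ACS Commons and should be checked against the installed version.

```jsp
<%--
  /apps/sling/servlet/errorhandler/default.jsp (overlay of the Sling default).
  Added example, not part of the original thread or of ACS AEM Commons.
  Assumed (not from the thread): a Service User Mapper entry for the sub-service
  "errorhandler-probe" pointing at a read-only user with jcr:read on /content,
  and the ErrorPageHandlerService calls as used by ACS Commons' own default.jsp.
--%>
<%@page session="false" import="
    javax.servlet.http.HttpServletResponse,
    java.util.Collections,
    java.util.LinkedHashSet,
    java.util.Set,
    org.apache.sling.api.SlingConstants,
    org.apache.sling.api.resource.LoginException,
    org.apache.sling.api.resource.Resource,
    org.apache.sling.api.resource.ResourceResolver,
    org.apache.sling.api.resource.ResourceResolverFactory,
    com.adobe.acs.commons.errorpagehandler.ErrorPageHandlerService" %>
<%@taglib prefix="sling" uri="http://sling.apache.org/taglibs/sling/1.0" %>
<sling:defineObjects/>
<%!
    // Sub-service name of the probe user (assumption; must match the mapper config).
    private static final String PROBE_SUBSERVICE = "errorhandler-probe";

    // Repository paths the request may refer to. DAM asset nodes keep their
    // extension ("report.pdf"); pages are stored without it ("secret" for
    // "secret.html"), so both the full path and the path cut at the first dot
    // of the last segment are tried.
    private static Set<String> candidatePaths(Resource requested) {
        Set<String> paths = new LinkedHashSet<String>();
        String base = requested.getPath();
        String info = requested.getResourceMetadata().getResolutionPathInfo();
        if (info != null && !base.endsWith(info)) {
            paths.add(base + info);
        }
        paths.add(base);
        int dot = base.indexOf('.', base.lastIndexOf('/') + 1);
        if (dot > 0) {
            paths.add(base.substring(0, dot));
        }
        return paths;
    }

    // True if the node exists when read with the privileged probe user.
    // 404 for this session plus "true" here means read access was denied.
    private static boolean existsForProbeUser(ResourceResolverFactory factory, Resource requested) {
        ResourceResolver probe = null;
        try {
            probe = factory.getServiceResourceResolver(
                Collections.<String, Object>singletonMap(ResourceResolverFactory.SUBSERVICE, PROBE_SUBSERVICE));
            for (String path : candidatePaths(requested)) {
                if (probe.getResource(path) != null) {
                    return true;
                }
            }
            return false;
        } catch (LoginException e) {
            // No probe user available: keep the safe default (404).
            return false;
        } finally {
            if (probe != null) {
                probe.close();
            }
        }
    }
%>
<%
    Integer reported = (Integer) slingRequest.getAttribute(SlingConstants.ERROR_STATUS);
    int status = reported != null ? reported : HttpServletResponse.SC_INTERNAL_SERVER_ERROR;

    if (status == HttpServletResponse.SC_NOT_FOUND) {
        ResourceResolverFactory factory = sling.getService(ResourceResolverFactory.class);
        if (factory != null && existsForProbeUser(factory, resource)) {
            // The node is there; only this session may not read it. Report 403.
            status = HttpServletResponse.SC_FORBIDDEN;
            slingRequest.setAttribute(SlingConstants.ERROR_STATUS, status);
        }
    }

    // Hand off to ACS Commons, which selects <status>.html (403.html / 404.html)
    // from the errors path configured for the requested tree.
    ErrorPageHandlerService handler = sling.getService(ErrorPageHandlerService.class);
    if (handler != null && handler.isEnabled()) {
        String errorPage = handler.findErrorPage(slingRequest, resource);
        if (errorPage != null) {
            handler.resetRequestAndResponse(slingRequest, slingResponse, status);
            handler.includeUsingGET(slingRequest, slingResponse, errorPage);
            return;
        }
    }

    // ACS Commons not available: send the bare status and no body details.
    slingResponse.setStatus(status);
%>
```

Two things to check before rolling this out. The ACS Commons error handler configuration must map /content/dam to the same errors folder as the site (the question says it already points at /content/mysite/en/errors), and that folder must be readable by anonymous, otherwise the include of 403.html fails. And this deliberately brings back the behaviour Jörg warns about: an unauthenticated client can now tell "exists but denied" from "does not exist" and enumerate the CUG-protected parts of the DAM tree by status code alone, so treat the switch from 404 to 403 as an accepted information disclosure, not a cosmetic change.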