SOLVED

How to make only logged-in users able to download DAM assets from the published website (live site)


Level 3

Hi, I have a requirement that all the assets inside this we.retail folder should be downloadable only by logged-in users on the published site and shouldn't be downloadable by anonymous users. How can I achieve this? For logging into the website we are using a third-party tool called ForgeRock, so many users can be created over time; how can all these users have access to these particular assets?


1 Accepted Solution


Correct answer by
Employee

Hi @VedhaSri 

To ensure that only logged-in users can download assets from the "we.retail" folder on the published site and prevent anonymous users from doing so, a combination of configurations and security measures will need to be implemented within Adobe Experience Manager (AEM) as a Cloud Service. Here's a step-by-step guide to achieving this goal:

### Step 1: Enabling Asset Download Servlet on Publish Instance

The AssetDownloadServlet needs to be enabled manually via an OSGi configuration for it to allow downloading assets from the DAM on publish instances. However, it's important to do this cautiously, as enabling asset download can have performance implications.

1. Create a configuration folder with a naming convention that targets the publish run mode, e.g., `/apps//config.publish`.
2. Create a file of type `nt:file` named `com.day.cq.dam.core.impl.servlet.AssetDownloadServlet.config`.
3. Configure the servlet with an appropriate maximum download size, for example:

```
enabled=B"true"
asset.download.prezip.maxcontentsize=I"102400"
```

This sets the maximum size of the ZIP download to not exceed 100 KB.

### Step 2: Blocking Anonymous Asset Downloads

To prevent anonymous users from downloading assets, you can update the dispatcher configuration to block any asset download requests from users who are not authenticated.

1. Edit the `dispatcher.any` configuration and add a rule to the filter section to deny asset download requests:

```
/0100 {
  /type "deny"
  /url "*.assetdownload.zip/assets.zip*"
}
```

### Step 3: Using Closed User Groups (CUGs)

Implement Closed User Groups (CUGs) to restrict access to the "we.retail" folder, which will require users to authenticate before they can access the assets.

1. Open the folder properties in the AEM Assets UI and go to the Permissions tab.
2. Add the appropriate AEM User Groups to the CUGs, which will contain the users authenticated through the third-party tool (ForgeRock).
3. Enable the login screen for the folder by selecting a login page path in AEM.
  • Enable option: Checked
  • Path to a login page: Specify the path if not using the default
4. Publish the folder and test accessing it from the publish instance; a login screen should be displayed.

### Step 4: Synchronizing ForgeRock Users with AEM User Groups

For users authenticated through ForgeRock to access the assets, you need to ensure that these users are synchronized with AEM User Groups that have access to the "we.retail" folder.

1. Set up an identity provider (IDP) integration between AEM and ForgeRock.
2. Map ForgeRock user groups to corresponding AEM User Groups that are included in the CUGs for the "we.retail" folder.

### Step 5: Best Practices and Additional Considerations

- Ensure that the AssetDownloadServlet is configured to handle the expected load without impacting the server's performance.
- Use AEM's permission management to provide fine-grained access control to the assets for different user groups.
- Regularly audit access to the assets using AEM's reporting tools to ensure compliance with your organization's policies.

### Sources

- Download Assets
- Manage Digital Assets
- Permission Considerations for Headless Content

This approach should help you to ensure that only authenticated users can download assets from the "we.retail" folder on the published site.
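The following is an added example, not part of the accepted answer and not Adobe's dispatcher code. It parses a constructed `/filter` block modelled on the `dispatcher.any` rule in Step 2 and applies the dispatcher's evaluation order (rules checked top to bottom, last matching rule wins), approximating dispatcher globbing with Python's `fnmatch`. It only models the `/type` and `/url` properties; `/glob`, `/method` and the rest are assumed away. Running it shows what the Step 2 rule actually covers: the `.assetdownload.zip/assets.zip` endpoint is denied for every caller, authenticated or not, while a direct request for the asset path still passes the filter, which is why the CUG and repository permissions from Step 3 are what enforce the login requirement.

```python
"""Offline simulation of how a dispatcher /filter section decides a request path.

Added example, not from the accepted answer or from Adobe's dispatcher.
Assumptions of the simulation:
  * only /type and /url are honoured; other rule properties are ignored;
  * dispatcher globbing is approximated with fnmatch ('*' matches any text);
  * rules are evaluated in order and the last matching rule wins;
  * the fallback when nothing matches is "deny" (the constructed sample
    starts with an explicit deny-all rule, so the fallback is never used).
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FilterRule:
    name: str  # rule number, e.g. "0100"
    type: str  # "allow" or "deny"
    url: str   # glob matched against the request path


# Constructed sample modelled on the dispatcher.any excerpt in the accepted answer.
SAMPLE_FILTER = """
/filter {
  /0001 { /type "deny"  /url "*" }
  /0002 { /type "allow" /url "/content/*" }
  /0100 {
    /type "deny"
    /url "*.assetdownload.zip/assets.zip*"
  }
}
"""

# A numbered rule is "/NNNN { ... }"; the body may span several lines.
RULE_RE = re.compile(r"/(\d+)\s*\{([^}]*)\}", re.S)
# Inside a rule body, pick up /type "..." and /url "..." properties.
PROP_RE = re.compile(r'/(type|url)\s+"([^"]*)"')


def parse_filter(text: str) -> List[FilterRule]:
    """Extract the numbered rules that carry both a /type and a /url."""
    rules = []
    for match in RULE_RE.finditer(text):
        props = dict(PROP_RE.findall(match.group(2)))
        if "type" not in props or "url" not in props:
            continue  # rule relies on properties this simulation does not model
        rules.append(FilterRule(match.group(1), props["type"], props["url"]))
    return rules


def evaluate(rules: List[FilterRule], path: str) -> Tuple[str, Optional[str]]:
    """Return (decision, number of the rule that decided) for one request path."""
    decision, decided_by = "deny", None
    for rule in rules:
        if fnmatch.fnmatchcase(path, rule.url):
            decision, decided_by = rule.type, rule.name  # later match overrides
    return decision, decided_by


def audit(rules: List[FilterRule], paths: List[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each path to its decision so a reviewer can see what the filter covers."""
    return {path: evaluate(rules, path) for path in paths}


if __name__ == "__main__":
    parsed = parse_filter(SAMPLE_FILTER)
    # Constructed request paths: the ZIP download endpoint, a direct asset URL
    # under the protected folder, and an unrelated path outside /content.
    checks = [
        "/content/dam/we-retail/en/image.jpg.assetdownload.zip/assets.zip",
        "/content/dam/we-retail/en/image.jpg",
        "/etc/packages/foo.zip",
    ]
    for path, (decision, rule) in audit(parsed, checks).items():
        print(f"{decision:5} by /{rule}: {path}")
```

Feed the script your own `/filter` section instead of `SAMPLE_FILTER` and the list of asset URLs you expect to be protected; any path that comes back `allow` is one the dispatcher passes through to publish, so its protection depends entirely on the repository permissions behind it.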


6 Replies


Level 8

Hi @VedhaSri 

As you have informed: For log into website we are using some third party tool called forgerock

So it looks like during login you might receive a user token from the 3rd-party system. I think your application might already save this in a cookie. If not, you might need to save the user details/session in a browser cookie. Then write logic to read the cookie value. If it's present, that means the user is logged in. Then display the DAM asset.

 


Community Advisor

Hi @VedhaSri ,

 

I believe if you are using a 3rd party to log in to AEM, you might be using SAML, as that is the most common approach.

 

What you need to do is:

  • Add all the users who log in to a particular group.
  • And add permissions to the group.

 

Reference: https://experienceleague.adobe.com/docs/experience-manager-65/content/security/saml-2-0-authenticati... 

 

Thanks.


Community Advisor

I think it is as simple as:

  1. Deny read access to all users for /content/dam/yourProtectedAssets.

  2. Create a group allowing access to the same path that was denied.

  3. Assign this new group from step 2 to the users who are logged in.

If you are using SAML, in the end, you are just dealing with AEM group users, so you can accomplish the above without any problems. If you are using another custom login based on cookies, you can simply check the cookie and then use a "system user" who is part of the group you created in step 2.

 

Hope this helps.



Esteban Bustamante



Administrator

@VedhaSri Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found the solution yourself, please share it with the community.



Kautuk Sahni