Hi Team,
We have configured OKTA SAML for our project content directory /content/xyz and enabled auth_checker for all the secured pages in AEM (AEM as a Cloud Service) by following the documentation below:
https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/permissions-...
https://www.danklco.com/posts/2021/04/saml-authentication-aem-permissions-sensitive-caching.html
We enabled dispatcher caching and disabled CDN caching for secured content.
So, in a new session, when we hit the page URL directly in the browser for the first time (no cache) it redirects to the OKTA page correctly, but when the file is already in the cache and we hit that page URL in the browser it tries to invoke the auth_checker service (/bin/auth/permissioncheck.html) with the SAML-enabled URL path.
Since the user is an anonymous user, it redirects to the forbidden page (403) instead of redirecting to OKTA.
When I exclude the auth_checker path (/bin/auth/permissioncheck.html) in the Sling Authenticator, this 403 redirection happens.
org.apache.sling.engine.impl.auth.SlingAuthenticator.cfg.json
If I include the auth checker path in the Sling Authenticator and the page is cached, then the page request goes to a 404 with the error below:
/libs/granite/core/content/login.html?resource=%2Fbin%%2Fauthcheck%3Furi%3D%2Fcontent%2Fxyz%2Fen-us%2Fcollections%2Fall-products%2abc.html&$$login$$=%24%24login%24%24&j_reason=unknown&j_reason_code=unknown
In summary, when content is cached in the Dispatcher, the page request has issues in the 2 scenarios below.
1. If I include the auth checker path in the Sling Authenticator ---------> 404
2. If I exclude the auth checker path in the Sling Authenticator ---------> 403
What should we do in this scenario?
Expectation:
If the page is cached and there is no active session, then the new request to the AEM page should redirect to the OKTA page instead of a 403 or 404.
Any ideas/suggestions on this issue?
CC: @kautuk_sahni @Jörg_Hoh @arunpatidar @aanchal_sikka
Hi @Rudra-2024
The auth check servlet will be called for all requests if the file is cached and the rules match.
Dispatcher calls the auth check servlet to check the authentication status; there is no way the dispatcher can check the login status by itself, hence the dispatcher asks the publisher.
Hi,
You need to create your own servlet instead of relying on /bin/auth/permissioncheck.html.
1. In your servlet, check the status of the user, and if the user is not logged in, redirect to the login page.
2. If the user is logged in but does not have permission to access the page, then serve a 403.
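The two steps above, written out as a Sling servlet. This is an added example, not code from the thread, the Adobe documentation or Dan Klco's post. The package name, the servlet path /bin/auth/permissioncheck, the /content/ prefix check and the dispatcher.any fragment in the header comment are assumptions; the "uri" parameter is the one visible in the thread's own redirect URL. Instead of redirecting to a hard-coded login URL, the servlet hands anonymous requests to Sling's Authenticator service, which asks the authentication handler registered for that path (here the SAML handler bound to /content/xyz) to request credentials; selecting the handler through the "path" request attribute is an assumption about SlingAuthenticator's behaviour. Note that the servlet path must stay allowed for anonymous users in the Sling Authenticator configuration (the thread's "exclude" case); otherwise Sling redirects the HEAD request to the Granite login page before the servlet ever runs, which is the 404 case described above.

```java
package com.example.aem.auth; // hypothetical package

import java.io.IOException;

import javax.servlet.Servlet;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.auth.Authenticator;
import org.apache.sling.api.auth.NoAuthenticationHandlerException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceUtil;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

/**
 * Auth-checker servlet for Dispatcher permission-sensitive caching (example; path is hypothetical).
 *
 * Dispatcher calls the /auth_checker /url with the originally requested page in the
 * "uri" query parameter, e.g. HEAD /bin/auth/permissioncheck?uri=/content/xyz/en-us/page.html,
 * and serves the cached file only on a 200. Any other status reaches the browser, which is
 * why answering 403 for an anonymous user shows the forbidden page instead of Okta.
 *
 * Assumed dispatcher.any fragment (the Cookie header must be forwarded so the servlet
 * runs with the caller's session):
 *   /auth_checker {
 *     /url "/bin/auth/permissioncheck"
 *     /filter  { /0000 { /glob "*" /type "deny" } /0001 { /glob "/content/xyz/*" /type "allow" } }
 *     /headers { /0000 { /glob "*" /type "deny" } /0001 { /glob "Cookie" /type "allow" } }
 *   }
 */
@Component(service = Servlet.class,
           property = {
               "sling.servlet.paths=/bin/auth/permissioncheck", // hypothetical; must equal the dispatcher /url
               "sling.servlet.methods=HEAD",
               "sling.servlet.methods=GET"
           })
public class PermissionCheckServlet extends SlingSafeMethodsServlet {

    private static final String PARAM_URI = "uri";

    // Sling's Authenticator asks the handler registered for a path (here the SAML
    // handler bound to /content/xyz) to request credentials, i.e. to start the Okta redirect.
    @Reference
    private Authenticator authenticator;

    @Override
    protected void doHead(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        check(request, response);
    }

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        check(request, response);
    }

    private void check(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        String uri = request.getParameter(PARAM_URI);
        // Accept only absolute in-site paths (assumed site root /content/); this also keeps
        // the login return location from becoming an open redirect.
        if (uri == null || !uri.startsWith("/content/") || uri.contains("..")) {
            response.sendError(SlingHttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        ResourceResolver resolver = request.getResourceResolver();
        String userId = resolver.getUserID();

        // Step 1: page is cached and there is no session cookie, so the user is anonymous.
        // Instead of 403, hand the request to the authentication handler for that path.
        if (userId == null || "anonymous".equals(userId)) {
            request.setAttribute(AuthenticationHandler.PATH_PROPERTY, uri); // handler selection (assumption)
            request.setAttribute(Authenticator.LOGIN_RESOURCE, uri);        // where to return after login
            try {
                authenticator.login(request, response); // SAML handler issues the redirect to Okta
            } catch (NoAuthenticationHandlerException e) {
                // No handler covers this path, so nobody can log the user in: deny.
                response.sendError(SlingHttpServletResponse.SC_FORBIDDEN);
            }
            return;
        }

        // Step 2: logged in. Resolve the page with the user's own session; a user without
        // read permission gets a NonExistingResource, which maps to 403.
        Resource page = resolver.resolve(request, uri);
        if (ResourceUtil.isNonExistingResource(page)) {
            response.setStatus(SlingHttpServletResponse.SC_FORBIDDEN);
        } else {
            response.setStatus(SlingHttpServletResponse.SC_OK);
        }
    }
}
```

Two practical checks when trying this: request the servlet directly with curl once without cookies (expect the redirect, not a 403) and once with a valid session cookie for a user who lacks read access to the page (expect 403), and confirm in the dispatcher log that the HEAD call carries the Cookie header; if it does not, the servlet always sees anonymous and every cached page will bounce to Okta.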
Hi Arun, Thanks for the response.
Yes, I have my own servlet. For security's sake I didn't mention the actual path in the question (it is something like /bin/auth/xx/yy/authcheck).
1. In your servlet, check the status of the user, and if the user is not logged in, redirect to the login page.
I am checking the user status and the user is anonymous (meaning not logged in). I can redirect to the login/Okta page here.
My doubt is that the auth check servlet should not get called if the user is not logged in.
2. If the user is logged in but does not have permission to access the page, then serve a 403.
Yes, that is taken care of in the servlet and working as expected.
@Rudra-2024 Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.
My doubt/question is not cleared up yet.
Question: the auth check servlet should not get called if the user is not logged in.
Is this possible with any configuration (like the Sling Authenticator or dispatcher configs)?
I felt the same, @arunpatidar. But I thought there would be an option in the dispatcher based on request headers or cookies. It seems we have to write the logic in the auth check servlet itself.
Thanks for the response and confirmation.