SOLVED

Issues in Permission Sensitive Caching : Auth checker path in Sling Authenticator

Level 4

Hi Team,

We have configured OKTA SAML for our project content directory /content/xyz and enabled auth_checker for all the secured pages in AEM (AEM as a Cloud Service) by following the documentation below:
https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/permissions-...
https://www.danklco.com/posts/2021/04/saml-authentication-aem-permissions-sensitive-caching.html


We enabled dispatcher caching and disabled CDN caching for secured content.

So, in a new session, when we hit the page URL directly in the browser for the first time (no cache) it redirects to the OKTA page correctly, but when the file is already in cache and we hit that page URL in the browser it tries to invoke the auth_checker service (/bin/auth/permissioncheck.html) with the SAML-enabled URL path.
Since the user is anonymous, it redirects to the forbidden page (403) instead of the OKTA redirect.

When I exclude the auth_checker path (/bin/auth/permissioncheck.html) in Sling Authenticator, this 403 redirection is happening.

org.apache.sling.engine.impl.auth.SlingAuthenticator.cfg.json

If I include the auth checker path in Sling Authenticator and the page is cached, then the page request goes to 404 with the error below:

/libs/granite/core/content/login.html?resource=%2Fbin%%2Fauthcheck%3Furi%3D%2Fcontent%2Fxyz%2Fen-us%2Fcollections%2Fall-products%2abc.html&$$login$$=%24%24login%24%24&j_reason=unknown&j_reason_code=unknown

In summary, when content is cached in Dispatcher, the page request has issues in the 2 scenarios below.

1. If I include the auth checker path in Sling Authenticator, ---------> 404
2. If I exclude the auth checker path in Sling Authenticator, ---------> 403

What should we do in this scenario?

Expectation:

If the page is cached and there is no active session, then the new request to the AEM page should redirect to the OKTA page instead of 403 or 404.

Any ideas/suggestions on this issue?


CC: @kautuk_sahni  @Jörg_Hoh  @arunpatidar @aanchal_sikka 


6 Replies

Community Advisor

Hi,

You need to create your own servlet instead of relying on /bin/auth/permissioncheck.html

1. In your servlet you check what the status of the user is, and if the user is not logged in, redirect to the login page.

2. If the user is logged in but does not have permission to access the page, then you serve 403.



Arun Patidar
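The two steps above as an auth checker servlet, written here as an added example (not code from the thread, Adobe, or the blog post linked in the question). The package name, the servlet path /bin/auth/permissioncheck and the login URL are assumptions; the thread's real path is different, and Dispatcher's auth_checker section must point at whatever path you register.

```java
package com.example.auth; // hypothetical package; the real servlet path in the thread differs
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;
// Dispatcher calls this servlet (forwarding the browser's cookies) on every hit for a cached
// file that matches the auth_checker filter, whether or not the user is logged in. It serves
// the cached copy only when the servlet answers 200; anything else means "not authorized".
@Component(service = Servlet.class, property = {
        "sling.servlet.paths=/bin/auth/permissioncheck",
        "sling.servlet.methods=GET", "sling.servlet.methods=HEAD"
})
public class PermissionCheckServlet extends SlingSafeMethodsServlet {
    // Assumed login entry point; replace with the URL that starts your OKTA/SAML login.
    private static final String LOGIN_PATH = "/libs/granite/core/content/login.html";
    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response) throws IOException {
        String uri = request.getParameter("uri"); // the cached page Dispatcher is asking about
        if (uri == null || !uri.startsWith("/")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Step 1: no session at all -> send the browser to login instead of a bare 403.
        String userId = request.getResourceResolver().getUserID();
        if (userId == null || "anonymous".equals(userId)) {
            response.sendRedirect(LOGIN_PATH + "?resource=" + URLEncoder.encode(uri, "UTF-8"));
            return;
        }
        // Step 2: logged in. The request's resolver is bound to that user, so getResource()
        // returns null when the ACLs deny read access (or the node does not exist) -> 403.
        String path = toResourcePath(uri);
        if (request.getResourceResolver().getResource(path) == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        response.setStatus(HttpServletResponse.SC_OK); // authorized: Dispatcher serves the cache
    }
    // Strip query string, selectors and extension: "/content/xyz/en-us/page.html?x=1" -> "/content/xyz/en-us/page"
    static String toResourcePath(String uri) {
        int q = uri.indexOf('?');
        String noQuery = q < 0 ? uri : uri.substring(0, q);
        int slash = noQuery.lastIndexOf('/');
        int dot = noQuery.indexOf('.', slash);
        return dot < 0 ? noQuery : noQuery.substring(0, dot);
    }
}
```

Because the checker is invoked for anonymous hits too (see the accepted answer below), the anonymous-versus-forbidden distinction has to live in this servlet; no Dispatcher or Sling Authenticator setting makes that decision for you.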

Level 4

Hi Arun, Thanks for the response. 

Yes. I have my own servlet. For security sake I didn't mention actual path in question( it is like /bin/auth/xx/yy/authcheck)  



1. In your servlet you check what the status of the user is, and if the user is not logged in, redirect to the login page.

I am checking the user status and the user is anonymous (meaning not logged in). I can redirect to the login/Okta page here.
My doubt is that the auth check servlet should not get called if the user is not logged in.

2. If the user is logged in but does not have permission to access the page, then you serve 403.

Yes. It is taken care of in the servlet and working as expected.

Administrator

@Rudra-2024 Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.



Kautuk Sahni

Level 4

My doubt/question is not cleared yet.

Question: the auth check servlet should not get called if the user is not logged in.
Is it possible with any configuration (like Sling Authenticator or Dispatcher configs)?

Correct answer by
Community Advisor

Hi @Rudra-2024
The auth check servlet will be called for all requests if the file is cached and the rules match.

Dispatcher calls the auth check servlet to check the authentication status; there is no way Dispatcher can check the login status by itself, hence Dispatcher asks the publisher.



Arun Patidar

Level 4

I felt the same, @arunpatidar. But I thought there would be an option in Dispatcher based on request headers or cookies. It seems we have to write the logic in the auth check servlet itself.

Thanks for the response and confirmation.