Hi Team,
I have a requirement for sensitive permission caching in AEM. I followed the documentation
https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/permissions-...
Auth check servlet is receiving the call from dispatcher when ever we hit the page.
String uri = request.getParameter("uri").replace(".html", "");
logger.debug("Request URL {}", uri);
When I print the URL the value is always : Request URL /content/mysite/en-us/errors/404
It is working as expected in local. Only in Dev it is causing the issue.
It very strange behavior. Can some one please guide me on this. Any help is highly appreciated.
Thanks.
Views
Replies
Total Likes
I created a servlet
@Component(service = Servlet.class, property = {
Constants.SERVICE_DESCRIPTION + "= Authenticate the page based on tags added on the page.",
"sling.servlet.paths=" + "/bin/mysite/authcheck"
})
public class RequestAuthenticationServlet extends SlingSafeMethodsServlet {
I override the DO head method
@Override
public void doHead(SlingHttpServletRequest request, SlingHttpServletResponse response) {
String uri = request.getParameter("uri").replace(".html", "");
logger.debug("Request URL {}", uri);
logger.debug("RequestAuthenticationServlet:Time before validating the user is {}.", new Date().getTime());
Map<String, Object> serviceParams = new HashMap<>();
serviceParams.put(ResourceResolverFactory.SUBSERVICE, MYSITE_ADMINISTRATIVE_SERVICE);
ResourceResolver resourceResolver = null;
try {
logger.debug("Inside Try block of Auth_Checker_Servlet");
resourceResolver = resolverFactory.getServiceResourceResolver(serviceParams);
boolean isInValid = userGroupService.validateTheUser(resourceResolver, request.getResourceResolver(), uri);
if (isInValid) {
logger.debug("user don't have access on the page {}", uri);
response.setStatus(SC_FORBIDDEN);
} else {
logger.debug("user have access on the page {}", uri);
response.setStatus(SC_OK);
}
} catch (Exception e) {
logger.error("auth checker says READ access DENIED!");
response.setStatus(SC_FORBIDDEN);
}
finally {
if (resourceResolver != null && resourceResolver.isLive()) {
resourceResolver.close();
}
}
logger.debug("RequestAuthenticationServlet:Time after validating the user is {}.", new Date().getTime());
}
and I enabled Auth checker in dispatcher : src/conf.dispatcher.d/enabled_farms/mysite.farm
/auth_checker
{
# request is sent to this URL with '?uri=<page>' appended
/url "/bin/mysite/authcheck"
# only the requested pages matching the filter section below are checked,
# all other pages get delivered unchecked
/filter
{
/0000
{
/glob "*"
/type "deny"
}
/0001
{
/glob "/content/mysite/*"
/type "allow"
}
}
# any header line returned from the auth_checker's HEAD request matching
# the section below will be returned as well
/headers
{
/0000
{
/glob "*"
/type "deny"
}
/0001
{
/glob "Set-Cookie:*"
/type "allow"
}
}
}
Can you check CDN caching rule for your site?
hello @Rudra-2024
For any secured content, you need to bypass CDN caching. Look for the sections starting from "Bypass CDN cache for secured content" in the
Securing content for GraphQL queries – Adobe Experience Manager Blog (techrevel.blog)
CDN doesn't know anything about authentication. It will serve content, if cached. To verify the same, look for X-Cache header in the network tab for the page or asset. If a HIT, its cached on CDN. If miss, its from AEM dispatcher/publish.
For the instances, where a miss is returned, check dispatcher and publish logs. After turning off caching in CDN, it should always be a MISS. And auth checker servlet would trigger based on filters in "auth_checker" section of dispatcher
Hi @aanchal-sikka @rawvarun
Thanks for the response.
Yes. I disabled the cache by setting Define DISABLE_DEFAULT_CACHING and private header.
# No cache on CDN for GraphQL queries serving securing content
<LocationMatch "^/content/mysite/en-us/.*(\.html)$>"
Header unset Cache-Control
Header unset Expires
Header always set Cache-Control "private"
</LocationMatch>
In browser also in response headers we can see below
String uri = request.getParameter("uri").replace(".html", "");
logger.debug("Request URL {}", uri);
Views
Likes
Replies
Views
Likes
Replies
Views
Likes
Replies