Expand my Community achievements bar.

Issues with Auth check servlet in AEM

Avatar

Level 3

Hi Team,

 

I have a requirement for sensitive permission caching in AEM. I followed the documentation
https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/permissions-...

 Auth check servlet is receiving the call from dispatcher when ever we hit the page.

String uri = request.getParameter("uri").replace(".html", "");
logger.debug("Request URL {}", uri);


When I print the URL  the value is always : Request URL /content/mysite/en-us/errors/404

It is working as expected in local. Only in Dev it is causing the issue.

It very strange behavior. Can some one please guide me on this. Any help is highly appreciated. 

 

Thanks.

5 Replies

Avatar

Level 3

I created a servlet

@Component(service = Servlet.class, property = {
Constants.SERVICE_DESCRIPTION + "= Authenticate the page based on tags added on the page.",
"sling.servlet.paths=" + "/bin/mysite/authcheck"
})
public class RequestAuthenticationServlet extends SlingSafeMethodsServlet {

 

I override the DO head method

 

@Override
public void doHead(SlingHttpServletRequest request, SlingHttpServletResponse response) {

String uri = request.getParameter("uri").replace(".html", "");
logger.debug("Request URL {}", uri);
logger.debug("RequestAuthenticationServlet:Time before validating the user is {}.", new Date().getTime());
Map<String, Object> serviceParams = new HashMap<>();
serviceParams.put(ResourceResolverFactory.SUBSERVICE, MYSITE_ADMINISTRATIVE_SERVICE);
ResourceResolver resourceResolver = null;
try {
logger.debug("Inside Try block of Auth_Checker_Servlet");

resourceResolver = resolverFactory.getServiceResourceResolver(serviceParams);
boolean isInValid = userGroupService.validateTheUser(resourceResolver, request.getResourceResolver(), uri);
if (isInValid) {
logger.debug("user don't have access on the page {}", uri);
response.setStatus(SC_FORBIDDEN);
} else {
logger.debug("user have access on the page {}", uri);
response.setStatus(SC_OK);
}
} catch (Exception e) {
logger.error("auth checker says READ access DENIED!");
response.setStatus(SC_FORBIDDEN);
}
finally {
if (resourceResolver != null && resourceResolver.isLive()) {
resourceResolver.close();
}
}
logger.debug("RequestAuthenticationServlet:Time after validating the user is {}.", new Date().getTime());
}

Avatar

Level 3

and I enabled Auth checker in dispatcher :  src/conf.dispatcher.d/enabled_farms/mysite.farm

/auth_checker
{
# request is sent to this URL with '?uri=<page>' appended
/url "/bin/mysite/authcheck"

# only the requested pages matching the filter section below are checked,
# all other pages get delivered unchecked
/filter
{
/0000
{
/glob "*"
/type "deny"
}
/0001
{
/glob "/content/mysite/*"
/type "allow"
}
}
# any header line returned from the auth_checker's HEAD request matching
# the section below will be returned as well
/headers
{
/0000
{
/glob "*"
/type "deny"
}
/0001
{
/glob "Set-Cookie:*"
/type "allow"
}
}
}

Avatar

Community Advisor

Can you check CDN caching rule for your site?

Avatar

Community Advisor

hello @Rudra-2024 

 

For any secured content, you need to bypass CDN caching. Look for the sections starting from "Bypass CDN cache for secured content" in the 

Securing content for GraphQL queries – Adobe Experience Manager Blog (techrevel.blog)

 

CDN doesn't know anything about authentication. It will serve content, if cached. To verify the same, look for X-Cache header in the network tab for the page or asset. If a HIT, its cached on CDN. If miss, its from AEM dispatcher/publish.

 

For the instances, where a miss is returned, check dispatcher and publish logs. After turning off caching in CDN, it should always be a MISS. And auth checker servlet would trigger based on filters in "auth_checker" section of dispatcher


Aanchal Sikka

Avatar

Level 3

Hi @aanchal-sikka  @rawvarun 

Thanks for the response.

Yes. I disabled the cache by setting Define DISABLE_DEFAULT_CACHING and private header.

 

# No cache on CDN for GraphQL queries serving securing content

<LocationMatch "^/content/mysite/en-us/.*(\.html)$>"

Header unset Cache-Control

Header unset Expires

Header always set Cache-Control "private"

</LocationMatch>

 

In browser also in response headers we can see below

X-Cache: MISS
Dispatcher: hit
 
AS I mentioned earlier , Every time Auth checker is getting called. But request url is wrong
 
For Example If I hit the page /contnet/mysite/en-us/test.html
 
with the below code 
String uri = request.getParameter("uri").replace(".html", "");
logger.debug("Request URL {}", uri);
expectation is Log will be Request URL /contnet/mysite/en-us/test
 Actual log is /contnet/mysite/en-us/404
 
Any inputs/suggestions on this please.