Adobe Experience Manager Sites & More

Rudra-2024 · 6/12/23

Hi Team,

I have a requirement for sensitive permission caching in AEM. I followed the documentation
https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/permissions-...

Auth check servlet is receiving the call from dispatcher when ever we hit the page.

String uri = request.getParameter("uri").replace(".html", "");
logger.debug("Request URL {}", uri);

When I print the URL the value is always : Request URL /content/mysite/en-us/errors/404

It is working as expected in local. Only in Dev it is causing the issue.

It very strange behavior. Can some one please guide me on this. Any help is highly appreciated.

Thanks.

Rudra-2024 · 6/12/23

I created a servlet

@Component(service = Servlet.class, property = {
        Constants.SERVICE_DESCRIPTION + "= Authenticate the page based on tags added on the page.",
        "sling.servlet.paths=" + "/bin/mysite/authcheck"
})
public class RequestAuthenticationServlet extends SlingSafeMethodsServlet {

I override the DO head method

@Override
public void doHead(SlingHttpServletRequest request, SlingHttpServletResponse response) {

    String uri = request.getParameter("uri").replace(".html", "");
    logger.debug("Request URL {}", uri);
    logger.debug("RequestAuthenticationServlet:Time before validating the user  is {}.", new Date().getTime());
    Map<String, Object> serviceParams = new HashMap<>();
    serviceParams.put(ResourceResolverFactory.SUBSERVICE, MYSITE_ADMINISTRATIVE_SERVICE);
    ResourceResolver resourceResolver = null;
    try {
        logger.debug("Inside Try block of Auth_Checker_Servlet");

        resourceResolver = resolverFactory.getServiceResourceResolver(serviceParams);
        boolean isInValid = userGroupService.validateTheUser(resourceResolver, request.getResourceResolver(), uri);
        if (isInValid) {
            logger.debug("user don't have access on the page {}", uri);
            response.setStatus(SC_FORBIDDEN);
        } else {
            logger.debug("user have access on the page {}", uri);
            response.setStatus(SC_OK);
        }
    } catch (Exception e) {
        logger.error("auth checker says READ access DENIED!");
        response.setStatus(SC_FORBIDDEN);
    }
    finally {
        if (resourceResolver != null && resourceResolver.isLive()) {
            resourceResolver.close();
        }
    }
    logger.debug("RequestAuthenticationServlet:Time after validating the user  is {}.", new Date().getTime());
}

Rudra-2024 · 6/12/23

and I enabled Auth checker in dispatcher : src/conf.dispatcher.d/enabled_farms/mysite.farm

/auth_checker
   {
     # request is sent to this URL with '?uri=<page>' appended
     /url "/bin/mysite/authcheck"

     # only the requested pages matching the filter section below are checked,
     # all other pages get delivered unchecked
     /filter
       {
       /0000
         {
         /glob "*"
         /type "deny"
         }
       /0001
         {
         /glob "/content/mysite/*"
         /type "allow"
         }
       }
     # any header line returned from the auth_checker's HEAD request matching
     # the section below will be returned as well
     /headers
       {
       /0000
         {
         /glob "*"
         /type "deny"
         }
       /0001
         {
         /glob "Set-Cookie:*"
         /type "allow"
         }
       }
   }

rawvarun · 6/12/23

Can you check CDN caching rule for your site?

aanchal-sikka · 6/12/23

hello @Rudra-2024

For any secured content, you need to bypass CDN caching. Look for the sections starting from "Bypass CDN cache for secured content" in the

Securing content for GraphQL queries – Adobe Experience Manager Blog (techrevel.blog)

CDN doesn't know anything about authentication. It will serve content, if cached. To verify the same, look for X-Cache header in the network tab for the page or asset. If a HIT, its cached on CDN. If miss, its from AEM dispatcher/publish.

For the instances, where a miss is returned, check dispatcher and publish logs. After turning off caching in CDN, it should always be a MISS. And auth checker servlet would trigger based on filters in "auth_checker" section of dispatcher

Aanchal Sikka

Rudra-2024 · 6/14/23

Hi @aanchal-sikka @rawvarun

Thanks for the response.

Yes. I disabled the cache by setting Define DISABLE_DEFAULT_CACHING and private header.

# No cache on CDN for GraphQL queries serving securing content

<LocationMatch "^/content/mysite/en-us/.*(\.html)$>"

Header unset Cache-Control

Header unset Expires

Header always set Cache-Control "private"

</LocationMatch>

In browser also in response headers we can see below

X-Cache: MISS

Dispatcher: hit

AS I mentioned earlier , Every time Auth checker is getting called. But request url is wrong

For Example If I hit the page /contnet/mysite/en-us/test.html

with the below code

String uri = request.getParameter("uri").replace(".html", "");
logger.debug("Request URL {}", uri);

expectation is Log will be Request URL /contnet/mysite/en-us/test

Actual log is /contnet/mysite/en-us/404

Any inputs/suggestions on this please.

Adobe Experience Manager Sites & More

Issues with Auth check servlet in AEM

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe