Expand my Community achievements bar.

SOLVED

Permission Sensitive Caching auth checker is not working in dispatcher

Avatar

Level 3
Level 3
5/22/24 4:54:29 PM

Hi,

 

I am doing the POC for Permission Sensitive Caching in dev environment and i have done the dispatcher configuration as per the below

 

 

/auth_checker
  {
  # request is sent to this URL with '?uri=<page>' appended
  /url "/api/permissioncheck"

  # only the requested pages matching the filter section below are checked,
  # all other pages get delivered unchecked
  /filter
    {
    /0000
      {
      /glob "*"
      /type "deny"
      }
    /0001
      {
      /glob "/content/secure/*.html"
      /type "allow"
      }
    }
  # any header line returned from the auth_checker's HEAD request matching
  # the section below will be returned as well
  /headers
    {
    /0000
      {
      /glob "*"
      /type "deny"
      }
    /0001
      {
      /glob "Set-Cookie:*"
      /type "allow"
      }
    }
  }

 

 

/cache
{
 ...
 allowAuthorized “1”   
 ...
}

After doing the changes in dispatcher and done the restart iam not seeing the below message in dispatcher log

 

AuthChecker: initialized with URL ‘configured_url‘.

 

Due to this i couldnot able to validate my changes regarding PSC. Even i ignore the above message and wrote the servlet as below and validate in publisher logs it is not coming to the publisher server regarding Auth Checker

 

@component(service = Servlet.class,
property = {
"service.description= Auth checker Servlet",
"sling.servlet.paths=/api/permissioncheck",
"sling.servlet.methods=HEAD"
})

public class AuthcheckerServlet extends SlingSafeMethodsServlet {

private Logger logger = LoggerFactory.getLogger(this.getClass());

public void doHead(SlingHttpServletRequest request, SlingHttpServletResponse response) {
try{
//retrieve the requested URL
String uri = request.getParameter("uri");
//String authtoken = request.getParameter("authtoken");

//obtain the session from the request
Session session = request.getResourceResolver().adaptTo(javax.jcr.Session.class);
//perform the permissions check
try {
/* if (authtoken.equals("1111")) {
response.setStatus(SlingHttpServletResponse.SC_OK);
}*/
session.checkPermission(uri, Session.ACTION_READ);
logger.info("authchecker says OK");
response.setStatus(SlingHttpServletResponse.SC_OK);

} catch(Exception e) {
logger.info("authchecker says READ access DENIED!");
response.setStatus(SlingHttpServletResponse.SC_FORBIDDEN);
}
}catch(Exception e){
logger.error("authchecker servlet exception: " + e.getMessage());
}
}
}

 

Please help me what is the issue which is not executing the auth checker.

 

Thanks & Regards,

Kalyan

Views

162

Replies

4
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 4
Level 4
5/23/24 3:15:28 AM

Hi @kalyanchakravarthych 

 

Have you tested after the deployment ?

A 200 response means the user has access to retrieve the file directly from the dispatcher cache.  Other than 200 means the request is not served from cache.

 

Check the Dispatcher log to see the requested url has cache hit statements with [actionhit]

 

Check the Publisher log to see the servlet getting invoked for the requested url.

View solution in original post

Views

118

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
4 Replies

Avatar

Correct answer by
Level 4
Level 4
5/23/24 3:15:28 AM

Hi @kalyanchakravarthych 

 

Have you tested after the deployment ?

A 200 response means the user has access to retrieve the file directly from the dispatcher cache.  Other than 200 means the request is not served from cache.

 

Check the Dispatcher log to see the requested url has cache hit statements with [actionhit]

 

Check the Publisher log to see the servlet getting invoked for the requested url.

Views

119

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Community Advisor
Community Advisor
5/23/24 5:21:42 AM

@kalyanchakravarthych 

 

Are you using Cloud instance?

  • If yes, you would also need to by pass CDN caching.
  • Please verify only the content thats not cached on CDN.

 

These are steps 4-7 on https://techrevel.blog/2023/06/07/securing-content-for-graphql-queries/

Aanchal Sikka

Views

113

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 10
Level 10
5/23/24 6:26:27 AM

Hi @kalyanchakravarthych ,

There could be a few reasons why the AuthChecker is not working as expected in your Dispatcher configuration. Here are some possible issues and solutions:

1. Verify Dispatcher Configuration: Double-check your Dispatcher configuration to ensure that it is correctly set up. Make sure that the configuration file is properly included in the Dispatcher configuration (`dispatcher.any` or `dispatcher.conf`). Ensure that the configuration is valid and properly formatted.

2. Check Dispatcher Logs: Check the Dispatcher logs for any error messages or warnings related to the AuthChecker configuration. Look for any issues with the configuration file or any other relevant information that could help identify the problem.

3. Verify Dispatcher Flush: After making changes to the Dispatcher configuration, make sure to flush the Dispatcher cache and restart the Dispatcher service. This ensures that the changes take effect.

4. Check AuthChecker Servlet: Verify that the AuthChecker servlet is deployed and registered correctly in your AEM instance. Check the AEM logs for any error messages related to the servlet registration or deployment. Ensure that the servlet is accessible at the specified path (`/api/permissioncheck`) and that it is responding correctly to the HEAD request.

5. Test the AuthChecker Servlet: To test the AuthChecker servlet, you can try accessing it directly in your browser by appending `?uri=<page>` to the servlet URL. For example, `http://localhost:4503/api/permissioncheck?uri=/content/secure/page.html`. Check the response status code and the logs to see if the servlet is functioning correctly.

6. Verify Permissions: Ensure that the user accessing the page has the necessary permissions to trigger the AuthChecker. Check the user's permissions in AEM and make sure they have the required read access to the requested URI.

If you have checked all of the above and the AuthChecker is still not working, it may be helpful to consult the AEM documentation or reach out to Adobe Support for further assistance. They can provide more specific guidance based on your AEM version and configuration.

Views

93

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Administrator
Administrator
6/4/24 1:29:00 AM

@kalyanchakravarthych Did you find the suggestions from users helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.



Kautuk Sahni

Views

26

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Fields having "granite/ui/components/coral/foundation/container" as resourceType are not working correctly after upgrading to SP1 on AEM6.5 Solved

Views

125

Likes

0

Replies

5
AEM as a Cloud Service SDK - Dispatcher Tools - Docker image

Views

64

Likes

0

Replies

2
Is it safe to delete 'data*.tar.bak' files form segment store

Views

37

Likes

0

Replies

1
Bulk updating headings component in AEM

Views

84

Likes

0

Replies

3
EPS file is not generating the thumbnail even after installed the image magic

Views

47

Likes

0

Replies

1