Expand my Community achievements bar.

Enhance your AEM Assets & Boost Your Development: [AEM Gems | June 19, 2024] Improving the Developer Experience with New APIs and Events

Permission Sensitive Caching auth checker is not working in dispatcher

Avatar

Level 3

Hi,

 

I am doing the POC for Permission Sensitive Caching in dev environment and i have done the dispatcher configuration as per the below

 

 

/auth_checker
  {
  # request is sent to this URL with '?uri=<page>' appended
  /url "/api/permissioncheck"

  # only the requested pages matching the filter section below are checked,
  # all other pages get delivered unchecked
  /filter
    {
    /0000
      {
      /glob "*"
      /type "deny"
      }
    /0001
      {
      /glob "/content/secure/*.html"
      /type "allow"
      }
    }
  # any header line returned from the auth_checker's HEAD request matching
  # the section below will be returned as well
  /headers
    {
    /0000
      {
      /glob "*"
      /type "deny"
      }
    /0001
      {
      /glob "Set-Cookie:*"
      /type "allow"
      }
    }
  }

 

 

/cache
{
 ...
 allowAuthorized “1”   
 ...
}

After doing the changes in dispatcher and done the restart iam not seeing the below message in dispatcher log

 

AuthChecker: initialized with URL ‘configured_url‘.

 

Due to this i couldnot able to validate my changes regarding PSC. Even i ignore the above message and wrote the servlet as below and validate in publisher logs it is not coming to the publisher server regarding Auth Checker

 

@component(service = Servlet.class,
property = {
"service.description= Auth checker Servlet",
"sling.servlet.paths=/api/permissioncheck",
"sling.servlet.methods=HEAD"
})

public class AuthcheckerServlet extends SlingSafeMethodsServlet {

private Logger logger = LoggerFactory.getLogger(this.getClass());

public void doHead(SlingHttpServletRequest request, SlingHttpServletResponse response) {
try{
//retrieve the requested URL
String uri = request.getParameter("uri");
//String authtoken = request.getParameter("authtoken");

//obtain the session from the request
Session session = request.getResourceResolver().adaptTo(javax.jcr.Session.class);
//perform the permissions check
try {
/* if (authtoken.equals("1111")) {
response.setStatus(SlingHttpServletResponse.SC_OK);
}*/
session.checkPermission(uri, Session.ACTION_READ);
logger.info("authchecker says OK");
response.setStatus(SlingHttpServletResponse.SC_OK);

} catch(Exception e) {
logger.info("authchecker says READ access DENIED!");
response.setStatus(SlingHttpServletResponse.SC_FORBIDDEN);
}
}catch(Exception e){
logger.error("authchecker servlet exception: " + e.getMessage());
}
}
}

 

Please help me what is the issue which is not executing the auth checker.

 

Thanks & Regards,

Kalyan

4 Replies

Avatar

Level 4

Hi @kalyanchakravarthych 

 

Have you tested after the deployment ?

A 200 response means the user has access to retrieve the file directly from the dispatcher cache.  Other than 200 means the request is not served from cache.

 

Check the Dispatcher log to see the requested url has cache hit statements with [actionhit]

 

Check the Publisher log to see the servlet getting invoked for the requested url.

Avatar

Community Advisor

@kalyanchakravarthych 

 

Are you using Cloud instance?

  • If yes, you would also need to by pass CDN caching.
  • Please verify only the content thats not cached on CDN.

 

These are steps 4-7 on https://techrevel.blog/2023/06/07/securing-content-for-graphql-queries/


Aanchal Sikka

Avatar

Level 9

Hi @kalyanchakravarthych ,

There could be a few reasons why the AuthChecker is not working as expected in your Dispatcher configuration. Here are some possible issues and solutions:

1. Verify Dispatcher Configuration: Double-check your Dispatcher configuration to ensure that it is correctly set up. Make sure that the configuration file is properly included in the Dispatcher configuration (`dispatcher.any` or `dispatcher.conf`). Ensure that the configuration is valid and properly formatted.

2. Check Dispatcher Logs: Check the Dispatcher logs for any error messages or warnings related to the AuthChecker configuration. Look for any issues with the configuration file or any other relevant information that could help identify the problem.

3. Verify Dispatcher Flush: After making changes to the Dispatcher configuration, make sure to flush the Dispatcher cache and restart the Dispatcher service. This ensures that the changes take effect.

4. Check AuthChecker Servlet: Verify that the AuthChecker servlet is deployed and registered correctly in your AEM instance. Check the AEM logs for any error messages related to the servlet registration or deployment. Ensure that the servlet is accessible at the specified path (`/api/permissioncheck`) and that it is responding correctly to the HEAD request.

5. Test the AuthChecker Servlet: To test the AuthChecker servlet, you can try accessing it directly in your browser by appending `?uri=<page>` to the servlet URL. For example, `http://localhost:4503/api/permissioncheck?uri=/content/secure/page.html`. Check the response status code and the logs to see if the servlet is functioning correctly.

6. Verify Permissions: Ensure that the user accessing the page has the necessary permissions to trigger the AuthChecker. Check the user's permissions in AEM and make sure they have the required read access to the requested URI.

If you have checked all of the above and the AuthChecker is still not working, it may be helpful to consult the AEM documentation or reach out to Adobe Support for further assistance. They can provide more specific guidance based on your AEM version and configuration.

Avatar

Administrator

@kalyanchakravarthych Did you find the suggestions from users helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.



Kautuk Sahni