Adobe Experience Manager Sites & More

kalyanchakravarthych · 5/22/24

Hi,

I am doing the POC for Permission Sensitive Caching in dev environment and i have done the dispatcher configuration as per the below

/auth_checker
  {
  # request is sent to this URL with '?uri=<page>' appended
  /url "/api/permissioncheck"

  # only the requested pages matching the filter section below are checked,
  # all other pages get delivered unchecked
  /filter
    {
    /0000
      {
      /glob "*"
      /type "deny"
      }
    /0001
      {
      /glob "/content/secure/*.html"
      /type "allow"
      }
    }
  # any header line returned from the auth_checker's HEAD request matching
  # the section below will be returned as well
  /headers
    {
    /0000
      {
      /glob "*"
      /type "deny"
      }
    /0001
      {
      /glob "Set-Cookie:*"
      /type "allow"
      }
    }
  }

/cache
{
 ...
 allowAuthorized “1”   
 ...
}

After doing the changes in dispatcher and done the restart iam not seeing the below message in dispatcher log

AuthChecker: initialized with URL ‘configured_url‘.

Due to this i couldnot able to validate my changes regarding PSC. Even i ignore the above message and wrote the servlet as below and validate in publisher logs it is not coming to the publisher server regarding Auth Checker

@component(service = Servlet.class,
property = {
"service.description= Auth checker Servlet",
"sling.servlet.paths=/api/permissioncheck",
"sling.servlet.methods=HEAD"
})

public class AuthcheckerServlet extends SlingSafeMethodsServlet {

private Logger logger = LoggerFactory.getLogger(this.getClass());

public void doHead(SlingHttpServletRequest request, SlingHttpServletResponse response) {
try{
//retrieve the requested URL
String uri = request.getParameter("uri");
//String authtoken = request.getParameter("authtoken");

//obtain the session from the request
Session session = request.getResourceResolver().adaptTo(javax.jcr.Session.class);
//perform the permissions check
try {
/* if (authtoken.equals("1111")) {
response.setStatus(SlingHttpServletResponse.SC_OK);
}*/
session.checkPermission(uri, Session.ACTION_READ);
logger.info("authchecker says OK");
response.setStatus(SlingHttpServletResponse.SC_OK);

} catch(Exception e) {
logger.info("authchecker says READ access DENIED!");
response.setStatus(SlingHttpServletResponse.SC_FORBIDDEN);
}
}catch(Exception e){
logger.error("authchecker servlet exception: " + e.getMessage());
}
}
}

Please help me what is the issue which is not executing the auth checker.

Thanks & Regards,

Kalyan

SwetaB · 5/23/24

Hi @kalyanchakravarthych

Have you tested after the deployment ?

A 200 response means the user has access to retrieve the file directly from the dispatcher cache. Other than 200 means the request is not served from cache.

Check the Dispatcher log to see the requested url has cache hit statements with [actionhit]

Check the Publisher log to see the servlet getting invoked for the requested url.

aanchal-sikka · 5/23/24

@kalyanchakravarthych

Are you using Cloud instance?

If yes, you would also need to by pass CDN caching.
Please verify only the content thats not cached on CDN.

These are steps 4-7 on https://techrevel.blog/2023/06/07/securing-content-for-graphql-queries/

Aanchal Sikka

HrishikeshKa · 5/23/24

Hi @kalyanchakravarthych ,

There could be a few reasons why the AuthChecker is not working as expected in your Dispatcher configuration. Here are some possible issues and solutions:

1. Verify Dispatcher Configuration: Double-check your Dispatcher configuration to ensure that it is correctly set up. Make sure that the configuration file is properly included in the Dispatcher configuration (`dispatcher.any` or `dispatcher.conf`). Ensure that the configuration is valid and properly formatted.

2. Check Dispatcher Logs: Check the Dispatcher logs for any error messages or warnings related to the AuthChecker configuration. Look for any issues with the configuration file or any other relevant information that could help identify the problem.

3. Verify Dispatcher Flush: After making changes to the Dispatcher configuration, make sure to flush the Dispatcher cache and restart the Dispatcher service. This ensures that the changes take effect.

4. Check AuthChecker Servlet: Verify that the AuthChecker servlet is deployed and registered correctly in your AEM instance. Check the AEM logs for any error messages related to the servlet registration or deployment. Ensure that the servlet is accessible at the specified path (`/api/permissioncheck`) and that it is responding correctly to the HEAD request.

5. Test the AuthChecker Servlet: To test the AuthChecker servlet, you can try accessing it directly in your browser by appending `?uri=<page>` to the servlet URL. For example, `http://localhost:4503/api/permissioncheck?uri=/content/secure/page.html`. Check the response status code and the logs to see if the servlet is functioning correctly.

6. Verify Permissions: Ensure that the user accessing the page has the necessary permissions to trigger the AuthChecker. Check the user's permissions in AEM and make sure they have the required read access to the requested URI.

If you have checked all of the above and the AuthChecker is still not working, it may be helpful to consult the AEM documentation or reach out to Adobe Support for further assistance. They can provide more specific guidance based on your AEM version and configuration.

kautuk_sahni · 6/4/24

@kalyanchakravarthych Did you find the suggestions from users helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.

Adobe Experience Manager Sites & More

Permission Sensitive Caching auth checker is not working in dispatcher

Kautuk Sahni

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe