
Querying asset in CUG


Level 2

Hello,

 

I have the need to retrieve assets through GET calls, only if I'm logged in (reserved assets).

I've tried using the CUG, setting a user as a viewer. Then, after publishing the folder and also the asset, I try with Postman to access the resource with basic authentication (of course with the user that is in the CUG settings of the folder) and I get a "resource not found" 404 error.

What is the correct process to retrieve those assets with a GET call?

 

Thank you,

 

Guglielmo

 

11 Replies


Level 2

Updating: 

The error only shows up through the dispatcher: if I call the asset from the two publish instances with the correct basic authentication, the CUG configuration works as expected. Does anybody know if there is a specific CUG configuration for the dispatchers?


Community Advisor

Hi,

Please check https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/permissions-... to implement the dispatcher changes needed to protect assets properly and with caching.



Arun Patidar

I'm not sure I've fully understood this guide, because I've implemented the servlet, but if I try to call it with this URL: http://localhost:4502/bin/permissioncheck?uri=/content/dam/folder/reserved/image.jpg

the response is:

Method GET not supported

Cannot serve request to /bin/permissioncheck in AuthcheckerServlet

 

Even if I call the servlet from author or publish directly, it doesn't seem to work.

I've not used the org.apache.felix.scr.annotations, since they are deprecated, but instead I wrote this:

@Component(service = Servlet.class, immediate = true,
    property = {
        SLING_SERVLET_PATHS + "=/bin/permissioncheck",
    })
public class AuthcheckerServlet extends SlingSafeMethodsServlet {

Could this be the error?


Community Advisor

Hi,
1. You have to create a servlet, which you already did.

2. Update the /auth_checker section in the dispatcher file

https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/permissions-...



Arun Patidar

OK, I verified that this configuration is working for .html pages but not for assets, which is what I need.

I've tried also with the filter

/filter
  {
  /0000
    {
    /glob "*"
    /type "allow"
    }
  }

and it's still not working for assets 

Community Advisor

/filter
    {
    /0000
      {
      /glob "*"
      /type "deny"
      }
    /0001
      {
      /glob "/content/secure/*.html"
      /type "allow"
      }
      /0010 { /glob "/content/dam/secure/*.pdf" /type "allow"}
      /0012 { /glob "/content/dam/secure/*.doc" /type "allow"}
    }


Arun Patidar

I've already used this kind of filter and it seems to be working, but only for non-secured folders, which is not so useful in my opinion.
These are the cases for the Postman calls:

  • /content/dam/secure has a CUG user set:
    • Publisher without CUG basic auth: not working
    • Publisher with CUG basic auth: working
    • Dispatcher without CUG basic auth: not working (no HEAD servlet auth call)
    • Dispatcher with CUG basic auth: not working (no HEAD servlet auth call)
  • /content/dam/secure has no CUG user set:
    • Publisher without CUG basic auth: working
    • Publisher with CUG basic auth: working
    • Dispatcher without CUG basic auth: working (HEAD servlet auth call)
    • Dispatcher with CUG basic auth: working (HEAD servlet auth call)


Community Advisor

Hi,

For assets, if you apply a CUG, it will only be applied to the immediate child assets.
Could you try to add the CUG to the asset and check whether you are getting the HEAD request or not?

Ideally it should work.

We are also using this feature to protect pages as well as assets.



Arun Patidar


Level 2

I've tried setting the CUG for the single assets but it's not possible. It's also stated in this guide: https://experienceleague.adobe.com/docs/experience-manager-learn/assets/advanced/closed-user-groups....

 

It seems that if the user has no permissions over the CUG-protected folder, he/she cannot call the authentication servlet either, which makes it useless. The strange behaviour is that it happens only with the dispatcher.


Level 2

I've managed to resolve the issue:

 

  • The custom authentication servlet was not being called due to a code error inside a custom 404 handler
  • The authentication servlet was not getting the basic authorization information due to the "/clientheaders" section of the dispatcher farm not having the "Authorization" header

 

Thank you @arunpatidar for all the support!
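For anyone landing on this thread with the same symptom, here is an added example (not posted in the thread and not Adobe's own sample) of a dispatcher farm fragment that puts the two pieces together: the /auth_checker section Arun linked and the "Authorization" entry in /clientheaders from the resolution. The servlet URL and the /content/dam/secure folder are taken from the thread; the farm name and the other header names are assumptions.

```text
/farms
  {
  /publish
    {
    # Headers the dispatcher forwards to publish AND to the auth_checker HEAD
    # call. Without "Authorization" here the servlet never sees the basic-auth
    # credentials, so every CUG-protected asset comes back as 404.
    /clientheaders
      {
      "Authorization"
      "Cookie"
      "Accept"
      "User-Agent"
      "Host"
      }
    # Main request filter: the secured DAM folder must be reachable at all.
    /filter
      {
      /0001 { /type "deny"  /glob "*" }
      /0002 { /type "allow" /glob "/content/secure/*.html" }
      /0003 { /type "allow" /glob "/content/dam/secure/*" }
      }
    /auth_checker
      {
      # Servlet path from the thread. The dispatcher calls it with HEAD before
      # serving a cached copy, so the servlet must override doHead; a bare
      # SlingSafeMethodsServlet answers "Method GET not supported" instead.
      /url "/bin/permissioncheck"
      # Only URLs matched here are checked; the deny-all rule keeps every
      # other cached file from being sent to the servlet.
      /filter
        {
        /0000 { /glob "*" /type "deny" }
        /0001 { /glob "/content/secure/*.html" /type "allow" }
        /0002 { /glob "/content/dam/secure/*" /type "allow" }
        }
      # Response headers of the servlet that are copied to the client.
      /headers
        {
        /0000 { /glob "*" /type "deny" }
        /0001 { /glob "Set-Cookie:*" /type "allow" }
        }
      }
    }
  }
```

A quick way to confirm the wiring is to watch the publish request log while fetching a cached asset through the dispatcher: a HEAD to /bin/permissioncheck should appear for each protected URL, and the 403 from the servlet (not a 404) should be what an unauthenticated client receives.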