Adobe Experience Manager Sites & More

Guglielmo_Francesconi · 11/19/21

Hello,

I have the need to retrieve assets through GET calls, only if I'm logged in (reserved assets).

I've tried using the CUG, setting an user as a viewer then, when I've published the folder and also the asset, I try with Postman to access the resource with basic authentication (of course the user that is in the CUG settings of the folder) and I get a resource not found 404 error.

What is the correct process to retrieve those assets with a GET call?

Thank you,

Guglielmo

Guglielmo_Francesconi · 11/19/21

Updating:

the error is showing only through the dispatcher, as if I call the asset from the 2 publish instances with the correct basic authentication, the CUG configuration is working as expected. Anybody knows if there is a specific CUG configuration for the dispatchers ?

arunpatidar · 11/19/21

Hi,

Please check https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/permissions-... to implement dispatcher changes in order to protect asset properly and with caching.

Arun Patidar

Guglielmo_Francesconi · 11/23/21

I'm not sure I've understood fully this guide, because I've implemented the servlet but if I try to call it with this URL :http://localhost:4502/bin/permissioncheck?uri=/content/dam/folder/reserved/image.jpg

the response is :

Method GET not supported

Cannot serve request to /bin/permissioncheck in AuthcheckerServlet

Even if I call the servlet from author or publish directly, it doesn't seem to work.

I've not used the org.apache.felix.scr.annotations, since they are deprecated, but instead i wrote this:

@Component(service = Servlet.class, immediate = true,
    property = {
        SLING_SERVLET_PATHS + "=/bin/permissioncheck",
    })
public class AuthcheckerServlet extends SlingSafeMethodsServlet {

Could this be the error ?

arunpatidar · 11/23/21

Hi,
1. You have to create a servlet , that you already did.

2. Update the /auth_checker section in the dispatcher file

https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/permissions-...

Arun Patidar

Guglielmo_Francesconi · 11/23/21

Ok, i verified that this configuration is working for .html pages but not for assets, which is what I need.

I've tried also with the filter

/0000
  {
  /glob "*"
  /type "allow"
  }
}

and it's still not working for assets

arunpatidar · 11/23/21

/filter
    {
    /0000
      {
      /glob "*"
      /type "deny"
      }
    /0001
      {
      /glob "/content/secure/*.html"
      /type "allow"
      }
      /0010 { /glob "/content/dam/secure/*.pdf" /type "allow"}
      /0012 { /glob "/content/dam/secure/*.doc" /type "allow"}
    }

Arun Patidar

Guglielmo_Francesconi · 11/24/21

I've already used this kind of filter and it seems to be working, but only for non-secured folders, which is not so useful in my opinion.
These are the cases for the postman calls:

/content/dam/secure has CUG user set:
- Publisher without CUG basic auth: not working
- Publisher with CUG basic auth: working
- Dispatcher without CUG basic auth: not working (no HEAD servlet auth call)
- Dispatcher with CUG basic auth: not working (no HEAD servlet auth call)
/content/dam/secure has no CUG user set:
- Publisher without CUG basic auth: working
- Publisher with CUG basic auth: working
- Dispatcher without CUG basic auth: working (HEAD servlet auth call)
- Dispatcher with CUG basic auth: working (HEAD servlet auth call)

arunpatidar · 11/24/21

Hi,

For assets, if you applied cug, it will only applied for the immediate child asset.
Could you try to add cug to asset and check, if you are getting head request or not.

Ideally it should work.

we are also using this feature to protect page as well asset.

Arun Patidar

Guglielmo_Francesconi · 11/25/21

I've tried setting the CUG for the single assets but it's not possible. It's also stated in this guide: https://experienceleague.adobe.com/docs/experience-manager-learn/assets/advanced/closed-user-groups....

It seems like if the user has no permissions over the CUG protected folder, he/she can't neither call the authentication servlet, which becomes useless. The strange behaviour it's that it happens only with the dispatcher.

Guglielmo_Francesconi · 11/25/21

I've managed to resolve the issue:

The custom authentication servlet was not being called due to a code error inside a custom 404 handler
The authentication servlet was not getting the basic authorization information due to "/clientheaders" section of the dispatcher farm not having the "Authorization" header

Thank you @arunpatidar for all the support!

arunpatidar · 11/27/21

I am glad that finally it works for you.

Adobe Experience Manager Sites & More

Querying asset in CUG

Arun Patidar

Method GET not supported

Arun Patidar

Arun Patidar

Arun Patidar

Arun Patidar

Learn

Documentation

Events

Community

Support

Resources

Adobe account

Adobe