Querying asset in CUG

Guglielmo_Francesconi
Level 2

Hello,

I have the need to retrieve assets through GET calls, only if I'm logged in (reserved assets).

I've tried using the CUG, setting a user as a viewer; then, when I've published the folder and also the asset, I try with Postman to access the resource with basic authentication (of course the user that is in the CUG settings of the folder) and I get a 404 resource not found error.

What is the correct process to retrieve those assets with a GET call?

Thank you,

Guglielmo

11 Replies
Guglielmo_Francesconi
Level 2

Updating:

The error shows only through the dispatcher: if I call the asset from the 2 publish instances with the correct basic authentication, the CUG configuration works as expected. Does anybody know if there is a specific CUG configuration for the dispatchers?

Guglielmo_Francesconi
Level 2

I'm not sure I've fully understood this guide, because I've implemented the servlet, but if I try to call it with this URL: http://localhost:4502/bin/permissioncheck?uri=/content/dam/folder/reserved/image.jpg

the response is:

Method GET not supported

Cannot serve request to /bin/permissioncheck in AuthcheckerServlet

Even if I call the servlet from author or publish directly, it doesn't seem to work.

I've not used the org.apache.felix.scr.annotations, since they are deprecated, but instead I wrote this:

import static org.apache.sling.api.servlets.ServletResolverConstants.SLING_SERVLET_PATHS;
import javax.servlet.Servlet;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;

// SlingSafeMethodsServlet replies "Method X not supported" for any HTTP method whose doX() is not overridden
@Component(service = Servlet.class, immediate = true,
           property = { SLING_SERVLET_PATHS + "=/bin/permissioncheck" })
public class AuthcheckerServlet extends SlingSafeMethodsServlet {

Could this be the error?

Guglielmo_Francesconi
Level 2

OK, I verified that this configuration is working for .html pages but not for assets, which is what I need.

I've also tried with the filter

/0000
  {
  /glob "*"
  /type "allow"
  }

and it's still not working for assets

Arun_Patidar
Community Advisor

/filter
  {
  /0000
    {
    /glob "*"
    /type "deny"
    }
  /0001
    {
    /glob "/content/secure/*.html"
    /type "allow"
    }
  /0010 { /glob "/content/dam/secure/*.pdf" /type "allow" }
  /0012 { /glob "/content/dam/secure/*.doc" /type "allow" }
  }

Guglielmo_Francesconi
Level 2

I've already used this kind of filter and it seems to be working, but only for non-secured folders, which is not so useful in my opinion.
These are the cases for the Postman calls:

  • /content/dam/secure has CUG user set:
    • Publisher without CUG basic auth: not working
    • Publisher with CUG basic auth: working
    • Dispatcher without CUG basic auth: not working (no HEAD servlet auth call)
    • Dispatcher with CUG basic auth: not working (no HEAD servlet auth call)
  • /content/dam/secure has no CUG user set:
    • Publisher without CUG basic auth: working
    • Publisher with CUG basic auth: working
    • Dispatcher without CUG basic auth: working (HEAD servlet auth call)
    • Dispatcher with CUG basic auth: working (HEAD servlet auth call)

Arun_Patidar
Community Advisor

Hi,

For assets, if you applied CUG, it will only be applied to the immediate child assets.
Could you try to add CUG to the asset and check whether you are getting the HEAD request or not?

Ideally it should work.

We are also using this feature to protect pages as well as assets.

Guglielmo_Francesconi
Level 2

I've tried setting the CUG for the single assets but it's not possible. It's also stated in this guide: https://experienceleague.adobe.com/docs/experience-manager-learn/assets/advanced/closed-user-groups....

It seems that if the user has no permissions over the CUG-protected folder, he/she can't call the authentication servlet either, which makes it useless. The strange behaviour is that it happens only with the dispatcher.

Guglielmo_Francesconi
Level 2

I've managed to resolve the issue:

  • The custom authentication servlet was not being called due to a code error inside a custom 404 handler
  • The authentication servlet was not getting the basic authorization information because the "/clientheaders" section of the dispatcher farm did not include the "Authorization" header

Thank you @Arun_Patidar for all the support!
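Pulling together Arun's auth-checker filter and the /clientheaders fix from the last reply, here is an added Dispatcher farm fragment (not from the original posts, and not Adobe's reference configuration) showing the pieces that have to line up for CUG-protected assets behind the Dispatcher. The render host and port, the docroot and the /content/dam/secure path are assumptions; the farm's own /filter section, which must also allow those URLs, is omitted.

```text
/publish
  {
  # Forward the client's basic-auth credentials. Without "Authorization" in
  # this list the Dispatcher drops it, the auth checker runs as anonymous,
  # and every CUG-protected asset is denied.
  /clientheaders
    {
    "Authorization"
    "Cookie"
    "Host"
    "Accept"
    "Accept-Encoding"
    "If-Modified-Since"
    "If-None-Match"
    }
  /virtualhosts { "*" }
  /renders { /rend01 { /hostname "127.0.0.1" /port "4503" } }
  /cache
    {
    /docroot "/var/www/html"
    /rules { /0000 { /glob "*" /type "allow" } }
    # Responses to requests carrying Authorization are not cached unless this
    # is "1"; with permission-sensitive caching the cached copy is only served
    # after the auth checker has approved the request.
    /allowAuthorized "1"
    }
  # For a request for a cached file whose path matches an "allow" glob below,
  # the Dispatcher sends HEAD /bin/permissioncheck?uri=<path> to publish with
  # the forwarded client headers. Only a 200 serves the cached copy; anything
  # else is passed to publish, which enforces the CUG itself.
  /auth_checker
    {
    /url "/bin/permissioncheck"
    /filter
      {
      /0000 { /glob "*" /type "deny" }
      /0001 { /glob "/content/secure/*.html" /type "allow" }
      # Cover the assets themselves, not only specific extensions.
      /0002 { /glob "/content/dam/secure/*" /type "allow" }
      }
    # Response headers from the checker that may be passed back to the client.
    /headers
      {
      /0000 { /glob "*" /type "deny" }
      /0001 { /glob "Set-Cookie:*" /type "allow" }
      }
    }
  }
```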