Secure cached content in dispatcher.

sahilg75191328

27-10-2019

Hi Everyone,

I have implemented the auth_checker for secure content in dispatcher. I have added the below configuration in dispatcher.

I am using the below documentation for implementing the same.

https://docs.adobe.com/content/help/en/experience-manager-dispatcher/using/configuring/permissions-c...

/auth_checker
  {
  /url "/bin/app/permissioncheck"
  /filter
    {
    /0000
      {
      /glob "*"
      /type "deny"
      }
    /0001
      {
      /glob "/content/we-retail/us/en/*.html"
      /type "allow"
      }
    }
  /headers
    {
    /0000
      {
      /glob "*"
      /type "deny"
      }
    /0001
      {
      /glob "Set-Cookie:*"
      /type "allow"
      }
    }
  }

From the servlet I am returning the below response:

response.setStatus(SlingHttpServletResponse.SC_FORBIDDEN);

I am still able to see that the content is getting served by the dispatcher.

Dispatcher logs:

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Found farm website for localhost:8080

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] checking [/content/we-retail/us/en/men.html]

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] never flushed [C:\software\dispatcher\apache\htdocs\content\we-retail\us\.stat] -> use cache [C:\software\dispatcher\apache\htdocs\content\we-retail\us\en\men.html]

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Dropping socket after 79 seconds of inactivity: localhost:4503

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Creating new socket: localhost:4503

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Authorization checker: connected to backend rend01 (localhost:4503)

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Host

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Pragma

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Cache-Control

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Upgrade-Insecure-Requests

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: User-Agent

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Sec-Fetch-Mode

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Sec-Fetch-User

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Accept

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Sec-Fetch-Site

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Accept-Encoding

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Accept-Language

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Cookie

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Authorization checker: backend answered with status code: 500

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] No socket reuse: response body not fully consumed

[Sun Oct 27 14:39:22 2019] [I] [pid 45516 (tid 1564)] authorization checker denied access: C:\software\dispatcher\apache\htdocs\content\we-retail\us\en\men.html

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] cache-action for [/content/we-retail/us/en/men.html]: NONE

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Creating new socket: localhost:4503

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Connected to backend rend01 (localhost:4503)

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Host

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Pragma

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Cache-Control

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Upgrade-Insecure-Requests

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: User-Agent

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Sec-Fetch-Mode

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Sec-Fetch-User

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Accept

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Sec-Fetch-Site

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Accept-Encoding

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Accept-Language

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Cookie

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Via

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: X-Forwarded-For

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Adding request header: Server-Agent

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] response.status = 200

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] response.headers[Date] = "Sun, 27 Oct 2019 09:09:22 GMT"

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] response.headers[X-Content-Type-Options] = "nosniff"

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] response.headers[Content-Type] = "text/html; charset=UTF-8"

[Sun Oct 27 14:39:22 2019] [D] [pid 45516 (tid 1564)] Storing socket for later reuse: localhost:4503

[Sun Oct 27 14:39:22 2019] [I] [pid 45516 (tid 1564)] "GET /content/we-retail/us/en/men.html" 200 26929 190ms [website/rend01]

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1564)] Found farm website for localhost:8080

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1564)] checking [/etc.clientlibs/weretail/clientlibs/clientlib-dependencies.css]

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1564)] never flushed [C:\software\dispatcher\apache\htdocs\etc.clientlibs\weretail\clientlibs\.stat] -> use cache [C:\software\dispatcher\apache\htdocs\etc.clientlibs\weretail\clientlibs\clientlib-dependencies.css]

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1564)] Authorization checker: URI does not match filter, will not be checked: /etc.clientlibs/weretail/clientlibs/clientlib-dependencies.css

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1564)] cache-action for [/etc.clientlibs/weretail/clientlibs/clientlib-dependencies.css]: DELIVER

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1564)] request declined

[Sun Oct 27 14:39:23 2019] [I] [pid 45516 (tid 1564)] "GET /etc.clientlibs/weretail/clientlibs/clientlib-dependencies.css" - - 3ms [website/-]

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1696)] Found farm website for localhost:8080

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1696)] checking [/etc.clientlibs/weretail/clientlibs/clientlib-dependencies.js]

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Found farm website for localhost:8080

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] checking [/etc.clientlibs/clientlibs/granite/jquery-ui.css]

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1696)] never flushed [C:\software\dispatcher\apache\htdocs\etc.clientlibs\weretail\clientlibs\.stat] -> use cache [C:\software\dispatcher\apache\htdocs\etc.clientlibs\weretail\clientlibs\clientlib-dependencies.js]

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1696)] Authorization checker: URI does not match filter, will not be checked: /etc.clientlibs/weretail/clientlibs/clientlib-dependencies.js

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] never flushed [C:\software\dispatcher\apache\htdocs\etc.clientlibs\clientlibs\granite\.stat] -> use cache [C:\software\dispatcher\apache\htdocs\etc.clientlibs\clientlibs\granite\jquery-ui.css]

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1696)] cache-action for [/etc.clientlibs/weretail/clientlibs/clientlib-dependencies.js]: DELIVER

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Authorization checker: URI does not match filter, will not be checked: /etc.clientlibs/clientlibs/granite/jquery-ui.css

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1696)] request declined

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] cache-action for [/etc.clientlibs/clientlibs/granite/jquery-ui.css]: DELIVER

[Sun Oct 27 14:39:23 2019] [I] [pid 45516 (tid 1696)] "GET /etc.clientlibs/weretail/clientlibs/clientlib-dependencies.js" - - 4ms [website/-]

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] request declined

[Sun Oct 27 14:39:23 2019] [I] [pid 45516 (tid 1884)] "GET /etc.clientlibs/clientlibs/granite/jquery-ui.css" - - 4ms [website/-]

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1564)] Found farm website for localhost:8080

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1564)] checking [/etc.clientlibs/weretail/clientlibs/clientlib-base.css]

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1564)] never flushed [C:\software\dispatcher\apache\htdocs\etc.clientlibs\weretail\clientlibs\.stat] -> use cache [C:\software\dispatcher\apache\htdocs\etc.clientlibs\weretail\clientlibs\clientlib-base.css]

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1564)] Authorization checker: URI does not match filter, will not be checked: /etc.clientlibs/weretail/clientlibs/clientlib-base.css

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1564)] cache-action for [/etc.clientlibs/weretail/clientlibs/clientlib-base.css]: DELIVER

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1564)] request declined

[Sun Oct 27 14:39:23 2019] [I] [pid 45516 (tid 1564)] "GET /etc.clientlibs/weretail/clientlibs/clientlib-base.css" - - 3ms [website/-]

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Found farm website for localhost:8080

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] checking [/etc/designs/we-retail.css]

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] cachefile does not exist: C:\software\dispatcher\apache\htdocs\etc\designs\we-retail.css

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] try to create new cachefile: C:\software\dispatcher\apache\htdocs\etc\designs\we-retail.css

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] cache-action for [/etc/designs/we-retail.css]: CREATE

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Reusing socket: localhost:4503

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Connected to backend rend01 (localhost:4503)

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Adding request header: Host

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Adding request header: Pragma

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Adding request header: Cache-Control

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Adding request header: Sec-Fetch-Mode

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Adding request header: User-Agent

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Adding request header: Accept

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Adding request header: Sec-Fetch-Site

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Adding request header: Referer

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Adding request header: Accept-Encoding

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Adding request header: Accept-Language

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Adding request header: Cookie

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Adding request header: Via

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Adding request header: X-Forwarded-For

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] Adding request header: Server-Agent

[Sun Oct 27 14:39:23 2019] [I] [pid 45516 (tid 1884)] Zero content length, cache file C:\software\dispatcher\apache\htdocs\etc\designs\we-retail.css won't be created

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] response.status = 200

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] response.headers[Date] = "Sun, 27 Oct 2019 09:09:23 GMT"

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] response.headers[X-Content-Type-Options] = "nosniff"

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] response.headers[Content-Type] = "text/css; charset=UTF-8"

[Sun Oct 27 14:39:23 2019] [D] [pid 45516 (tid 1884)] response.headers[Content-Length] = "0"

Can someone please help me with what else could be the reason why this is serving the content, even though in the dispatcher logs I am able to see

authorization checker denied access: C:\software\dispatcher\apache\htdocs\content\we-retail\us\en\men.html

Thanks in advance.


Accepted Solutions (1)


Jörg_Hoh

Employee

28-10-2019

Then both the authchecker servlet and the page rendering need to do the same: check this cookie. The authchecker returns a non-200 status code, and the page rendering will also return a non-200 status code.

While on the authchecker this can be implemented easily, for the check before the page rendering you need more complex logic. I would write a request filter and check the cookie if these page(s) are requested.

Answers (2)


sahilg75191328

28-10-2019

Thanks Jörg for replying.

We have a use case where we have a few protected pages in AEM which contain secured data, and we have to return this content on the basis of a token value kept inside a browser cookie. To achieve this we have added the auth_checker configuration in dispatcher, and the servlet is validating the token, but that is not working with this approach.

So, can you please suggest an approach for how we can achieve this use case.

Jörg_Hoh

Employee

27-10-2019

I typically explain the behavior of permission sensitive caching (PSC) like this:

* It acts as a cache, trying to eliminate the heavy process of rendering the page. But nevertheless it has to validate that the incoming request is allowed to see the requested content.

* Thus PSC makes a request to the specified URL. If this URL returns a "200", the file is delivered from the cache.

* In any other case, PSC assumes that something more complex is required and forwards the initial request to AEM; the response from AEM is then streamed back to the requester.

Thus: if your authchecker servlet returns a status code not equal to 200, the dispatcher will perform the request as if PSC was not configured at all. That means that to properly use PSC you need to enable CUG as well. You cannot implement a permission model based only on the authchecker servlet.
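A sketch of the request filter from the accepted solution, consistent with the PSC behaviour explained above: when the authchecker answers non-200 and the dispatcher forwards the request to AEM, this filter denies the rendering with the same cookie check. It is an added example, not code from this thread or from Adobe; the package name, the cookie name "token", the filter pattern and the placeholder token validation are assumptions.

```java
package com.example.psc; // hypothetical package

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.osgi.service.component.annotations.Component;

/**
 * Denies protected page renderings when the token cookie is missing or invalid.
 * The auth_checker servlet must call the same hasValidToken() check, so that the
 * cache-hit path (dispatcher) and the forwarded-request path (AEM) agree.
 */
@Component(service = Filter.class, property = {
        "sling.filter.scope=REQUEST",
        // same pages as the /auth_checker /filter /0001 glob in the dispatcher config
        "sling.filter.pattern=/content/we-retail/us/en/.*",
        "service.ranking:Integer=1000"
})
public class ProtectedPageFilter implements Filter {

    static final String TOKEN_COOKIE = "token"; // assumed cookie name

    /** Shared check; placeholder body, replace with the real token validation. */
    static boolean hasValidToken(Cookie cookie) {
        return cookie != null && cookie.getValue() != null && !cookie.getValue().isEmpty();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        SlingHttpServletRequest request = (SlingHttpServletRequest) req;
        // only page renderings are protected; other extensions pass through
        boolean isPage = "html".equals(request.getRequestPathInfo().getExtension());
        if (isPage && !hasValidToken(request.getCookie(TOKEN_COOKIE))) {
            // non-200, as the authchecker returns, so no page body is rendered or cached
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

After deploying, verify with the same request that produced the log above: the forwarded request should now log a 403 from AEM instead of "response.status = 200".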