Authorization - Permissions for public and secure portions of site | Community
Skip to main content
rohits9014799
rohits9014799
New Participant
October 16, 2015
Solved

Authorization - Permissions for public and secure portions of site

  • October 16, 2015
  • 2 replies
  • 847 views

Hi,

I have two portions of site. One is public to all where as other one is secure (which will have couple of pages) . User will login from the public portion of the site (from Sign-In link in public navigation) and will redirect to Secure portion home page. 

How I have implemented this is by making redirect page in default login component to /content/<mysite>/<secure-home-page>.   I have created a secure-user group and only this group will have read access to the secure portion of the site. So if any user who doesnt belong to this group tries to login, he gets 404 page. But what i want is a custom page or pop-up where user will get a message that He doesnt have access to visit this area.

Can someone please help how this can be done?

Thanks

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by Yogesh_Upadhyay

Rohit,

If user do not have access to page then they get 403 status code. But since for CQ no access = pages does not exist, thats why you are seeing 404 page. You can always extend your 404 under /apps/sling/servlet/errorhandler/default.jsp and 404.jsp to show correct behavior. You can also manage your custom redirect or pop up here.

Sample code snippet for default.jsp 

 

int statusCode = (scObject != null) ? scObject.intValue() : HttpServletResponse.SC_INTERNAL_SERVER_ERROR;

    

    if(statusCode==404){

        boolean pageExist = true;

        ResourceResolverFactory rrfac = sling.getService(ResourceResolverFactory.class);

        Map<String,Object> authInfo = new HashMap<String,Object>();

        //Change this code in future to use read only user

        authInfo.put(ResourceResolverFactory.USER_IMPERSONATION,"SOME USER WITH READ ACCESS");

        ResourceResolver rr=null;

        try{

            rr = rrfac.getAdministrativeResourceResolver(authInfo);

            //You want to ideally check for .html resources. All other resources should be egnored

            pageExist = (!slingRequest.getRequestURI().endsWith(".json") && !slingRequest.getRequestURI().endsWith(".xml") && !(rr.resolve(slingRequest,slingRequest.getRequestURI()) instanceof NonExistingResource)); 

        }catch(Exception e){

            pageExist=false;

        }finally{

            if(rr!=null){

                rr.close();

            }

        }

        

    

        // Handle 403

        

        if(pageExist && statusCode==404){

            Externalizer externalizer = sling.getService(Externalizer.class);

            if ( url.contains("/SOMELINK/") ){

                pageURL = YOUR CUSTOM 403 PAGE;

 

             }else{

                 pageURL = SOME OTHER CUSTOM 403;

             }

            

            statusCode = 403;

        }

        

 

Yogesh    

2 replies

Yogesh_Upadhyay
Yogesh_UpadhyayAccepted solution
New Participant
October 16, 2015

Rohit,

If user do not have access to page then they get 403 status code. But since for CQ no access = pages does not exist, thats why you are seeing 404 page. You can always extend your 404 under /apps/sling/servlet/errorhandler/default.jsp and 404.jsp to show correct behavior. You can also manage your custom redirect or pop up here.

Sample code snippet for default.jsp 

 

int statusCode = (scObject != null) ? scObject.intValue() : HttpServletResponse.SC_INTERNAL_SERVER_ERROR;

    

    if(statusCode==404){

        boolean pageExist = true;

        ResourceResolverFactory rrfac = sling.getService(ResourceResolverFactory.class);

        Map<String,Object> authInfo = new HashMap<String,Object>();

        //Change this code in future to use read only user

        authInfo.put(ResourceResolverFactory.USER_IMPERSONATION,"SOME USER WITH READ ACCESS");

        ResourceResolver rr=null;

        try{

            rr = rrfac.getAdministrativeResourceResolver(authInfo);

            //You want to ideally check for .html resources. All other resources should be egnored

            pageExist = (!slingRequest.getRequestURI().endsWith(".json") && !slingRequest.getRequestURI().endsWith(".xml") && !(rr.resolve(slingRequest,slingRequest.getRequestURI()) instanceof NonExistingResource)); 

        }catch(Exception e){

            pageExist=false;

        }finally{

            if(rr!=null){

                rr.close();

            }

        }

        

    

        // Handle 403

        

        if(pageExist && statusCode==404){

            Externalizer externalizer = sling.getService(Externalizer.class);

            if ( url.contains("/SOMELINK/") ){

                pageURL = YOUR CUSTOM 403 PAGE;

 

             }else{

                 pageURL = SOME OTHER CUSTOM 403;

             }

            

            statusCode = 403;

        }

        

 

Yogesh    

rohits9014799
rohits9014799Author
New Participant
October 16, 2015

Thanks Yogesh,

That was a nice explanation. So by your reply i believe my approach using the groups is ok. 

I have another use case here. I have multiple sites and every site will have its own security group. So will this 404 jsp be able to handle for all? 

Thanks

Rohit

Terms & ConditionsAccessibility statement

Loading footer...