Issues in Permission Sensitive Caching : Auth checker path in Sling Authenticator | Community
New Participant
October 30, 2023
Solved

Issues in Permission Sensitive Caching : Auth checker path in Sling Authenticator


Hi Team,

We have configured OKTA SAML for our project content directory /content/xyz and enabled auth_checker for all the secured pages in AEM (AEM as a Cloud Service) by following the documentation below:
https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/permissions-cache.html?lang=en
https://www.danklco.com/posts/2021/04/saml-authentication-aem-permissions-sensitive-caching.html


We enabled dispatcher caching and disabled CDN caching for secured content.

So, in a new session, when we hit the page URL directly in the browser for the first time (no cache), it redirects to the OKTA page correctly. But when the file is already in the cache and we hit that page URL in the browser, it tries to invoke the auth_checker service (/bin/auth/permissioncheck.html) with the SAML-enabled URL path.
Since the user is anonymous, it redirects to the forbidden page (403) instead of the OKTA redirect.

When I exclude the auth_checker path (/bin/auth/permissioncheck.html) in the Sling Authenticator, this 403 redirection is happening.

org.apache.sling.engine.impl.auth.SlingAuthenticator.cfg.json


If I include the auth checker path in the Sling Authenticator and the page is cached, then the page request goes to 404 with the below error:

/libs/granite/core/content/login.html?resource=%2Fbin%%2Fauthcheck%3Furi%3D%2Fcontent%2Fxyz%2Fen-us%2Fcollections%2Fall-products%2abc.html&$$login$$=%24%24login%24%24&j_reason=unknown&j_reason_code=unknown

In summary, when content is cached in the Dispatcher, the page request has issues in the below 2 scenarios:

1. If I include the auth checker path in the Sling Authenticator ---------> 404
2. If I exclude the auth checker path in the Sling Authenticator ---------> 403

What should we do in this scenario?

Expectation:

If the page is cached and there is no active session, then the new request to the AEM page should redirect to the OKTA page instead of 403 or 404.

Any ideas/suggestions on this issue?


CC: @kautuk_sahni  @joerghoh  @arunpatidar @aanchalsikka 


2 replies

kautuk_sahni
Employee
October 30, 2023

@rudra-2024 Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found the solution yourself, please share it with the community.

Kautuk Sahni
New Participant
October 30, 2023

My doubt/question is not cleared yet.

Question: The auth check servlet should not get called if the user is not logged in.
Is it possible with any configuration (like Sling Authenticator or Dispatcher configs)?

arunpatidar (Accepted solution)
New Participant
October 31, 2023

Hi @rudra-2024
The auth check servlet will be called for all requests if the file is cached and the rules are matched.

The Dispatcher calls the auth check servlet to check the authentication status; there is no way the Dispatcher can check the login status by itself, hence the Dispatcher asks the publisher.

Arun Patidar
arunpatidar
New Participant
October 30, 2023

Hi,

You need to create your own servlet instead of relying on /bin/auth/permissioncheck.html

1. In your servlet, check what the status of the user is and, if the user is not logged in, redirect to the login page.

2. If the user is logged in but does not have permission to access the page, then serve a 403.

Arun Patidar
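The two steps above, written out as an added example auth checker servlet. This is not code from the thread, from Adobe or from Okta: the servlet path /bin/auth/example/authcheck and the protected root /content/xyz/ are placeholders, and the login URL is the Granite login page that appears in the 404 URL in the question. It assumes, as that URL shows, that the Dispatcher passes the originally requested path as the uri query parameter, and, as the 403 in the question shows, that the Dispatcher relays the servlet's non-200 response (here a redirect) to the browser.

```java
// Added example of an auth checker servlet as suggested in the thread; not code from the
// thread or from Adobe. Servlet path and protected root are hypothetical placeholders.
package com.example.auth;

import java.io.IOException;
import java.net.URLEncoder;

import javax.servlet.Servlet;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;

@Component(service = Servlet.class, property = {
        // Hypothetical path: register the same path as the Dispatcher's auth_checker url.
        "sling.servlet.paths=/bin/auth/example/authcheck",
        "sling.servlet.methods=GET",
        "sling.servlet.methods=HEAD"
})
public class ExampleAuthCheckerServlet extends SlingSafeMethodsServlet {

    // Granite login page from the question; the redirect is relayed to the browser.
    private static final String LOGIN_PATH = "/libs/granite/core/content/login.html";
    // Only paths under the protected tree are checked; anything else is refused.
    private static final String PROTECTED_ROOT = "/content/xyz/";

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        check(request, response);
    }

    @Override
    protected void doHead(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        check(request, response);
    }

    private void check(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        // The Dispatcher passes the originally requested path as the "uri" parameter.
        String uri = request.getParameter("uri");
        if (uri == null || !uri.startsWith(PROTECTED_ROOT) || uri.contains("..")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Never let the authorisation decision itself be cached.
        response.setHeader("Cache-Control", "no-store");

        ResourceResolver resolver = request.getResourceResolver();
        String userId = resolver.getUserID();

        // Step 1: anonymous (no session) -> send the browser to the login page, not a bare 403.
        if (userId == null || "anonymous".equals(userId)) {
            response.sendRedirect(LOGIN_PATH + "?resource=" + URLEncoder.encode(uri, "UTF-8"));
            return;
        }

        // Step 2: logged in -> resolve the page with the user's own session. JCR read
        // access is enforced by the resolver, so null means "not readable for this user".
        Resource page = resolver.getResource(stripExtension(uri));
        if (page == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Authorised: 200 tells the Dispatcher it may serve the cached file.
        response.setStatus(HttpServletResponse.SC_OK);
    }

    // "/content/xyz/en-us/page.html" -> "/content/xyz/en-us/page" (drops selectors too).
    private static String stripExtension(String uri) {
        int slash = uri.lastIndexOf('/');
        int dot = uri.indexOf('.', slash + 1);
        return dot < 0 ? uri : uri.substring(0, dot);
    }
}
```

The login redirect keeps the requested page in the resource parameter, the same shape as the Granite URL in the question, so the user lands back on the page after authenticating. Because the resolver is the requesting user's own session, step 2 needs no extra ACL logic: a page the user may not read simply does not resolve.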
New Participant
October 30, 2023

Hi Arun, thanks for the response.

Yes, I have my own servlet. For security's sake I didn't mention the actual path in the question (it is like /bin/auth/xx/yy/authcheck).



1. In your servlet, check what the status of the user is and, if the user is not logged in, redirect to the login page.

I am checking the user status and the user is anonymous (meaning not logged in). I can redirect to the login/Okta page here.
My doubt is that the auth check servlet should not get called if the user is not logged in.

2. If the user is logged in but does not have permission to access the page, then serve a 403.

Yes, it is taken care of in the servlet and working as expected.