Objective

How to enable the permission sensitive caching feature of the dispatcher module.

Steps

This feature requires an additional servlet deployed to AEM: you need to write a servlet that responds to HEAD requests with the correct HTTP status code. After deployment, the dispatcher checks whether a user is allowed to access a cached URI by requesting /bin/permissioncheck.html?uri=<handle> with that user's request credentials.

  1. In order to enable permission sensitive caching, add the following section to your farm in the dispatcher.any configuration file.  The sample configuration below enables checking for html pages only.

    # Authorization checker: before a page in the cache is delivered, a HEAD
    # request is sent to the URL specified in 'url' with the query string
    # '?uri=<page>'. If the response status is 200 (OK), the page is returned
    # from the cache. Otherwise, the request is forwarded to the render and
    # its response returned.
    /auth_checker
      {
      # request is sent to this URL with '?uri=<page>' appended
      /url "/bin/permissioncheck.html"
          
      # only the requested pages matching the filter section below are checked,
      # all other pages get delivered unchecked
      /filter
        {
        /0000
          {
          /glob "*"
          /type "deny"
          }
        /0001
          {
          /glob "*.html"
          /type "allow"
          }
        }
      # any header line returned from the auth_checker's HEAD request matching
      # the section below will be returned as well
      /headers
        {
        /0000
          {
          /glob "*"
          /type "deny"
          }
        /0001
          {
          /glob "Set-Cookie:*"
          /type "allow"
          }
        }
      }
  2. Next, implement and deploy a servlet like the example below that responds to HEAD requests. A 200 response means the user is allowed to retrieve the file directly from the dispatcher cache; any status other than 200 means the request is not served from the cache but forwarded to the render instance instead.

    Below is sample code that implements the servlet for AEM 6 (thanks to Dominique):

[1] Sample Code

Note:

Sample code for the permission sensitive caching servlet.  The servlet below responds to HEAD requests with a 200 response if the authenticated user has access to view the specified URI.

dispatcher-psc-permissioncheck/core/src/main/java/com/adobe/support/security/dispatcher/PermissionHeadServlet.java
package com.adobe.support.security.dispatcher;

import java.io.IOException;

import javax.servlet.ServletException;

import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Answers the dispatcher's auth_checker HEAD request. The dispatcher calls
 * /bin/permissioncheck.html?uri=<page>; Sling resolves that to this servlet,
 * registered at the path /bin/permissioncheck, with "html" as the extension.
 */
@Component
@Service
@Property(name = "sling.servlet.paths", value = {"/bin/permissioncheck"})
public class PermissionHeadServlet extends SlingSafeMethodsServlet {
    private static final Logger log = LoggerFactory.getLogger(PermissionHeadServlet.class);

    @Override
    protected void doHead(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        String uri = request.getParameter("uri");
        if (uri == null || uri.isEmpty()) {
            // Nothing to check: never answer 200 by default. Without this guard,
            // resolve(null) would resolve to the repository root and grant access.
            response.setStatus(SlingHttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // The resolver is bound to the session of the user making the request, so a
        // page this user may not read resolves to a NonExistingResource. That lookup
        // is the actual permission check.
        Resource test = request.getResourceResolver().resolve(uri);
        if (test != null && !test.isResourceType(Resource.RESOURCE_TYPE_NON_EXISTING)) {
            response.setStatus(SlingHttpServletResponse.SC_OK);
        } else {
            log.debug("User {} may not read {}", request.getRemoteUser(), uri);
            response.setStatus(SlingHttpServletResponse.SC_UNAUTHORIZED);
        }
    }
}
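To make the two halves of the procedure concrete, the following added example models the dispatcher side of the exchange: which cached requests get checked (the /filter rules), the HEAD call to /bin/permissioncheck.html?uri=<page>, the serve-from-cache versus forward-to-render decision, and which of the checker's response headers reach the client (the /headers rules). This is illustration code written for this page, not the dispatcher module's own code and not Adobe's; the AEM servlet is replaced by a constructed stand-in, and it assumes that glob rule lists are evaluated in order with the last matching rule winning.

```python
"""Model of the dispatcher /auth_checker decision flow (added example, not dispatcher code)."""
from fnmatch import fnmatchcase
from typing import Callable, List, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Rule tables taken from the /auth_checker section above: (glob, type) in file order.
AUTH_FILTER = [("*", "deny"), ("*.html", "allow")]
HEADER_FILTER = [("*", "deny"), ("Set-Cookie:*", "allow")]
CHECK_URL = "/bin/permissioncheck.html"

# A HEAD function takes the checker URL and returns (status, header lines).
HeadFn = Callable[[str], Tuple[int, List[str]]]


def last_match_allows(rules: List[Tuple[str, str]], subject: str) -> bool:
    """Evaluate a glob rule list: the last rule whose glob matches decides.
    Assumption: this mirrors dispatcher filter semantics; with no match, deny."""
    decision = False
    for glob, kind in rules:
        if fnmatchcase(subject, glob):
            decision = kind == "allow"
    return decision


def decide(request_uri: str, head: HeadFn) -> Tuple[str, List[str]]:
    """Decide how a request for an already-cached page is answered.

    Returns (source, headers_to_client) where source is
      'cache-unchecked'  the /filter rules exclude this URI from checking,
      'cache'            the checker answered 200, serve the cached copy,
      'render'           any other status: forward to the render instance.
    """
    if not last_match_allows(AUTH_FILTER, request_uri):
        return "cache-unchecked", []
    status, headers = head(f"{CHECK_URL}?{urlencode({'uri': request_uri})}")
    if status != 200:
        return "render", []
    # Only header lines matching /headers are copied into the client response.
    return "cache", [h for h in headers if last_match_allows(HEADER_FILTER, h)]


def make_fake_checker(readable: Set[str]) -> Tuple[HeadFn, List[str]]:
    """Constructed stand-in for the AEM servlet (not the real one): 200 when the
    simulated user may read the uri, 401 otherwise. It also records every URL it
    was called with, so a test can prove the /filter short-circuit works."""
    calls: List[str] = []

    def head(url: str) -> Tuple[int, List[str]]:
        calls.append(url)
        uri = parse_qs(urlsplit(url).query).get("uri", [""])[0]
        if uri in readable:
            # Constructed header lines: one the /headers rules let through, one they drop.
            return 200, ["Set-Cookie: login-token=constructed; Path=/; HttpOnly",
                         "X-Internal: node42"]
        return 401, []

    return head, calls


if __name__ == "__main__":
    head, calls = make_fake_checker({"/content/site/secret.html"})
    print(decide("/content/site/secret.html", head))  # served from cache, Set-Cookie only
    print(decide("/content/site/other.html", head))   # forwarded to the render
    print(decide("/etc/designs/site.css", head))      # delivered unchecked
    print(calls)  # two checker calls: the .css request never reached the checker
```

The filter table is worth reading twice: the first rule denies everything, the second re-allows only `*.html`, so a cached CSS or image file is delivered without any checker round trip. If your protected content is served under other extensions (PDF downloads, JSON), the /filter section has to allow those globs too, otherwise they bypass the check entirely.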

Applies To

Dispatcher 4.0.2+ and AEM 6.x

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License. Posts on Twitter™ and Facebook are not covered by the Creative Commons terms.