10 Replies Latest reply on Feb 18, 2013 3:09 AM by katrienj

    Permission sensitive caching

    katrienj Level 1

      Hello,

       

      I am trying to use permission sensitive caching on my website "www.domain.com" for resources that are in a particular location in the DAM. I want to make sure users are logged in when they download resources using this URL: www.domain.com/content/dam/secured/*.*

       

      That "secured" folder has been secured using a CUG.

       

      I've done the following:

       

      1) Configured the dispatcher.any file (under the website directive) with the following /URL:

      /url /custom/path/to/servlet

       

      2) I've configured the filter to check "/content/dam/secured/*.*"

       

      3) After restarting the dispatcher I can see from the logs that auth_checker is configured

       

      4) I've created a servlet that implements the doHead method of SlingAllMethodsServlet. The value of the path has been set to /custom/path/to/servlet. I added quite a bit of logging into this servlet.

       

      From the dispatcher's log file it looks like all is configured correctly. However, the servlet is never called. I don't see anything appear in the error.log (neither the logging I put in, nor any errors with that servlet). When I use the Sling resource resolver tool in system/console/ all seems to work fine when I type www.domain.com/custom/path/to/servlet?uri=test in the test box.

       

      Any suggestions about what else I can do to debug this? Has anyone else used permission sensitive caching before? Would you mind sharing your exact dispatcher details + servlet?

       

      Many thanks!

        • 1. Re: Permission sensitive caching
          Sham HC Level 7

          Hi katrienj

           

          What happens if you hit the page directly? Clear the webserver cache & reverify.

          Make sure cookies are allowed at the dispatcher. Hope you already followed http://helpx.adobe.com/cq/kb/PSCachingDelivery.html

           

          Thanks,

          Sham

          • 2. Re: Permission sensitive caching
            katrienj Level 1

            How do you allow a cookie at the dispatcher? What do you mean by this?

             

            I've tried everything, refreshing cache, etc.

             

            We think the problem may be due to SP2 that we recently installed. Lots of our servlets aren't being called anymore. Could that be an issue?

            • 3. Re: Permission sensitive caching
              Jörg Hoh Adobe Employee

              Hi katrienj,

               

              Please double-check that you have configured the right IP address :-) I would also check, using Wireshark, that the requests from the webserver reach the publish server at all.

               

              Personally, I have already used PSC multiple times, and it is working flawlessly for the purpose it was designed for.

               

              Jörg

              • 4. Re: Permission sensitive caching
                Yogesh Upadhyay Level 4

                Apart from the above suggestions, make sure that the PSC request is not filtered or rewritten. If PSC is working correctly you should see a message in dispatcher.log

                 

                Yogesh

                www.wemblog.com

                • 5. Re: Permission sensitive caching
                  katrienj Level 1

                  Hi everyone, thanks for your help. Unfortunately this seemingly easy-to-implement PSC is still not working. But I made a bit of progress:

                   

                  * The dispatcher filter: I had to allow everything, otherwise my request was never forwarded to the servlet

                  * The error.log in CQ now reports something like this:

                   

                  com.day.cq.wcm.core.impl.components.ComponentCacheImpl No component node found at /custom/path/to/servlet/permissioncheck.servlet

                   

                  * When I use the system/console resource resolver I get the following match:

                   

                  ServletResource, servlet=com.pearson.ped.elt.xxxxxxxxxxx.servlets.AuthcheckerServlet,  path=/custom/path/to/servlet/permissioncheck

                   

                  Any comments really appreciated. Cookies for the header have been allowed. Considering I see errors in the error.log, I think the request is not filtered / rewritten.

                  • 6. Re: Permission sensitive caching
                    katrienj Level 1

                    Could anyone please provide the exact servlet they are using to check the permission? I'd like to see all the configuration of the servlet. We have this at the moment - any obvious issues with this?

                     

                    import org.apache.felix.scr.annotations.Component;
                    import org.apache.felix.scr.annotations.Property;
                    import org.apache.felix.scr.annotations.Service;

                    import org.apache.sling.api.SlingHttpServletRequest;
                    import org.apache.sling.api.SlingHttpServletResponse;
                    import org.apache.sling.api.servlets.SlingSafeMethodsServlet;

                    import org.slf4j.Logger;
                    import org.slf4j.LoggerFactory;

                    import javax.jcr.Session;

                    @Component(metatype=false)
                    @Service
                    public class AuthcheckerServlet extends SlingSafeMethodsServlet {

                        private static final long serialVersionUID = 1L;

                        // path the servlet is registered under; the dispatcher's /url must point here
                        @Property(value="/custom/path/to/servlet/permissioncheck")
                        static final String SERVLET_PATH="sling.servlet.paths";

                        private final Logger logger = LoggerFactory.getLogger(this.getClass());

                        @Override
                        public void doHead(SlingHttpServletRequest request, SlingHttpServletResponse response) {

                            logger.info("AuthcheckerServlet doHead method started");

                            try {
                                // retrieve the requested URL (the dispatcher passes it as ?uri=...)
                                String uri = request.getParameter("uri");
                                logger.info("uri = {}", uri);

                                // obtain the JCR session of the requesting user
                                Session session = request.getResourceResolver().adaptTo(Session.class);

                                // perform the permissions check; checkPermission throws if READ is not granted
                                try {
                                    session.checkPermission(uri, Session.ACTION_READ);
                                    logger.info("authchecker says OK");
                                    response.setStatus(SlingHttpServletResponse.SC_OK);
                                } catch (Exception e) {
                                    // a missing uri or session also ends up here and is treated as denied
                                    logger.info("authchecker says READ access DENIED!");
                                    response.setStatus(SlingHttpServletResponse.SC_FORBIDDEN);
                                }
                            } catch (Exception e) {
                                logger.error("authchecker servlet exception: " + e.getMessage());
                                // fail closed: without this the response would keep its default 200 status
                                response.setStatus(SlingHttpServletResponse.SC_FORBIDDEN);
                            }

                            logger.info("AuthcheckerServlet doHead method finished");
                        }
                    }

                    • 7. Re: Permission sensitive caching
                      Scott Brodersen Adobe Employee

                      Is your custom path to the servlet registered in the Apache Sling Servlet/Script Resolver and Error Handler? (Configuration tab of the web console)

                       

                      -scott

                      • 8. Re: Permission sensitive caching
                        katrienj Level 1

                        It is registered in the sling servlet resolver: org.apache.sling.servlets.resolver.SlingServletResolver

                         

                        But not in the error handler. Where is that?

                         

                         

                        EDIT: it's the same thing, right: yes we've configured it there.

                        • 9. Re: Permission sensitive caching
                          katrienj Level 1

                          Hi, I can see that the request is correctly formed (has the /custom/path/permissioncheck?uri=.... showing up in the error log). But I get the following error logged:

                           

                          getAnonymousResolver: Anonymous access not allowed by configuration

                           

                           

                          It's the only error I see. Could I be misconfiguring my servlet? The servlet is included a few posts up.

                          • 10. Re: Permission sensitive caching
                            katrienj Level 1

                            Everyone,

                             

                            I think I finally managed to get it resolved. The problem was INDEED a rewriting conflict. Rather than the custom path, we now use /bin/permissioncheck/html in the servlet, and likewise in the dispatcher file (including the /html in the dispatcher config) and this seems to have FINALLY resolved it.

                             

                            Thanks for your help.
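
The dispatcher side of the setup discussed in this thread, as an added example that is not from any of the posters or from their actual configuration: an /auth_checker section for dispatcher.any using the servlet path given in the last post and the DAM glob from the first post. The rule numbers and the /headers rules are assumptions that follow the layout in Adobe's dispatcher documentation.

```text
# Added example, not from the thread. Goes inside the farm definition
# in dispatcher.any.
/auth_checker
  {
  # The dispatcher sends a HEAD request to this URL with
  # "?uri=<requested path>" appended. It has to be the same path the
  # servlet is registered under (sling.servlet.paths).
  # Value as written in the last post of the thread.
  /url "/bin/permissioncheck/html"

  # Only requests matching an "allow" rule here are checked against the
  # servlet; all other cached files are delivered unchecked.
  /filter
    {
    /0000
      {
      /glob "*"
      /type "deny"
      }
    # glob taken from the first post
    /0001
      {
      /glob "/content/dam/secured/*.*"
      /type "allow"
      }
    }

  # Header lines from the servlet's HEAD response that are passed on
  # to the client. Assumption: only cookies need to be passed on.
  /headers
    {
    /0000
      {
      /glob "*"
      /type "deny"
      }
    /0001
      {
      /glob "Set-Cookie:*"
      /type "allow"
      }
    }
  }
```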