Permission Sensitive Caching (PSC)

Permission Sensitive Caching

In AEM, we have both secured pages as well as public pages. Dispatcher provides the capability to cache all the pages but dispatcher doesn’t know about secured or un-secured pages, so it serves all the pages to an Anonymous user. To get rid of this problem, dispatcher needs to know whether a page is to be served to a particular user. In AEM, Permission Sensitive Caching(PSC) provides this functionality which enables you to cache secured pages. Dispatcher checks user’s access permissions for a page before displaying the cached page.

So, when any request comes to the dispatcher, it hits an AEM servlet to check the user permission.

 

Let’s elaborate PSC integration with AEM 6.4 and Dispatcher 2.4.

Step 1: Dispatcher configurations need to be updated as explained below:

a. Add this code in publish-farm :

/auth_checker
  {
  # request is sent to this URL with '?uri=<page>' appended
  /url "/content.pagePermission.getPermission"    
  # only the requested pages matching the filter section below are checked, all other pages get delivered unchecked
  /filter
    {
    /0000
      {
      /glob "*"
      /type "deny"
      }
    /0001
      {
      /glob "/content/we-retail/secure-pages/*.html"
      /type "allow"
      }
    }
  # any header line returned from the auth_checker's HEAD request matching the section below will be returned as well
  /headers
    {
    /0000
      {
      /glob "*"
      /type "deny"
      }
    /0001
      {
      /glob "Set-Cookie:*"
      /type "allow"
      }
    }
  }

Brief description about dispatcher configuration:

  • URL: The URL of the servlet that performs the security check.
  • filter: To specify specific folders on which permission sensitive caching is applied.
  • headers: Specifies the HTTP headers that the Authorization Servlet includes in the response.

b. Also, make sure allow Authorized is set to 1 under the cache configuration.

/cache
{
 ...
 allowAuthorized “1”   
 ...
}	

Note: Any page path which matches the PSC filters, the dispatcher will hit AEM servlet before serving the page from cache, so wisely define filters because network calls increase on each page hit.

 

Step 2: Now we must create a servlet in AEM which will check if the resource or page is authorized or not for the user who requests the web content and sends response Header.

Below is the Java Servlet to which dispatcher sends HEAD request :

import java.security.AccessControlException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
 
/**
* This servlet will validate that the requested page uri is accessible or not and then accordingly set the response header.
*
*/
@Component( service = Servlet.class,
property = { sling.servlet.methods= "HEAD", sling.servlet.resourceTypes = "sling/servlet/default” sling.servlet.selectors = {"pagePermission"}, sling.servlet.extensions = {"getPermission"})
public class AuthcheckerServlet extends SlingSafeMethodsServlet {
 
  /** The Constant LOGGER. */
  private static final Logger logger = LoggerFactory.getLogger(AuthcheckerServlet.class);
 
  /**
   * Method to handle the HEAD request for the servlet.
   * 
   * @param request - The request object.
   * @param response - The response object.
   *
   */
  @Override
  public void doHead(SlingHttpServletRequest request, SlingHttpServletResponse response) {
      logger.debug("Start of doHead Method");
      // retrieve the requested URL
      String uri = request.getParameter("uri");
      uri = uri.replace(HTML, EMPTY);
      // obtain the session from the request
      Session session = request.getResourceResolver().adaptTo(javax.jcr.Session.class);
      if (session != null) {
        try {
     // perform the permissions check
        session.checkPermission(uri, Session.ACTION_READ);
        response.setStatus(SlingHttpServletResponse.SC_OK);
      } catch (AccessControlException | RepositoryException e) {
          response.setStatus(SlingHttpServletResponse.SC_FORBIDDEN);
        }
      }
      else {
        response.setStatus(SlingHttpServletResponse.SC_FORBIDDEN);
      }
      logger.debug("End of doHead Method"); 
  }
}

 

Step 3: Restart the dispatcher and you are all set up.

 

Verification

To check if the Permission sensitive caching is working or not, goto dispatcher.log file, this message must be present there:

AuthChecker: initialized with URL ‘configured_url‘.

 

To Check the AuthChecker Servlet response, hit the following curl command:

  1. Without Authentication

curl –head http://publishserver:port/content.pagePermission.getPermission?uri=/content/we-retail/secure-pages/pageName.html

Response:

HTTP/1.1 403 Forbidden
Date: Tue, 04 Sep 2018 09:38:31 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 0

2. With Authentication

curl –head http://publishserver:port/content.pagePermission.getPermission?uri=/content/we-retail/secure-pages/pageName.html –user username: password

Response:

HTTP/1.1 200 OK
Date: Tue, 04 Sep 2018 09:42:19 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 0

 

AEM Dispatcher Setup for Linux

AEM Dispatcher Setup for Linux

Installing dispatcher for AEM in Apache Web-server in Linux may get little tricky, as documentation provided by Adobe on Installation of Dispatcher in Linux is not sufficient, and if we take it in analogy and try doing same way we do in Windows, then we face some issues locating the appropriate files.

Prerequisites for Dispatcher Setup
  • Apache 2.2 web-server – In Ubuntu 12.0 and higher, Apache 2.2 web-server is pre-installed, but in case it is not there, you can find the installation instructions here.
  • Dispatcher Module – Appropriate dispatcher module can be downloaded from Adobe Package Share.
Installation Instructions
  1. Considering Apache web-server is already setup in system, go ahead and extract dispatcher module using following command:
     tar -xvzf <dispatcher..xxxx..yyyy.tar.gz>
  2. Once you have extracted the files, now you have to move the appropriate files to their respective apt path.
  3. Move “dispatcher-apache2.x-4.1.x.so” to “/usr/lib/apache2/modules”. There you will find all the modules already being loaded by apache 2 webserver.
  4. Adobe recommends to give a soft name to your dispatcher module, but you don’t need it as once setup is done, you will be hardly using it again.
  5. Now go ahead and create a folder conf under “/etc/apache2/”, and move “dispatcher.any” file under this folder. Make sure that you don’t move your dispatcher.any file to ‘conf.d’ folder which is already present.
  6. Now is the time to edit and map module file that you added and map the dispatcher.any file. Go ahead and edit apache2.conf file present under “etc/apache2/”.
  7. Scroll to the end, put some nice comments about you adding some new configs, and add following:
    LoadModule dispatcher_module /usr/lib/apache2/modules/dispatcher-apache2.2-4.1.5.so
    
    <IfModule disp_apache2.c>
    # location of the configuration file. eg: 'conf/dispatcher.any'
    DispatcherConfig conf/dispatcher.any
    
    # location of the dispatcher log file. eg: 'logs/dispatcher.log'
    DispatcherLog /var/log/apache2/dispatcher.log
    
    # log level for the dispatcher log
    # 0 Errors
    # 1 Warnings
    # 2 Infos
    # 3 Debug
    DispatcherLogLevel 3
    
    # if turned to 1, the dispatcher looks like a normal module
    DispatcherNoServerHeader 0
    
    # if turned to 1, request to / are not handled by the dispatcher
    # use the mod_alias then for the correct mapping
    DispatcherDeclineRoot 0
    
    # if turned to 1, the dispatcher uses the URL already processed
    # by handlers preceeding the dispatcher (i.e. mod_rewrite)
    # instead of the original one passed to the web server.
    DispatcherUseProcessedURL 0
    
    # if turned to 1, the dispatcher does not spool an error
    # response to the client (where the status code is greater
    # or equal than 400), but passes the status code to
    # Apache, which e.g. allows an ErrorDocument directive
    # to process such a status code.
    DispatcherPassError 0
    </IfModule>
  8. Also add the following config to the end of apache2.conf file, which loads the dispatcher in web-server.
    <Directory />
    
    <IfModule disp_apache2.c> 
    # enable dispatcher for ALL request. if this is too restrictive, 
    # move it to another location
    SetHandler dispatcher-handler
    </IfModule>
    
    Options FollowSymLinks
    AllowOverride None
    
    </Directory>

    Comments given above are self explanatory but, you can still go and edit configs if needed as per following descriptions:

    • DispatcherConfig: Location and name of the configuration file (Can be given as an absolute or relative path)
    • DispatcherLog: Location and name of the log file (Can be given as an absolute or relative path)
    • DispatcherLogLevel: Log level for the log file
    • DispatcherNoServerHeader: Whether to use the Apache or CQ server header
    • DispatcherDeclineRoot: Defines whether to decline requests to the root “/”
    • DispatcherUseProcessedURL: Defines whether to use the original request URL or to use one already processed by other handlers (ie: mod_rewrite)
      • Note: This is essential for rewriting incoming links (stripping away the ‘content/{site_name}’)
    • DispatcherPassError: Defines whether CQ or Apache will handle HTTP 40x error codes
    • SetHandler (Apache parameter): Forces all matching files to be processed by a handler
  9. Make sure, that path that is provided for load module, matches with the path where you placed your dispatcher module. Also match the name and version of dispatcher module, and change the config as required.
  10. Now configure dispatcher.any file. Edit /renders section in dispatcher.any.
    /renders
    {
    /rend01
    {
    /hostname "localhost"
    [2]--> /port "80"
    }
    }
    /cache
    {
    /docroot "/var/cache/apache2/<cqcache>"
    }

    By default you may find port set to 8000 or 8080, change it to 80.
    Give whatever soft-name you want to give to your cache folder in place of “cqcache”

  11. Restart the apache server to let webserver take effect. You can restart apache server by using following command:
    sudo /etc/init.d/apache2 restart
  12. Once server is restarted and you get [OK] message, go and check /var/log/apache2/dispatcher.log file. If it says dispatcher initialized with correct cache path, it means dispatcher is successfully setup and ready to be used.

Now you just need to configure your CQ replication agent, and point dispatcher flush agents to correct port.

I tested this today itself i.e. 14th Oct 2013 on Ubuntu 13 64 bit debian based OS. It worked like wonder for me. Please post your comments and queries if you have any issues with it, and also if there are better ways to do it. Cheeeerz.