Implementing Access Control on AEM EDS Sites

The new AEM Edge Delivery Services provide an infrastructure to deliver high performance websites.

One feature that is a challenge to achieve is protecting access to specific resources (gated access, closed user groups).

The presentation proposes a solution to implement access control for multiple user groups using edge functions (e.g. CloudFlare Workers or Akamai EdgeWorkers).

Robert

Will your approach work as well if you have public and restricted content, which should only be shown if the user has permission, mixed in the same page? So one user sees only the public part, another the public and the restricted part.

Tomasz Sobczyk

We do stuff like this - we use Edge functions as well to coordinate that. Of course you can also inject content using AJAX

This notably uses CloudFlare via "bring your own CDN". Any way to do it with the "Adobe-managed CDN (Fastly?)" in e.g. AEMaaCS?

ben-zahler

Fastly does have a feature "Edge Compute" that is comparable to CloudFlare Workers and Akamai EdgeWorkers. We did not actually check whether "Edge Compute" works for this, but generally I feel like this feature can be expected from an enterprise-level CDN in 2024.

If you have a specific component on a public page, but the content this component shows is specific to some logged-in users, is it possible to manage this at component/block level?

ben-zahler

Personalizing a component is quite a different concept than enforcing access control. If you have multiple versions for different user groups, one thing that works well is to create a second cookie that contains the user segment and implement a way to render variations of your component based on that segment information. Make sure to check on every request that the cookie for the FE and the one for authentication are created for the same login id.

puradawid

Probably more a question for Adobe: perhaps this mechanism could be incorporated into Edge Delivery Services natively?

Remo Liechti

When you change the headers spreadsheet in EDS, will this flush the outer-CDN cache? How do you ensure that a page that is moved from public to member/secret gets blocked from visitors that had seen it previously?