I know I can activate caching for pages that are called by an authorized user via /allowAuthorized "1" in the /cache section.
But if a page is cached it will be delivered to everyone calling it, even to anonymous users. Can I somehow check if the user is allowed to see the content or not?
Take a look at (1).
You can configure a section /auth_checker that defines

url: url to a script / servlet that will be called with a HEAD request if a valid page is requested. A page is valid, if it is in the filter section with /type "allow"
filter: defines which paths should be checked and which are delivered unchecked.
headers: configure additional headers here that are set in the servlet and should go to the frontend

Here is an example configuration from the Adobe online documentation:
    /auth_checker
      {
      # request is sent to this URL with '?uri=<page>' appended
      /url "/bin/permissioncheck"
      # only the requested pages matching the filter section below are checked,
      # all other pages get delivered unchecked
      /filter
        {
        /0000
          {
          /glob "*"
          /type "deny"
          }
        /0001
          {
          /glob "/content/secure/*.html"
          /type "allow"
          }
        }
      # any header line returned from the auth_checker's HEAD request matching
      # the section below will be returned as well
      /headers
        {
        /0000
          {
          /glob "*"
          /type "deny"
          }
        /0001
          {
          /glob "Set-Cookie:*"
          /type "allow"
          }
        }
      }
On the page there is also a sample servlet that can be used to check the user's permissions in AEM.
(1): https://docs.adobe.com/docs/en/dispatcher/permissions-cache.html
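
A servlet of the kind that /url "/bin/permissioncheck" points at, as an added example (not part of the original answer and not Adobe's sample servlet). It answers the HEAD request with 200 when the requesting user may read the page and 403 in every other case. The package and class names are hypothetical, and it assumes OSGi Declarative Services annotations and that the uri parameter is a repository path.

```java
package com.example.dispatcher; // hypothetical package name

import javax.jcr.Session;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;

/**
 * Handles the HEAD request sent to /bin/permissioncheck?uri=<page>
 * (path and parameter name taken from the configuration above).
 */
@Component(service = Servlet.class, property = {
        "sling.servlet.paths=/bin/permissioncheck",
        "sling.servlet.methods=HEAD"
})
public class PermissionCheckServlet extends SlingSafeMethodsServlet {

    @Override
    protected void doHead(SlingHttpServletRequest request, SlingHttpServletResponse response) {
        // Fail closed: every path that does not prove read access ends in 403.
        int status = HttpServletResponse.SC_FORBIDDEN;

        String uri = request.getParameter("uri");
        // JCR session of the user this HEAD request was authenticated as.
        Session session = request.getResourceResolver().adaptTo(Session.class);

        // Assumption: uri is an absolute repository path. Shortened or mapped
        // URLs would have to be resolved to a repository path first.
        if (uri != null && uri.startsWith("/") && session != null) {
            try {
                // Throws AccessControlException when read access is not granted.
                session.checkPermission(uri, Session.ACTION_READ);
                status = HttpServletResponse.SC_OK;
            } catch (Exception e) {
                // Access denied, repository error or malformed path: stay at 403.
            }
        }
        response.setStatus(status);
    }
}
```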