403 Forbidden errors for email campaign links clicked in email clients
This article addresses 403 Forbidden errors that occur when you click email campaign links in an email client, while the same links work when you open them directly in a browser. The issue affects friendly campaign URLs that are rewritten and evaluated by Dispatcher authorization logic. To fix this, review the Dispatcher auth_checker configuration, confirm rewrite handling, and restrict authorization checks to protected paths only.
Description description
Environment
Adobe Experience Manager (AEM) with Dispatcher
Issue/Symptoms
- Links in email campaigns return a 403 Forbidden error when you click them in an email client.
- The same URLs work correctly when you copy and open them directly in a browser.
- Affected URLs typically use friendly paths such as
/sc/...and include tracking parameters such asmkt_tok. - No changes were made to the AEM or Dispatcher configuration when the issue appeared or resolved.
Example error:
403 Forbidden You don’t have permission to access this resource.
Cause
The issue occurs when the Dispatcher auth_checker is configured too broadly, causing public campaign pages to be treated as protected content. This results in 403 errors for legitimate public links when friendly URLs are rewritten and evaluated against secured paths.
Resolution resolution
To address the issue, follow these steps:
-
Open the Dispatcher farm configuration file for the affected site and review the
auth_checkersection. Review thefilterorurlpatterns that determine which requests are evaluated by the authorization check. -
Review the rewrite rules for the affected campaign URLs.
- Confirm that friendly URLs such as
/sc/...are rewritten to/content/...paths. - Verify that
DispatcherUseProcessedURL 1is enabled so Dispatcher evaluates the rewritten URL.
- Confirm that friendly URLs such as
-
Restrict the scope of
auth_checkerso it is not applied broadly to public campaign paths (for example,/sc/*.html) and is limited only to paths that require authentication (for example,/content/secure/...). Use a configuration pattern such as the following:code language-none /auth_checker { ... /filter { /0001 { /glob "/content/secure/*" /type "allow" } /0002 { /glob "*" /type "deny" } } } -
Confirm that tracking parameters such as
mkt_tokdo not affect Dispatcher cache or authorization logic for public pages. -
Send a test email and verify that links under
/sc/...no longer return 403 Forbidden when you click them in an email client.