Details
- Improvement
- Status: Closed
- Normal
- Resolution: Fixed
Description
It should be possible for the preview to require a login, so that only certain JCR session users are allowed to view the preview.
Also see the thread started by Jettro:
http://n2.nabble.com/Secure-the-preview-site-tc3864221.html#a3864221
Suggestions from Bart:
------------------------------------------------------------------------------------------------------------------------
An idea is to test if a user has a certain privilege on /content/documents.
Let's call this privilege "hippo:previewViewer".
What you would need to do is:
- create a security:domain "content-documents" which (only) contains the "/content/documents" node in /hippo:configuration/hippo:domains
- create a role "previewViewer" with the privilege "hippo:previewViewer" in /hippo:configuration/hippo:roles
- create a group "previewers" in /hippo:configuration/hippo:groups (with the CMS)
- create an authrole which assigns the role previewViewer to the group previewers in the domain "content-documents" (with the CMS)
Now you can maintain all the users who are allowed to see the preview in the group previewers with the CMS.
Of course the HST also needs to support a login and perform the privileges check.
------------------------------------------------------------------------------------------------------------------------
You shouldn't use the user for the HST. If you could just stick with BasicAuth, then you can just do the following before you start rendering a page:
1. do login(creds)
2. check privileges on node
3. logout user
4. if 1 and 2 are successful, continue rendering the preview as normal (with session pool etc.), else show a 403 error
------------------------------------------------------------------------------------------------------------------------
Yes this should be trivial and sufficient in most use cases. Something
like (not tested/copy/paste):
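// Fragment of a servlet; repositoryLocation and log are fields of the enclosing class.
// Bodies that were lost from the snippet as posted are marked "reconstructed".
protected void doCheck(HttpServletRequest req, HttpServletResponse res)
        throws ServletException, IOException {
    req.setCharacterEncoding("UTF-8");
    res.setContentType("text/html;charset=UTF-8");
    String checkPath = "/content/documents";
    String username = null;
    String password = null;
    String authhead = req.getHeader("Authorization");
    if (authhead != null) {
        try { // reconstructed: decode "Basic " + base64(user:password)
            String userpass = new String(java.util.Base64.getDecoder().decode(authhead.substring(6).trim()), "UTF-8");
            int sep = userpass.indexOf(':');
            username = userpass.substring(0, sep);
            password = userpass.substring(sep + 1);
        } catch (RuntimeException malformed) { username = null; } // malformed header: challenge below
    }
    if (username == null || password == null) { // reconstructed: ask for Basic credentials
        res.setHeader("WWW-Authenticate", "Basic realm=\"Repository\"");
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "");
        return;
    }
    HippoRepository repository = null;
    Session session = null;
    try {
        repository = HippoRepositoryFactory.getHippoRepository(repositoryLocation);
        if (repository != null) {
            try { // reconstructed; assumes the privilege name is accepted as a checkPermission action
                session = repository.login(username, password.toCharArray());
                session.checkPermission(checkPath, "hippo:previewViewer");
            } catch (LoginException ex) {
                res.setHeader("WWW-Authenticate", "Basic realm=\"Repository\"");
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "");
                return;
            } catch (AccessControlException e) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN, "");
                return;
            }
        } else {
            res.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            log.error("FAILURE - Failed to obtain repository.");
            return;
        }
    } catch (RepositoryException ex) {
        res.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        log.error(ex.getClass().getName() + ": " + ex.getMessage());
        return;
    } finally {
        if (repository != null && session != null && session.isLive()) {
            session.logout(); // reconstructed: step 3, never keep the visitor's session
        }
    }
}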
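The Basic-auth parsing step that doCheck depends on, as an added example that is not part of the original issue or of Hippo's code; the class name BasicCredentials and the sample headers are assumptions constructed here. It returns null in every case where the check should answer with the 401 challenge instead of attempting a repository login.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added example (hypothetical helper): strict parsing of an HTTP Basic Authorization header. */
public class BasicCredentials {
    final String username;
    final char[] password;

    private BasicCredentials(String username, char[] password) {
        this.username = username;
        this.password = password;
    }

    /** Returns the credentials, or null when the caller should send the 401 challenge. */
    static BasicCredentials parse(String header) {
        // The scheme name is case-insensitive; anything but "Basic " is rejected.
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // payload is not valid base64
        }
        String userpass = new String(raw, StandardCharsets.UTF_8);
        int sep = userpass.indexOf(':'); // split on the first colon: the password may contain more
        if (sep <= 0) {
            return null; // no separator, or an empty user name
        }
        return new BasicCredentials(userpass.substring(0, sep),
                userpass.substring(sep + 1).toCharArray());
    }

    public static void main(String[] args) {
        // Constructed sample headers, not taken from the issue.
        Base64.Encoder enc = Base64.getEncoder();
        String good = enc.encodeToString("editor:s3cret:with:colons".getBytes(StandardCharsets.UTF_8));
        String noColon = enc.encodeToString("nocolon".getBytes(StandardCharsets.UTF_8));
        String[] samples = { "Basic " + good, "basic " + good, "Basic !!!notbase64",
                "Basic " + noColon, "Bearer abc", null };
        for (String h : samples) {
            BasicCredentials c = parse(h);
            System.out.println(h + " -> " + (c == null ? "401 challenge"
                    : "login as '" + c.username + "', password length " + c.password.length));
        }
    }
}
```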