Add possibility to secure the preview by login

Preview should be possible to have a login, where only certain jcr session users are allowed to view the preview:

Also see the thread started by Jettro:

http://n2.nabble.com/Secure-the-preview-site-tc3864221.html#a3864221

Suggestions from Bart:

------------------------------------------------------------------------------------------------------------------------
An idea is to test if a user has a certain privilege on /content/documents.

Let's call this privilege "hippo:previewViewer".

What you would need to do is:

• create a security:domain "content-documents" which (only) contains
  the "/content/documents" node in /hippo:configuration/hippo:domains
• create a role "previewViewer" with the privilege
  "hippo:preveiwViewer" in /hippo:configuration/hippo:roles
• create a group "previewers" in /hippo:configuration/hippo:groups
  (with the CMS)
• create an authrole which assigns the role previewViewer to the group
  previewers in the domain "content-documents" (with the CMS)
  Now you can maintain all the users who are allowed to see the preview
  in the group previewers with the CMS

Of course the hst also needs support for a login and perform the
privileges check.

------------------------------------------------------------------------------------------------------------------------
You shouldn't use the user for the hst. If you could just stick with
BasicAuth. Then you can just do before you start rendering a page:
1. do login(creds).
2. check privileges op node
3. logout user
4. if 1 and 2 are successful continue rendering preview as normal
(with session pool etc) else show 403 error

------------------------------------------------------------------------------------------------------------------------

Yes this should be trivial and sufficient in most use cases. Something
like (not tested/copy/paste):

protected void doCheck(HttpServletRequest req, HttpServletResponse
res) throws ServletException, IOException {

req.setCharacterEncoding("UTF-8");
res.setContentType("text/html;charset=UTF-8");

String checkPath = "/content/documents";
String username = null;
String password = null;
String authhead = req.getHeader("Authorization");
if (authhead != null)

{ ByteArrayOutputStream out = new ByteArrayOutputStream(); Base64.decode(authhead.substring(6), out); String userpass = new String(out.toByteArray(), "UTF-8"); username = userpass.substring(0, userpass.indexOf(":")); password = userpass.substring(userpass.indexOf(":") + 1); }

else {
if (req.getAuthType() != HttpServletRequest.BASIC_AUTH)

{ res.setHeader("WWW-Authenticate", "Basic realm=\"Repository\""); res.sendError(HttpServletResponse.SC_UNAUTHORIZED, ""); return; }

}

HippoRepository repository;
Session session;
try {
HippoRepository repository =
HippoRepositoryFactory.getHippoRepository(repositoryLocation);
if (repository != null) {
try

{ session = repository.login(username, password.toCharArray()); session.checkPermission(checkPath, "hippo:previewViewer"); }

catch (LoginException ex)

{ res.setHeader("WWW-Authenticate", "Basic realm=\"Repository\""); res.sendError(HttpServletResponse.SC_UNAUTHORIZED, ""); return; }

catch (AccessControlException e)

{ res.sendError(HttpServletResponse.SC_FORBIDDEN ""); return; }

} else

{ res.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); log.error("FAILURE - Failed to obtain repository."); return; }

} catch (RepositoryException ex)

{ res.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); log.error(ex.getClass().getName() + ": " + ex.getMessage()); return; }

finally {
if (repository != null && session != null && session.isLive())

{ session.logout(); }

}
}