Configure the CMS Package Resources Whitelist
Introduction
Goal
Configure which package resources in the CMS web application are accessible by unauthenticated users.
Background
The Hippo CMS web application contains resources bundled in Java packages. Access to these package resources is managed as follows:
- To authenticated users, allow access to all resources.
- To unauthenticated users, allow access to whitelisted resources only and deny access to all other resources.
The main use case for whitelisting is the login page: any package resources used on the login page must be accessible by unauthenticated users. If an implementation project customizes the login page using custom resources, those resources must be added to the whitelist.
Whitelist Configuration
The package resources whitelist is configured in the content repository at the node /hippo:configuration/hippo:frontend/settings, in the multi-valued string property whitelisted.classes.for.package.resources.
The whitelist contains prefixes of fully qualified class names. A resource is accessible only if it is loaded relative to a class whose class name starts with one of the prefixes in the whitelist.
The default whitelist is as follows:
/hippo:configuration/hippo:frontend/settings - whitelisted.classes.for.package.resources = { "org.hippoecm.", "org.apache.wicket.", "org.onehippo.", "wicket.contrib." }
Note that all resources that are accessible to unauthenticated users under the default whitelist above are also publicly available as part of the Hippo CMS open source code at code.onehippo.org.
Add Custom Resources to the Whitelist
Implementation projects may require additional resources to be accessible to unauthenticated users, for example when customizing the login page.
Let's say a custom login plugin com.mycompany.CustomLoginPlugin loads a custom CSS resource. This CSS resource must be accessible by unauthenticated users in order to view the login page properly. To achieve this, add com.mycompany. or com.mycompany.CustomLoginPlugin (depending on how strict you want to be) to the package resources whitelist:
/hippo:configuration/hippo:frontend/settings - whitelisted.classes.for.package.resources = { "org.hippoecm.", "org.apache.wicket.", "org.onehippo.", "wicket.contrib.", "com.mycompany.CustomLoginPlugin" }
Modifications to the whitelist become effective after restarting the application.
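The prefix rule above, worked through as an added example (this is an illustration, not Hippo CMS code): a small Python model of the whitelist decision, using constructed class names, that compares the strict entry (com.mycompany.CustomLoginPlugin) with the broad one (com.mycompany.) from the login plugin example.

```python
# Illustration of the matching rule for
# whitelisted.classes.for.package.resources. Not Hippo CMS code.

DEFAULT_WHITELIST = (
    "org.hippoecm.",
    "org.apache.wicket.",
    "org.onehippo.",
    "wicket.contrib.",
)


def is_whitelisted(class_name, whitelist=DEFAULT_WHITELIST):
    """True if the fully qualified class name starts with any whitelist prefix."""
    return any(class_name.startswith(prefix) for prefix in whitelist)


def may_access(owner_class, authenticated, whitelist=DEFAULT_WHITELIST):
    """Access decision for a package resource loaded relative to owner_class:
    authenticated users get every resource, unauthenticated users only
    resources owned by a whitelisted class."""
    return authenticated or is_whitelisted(owner_class, whitelist)


def classes_exposed(candidate_classes, whitelist):
    """Constructed class names whose resources anonymous users would receive."""
    return sorted(c for c in candidate_classes if is_whitelisted(c, whitelist))


# Constructed class names for the comparison; only CustomLoginPlugin is
# meant to serve resources to the login page.
PROJECT_CLASSES = [
    "com.mycompany.CustomLoginPlugin",
    "com.mycompany.CustomLoginPluginHelper",
    "com.mycompany.reports.SalaryReportPanel",
]

STRICT = DEFAULT_WHITELIST + ("com.mycompany.CustomLoginPlugin",)
BROAD = DEFAULT_WHITELIST + ("com.mycompany.",)

if __name__ == "__main__":
    print("strict:", classes_exposed(PROJECT_CLASSES, STRICT))
    print("broad: ", classes_exposed(PROJECT_CLASSES, BROAD))
```

Because the check is a plain prefix match, the strict entry still covers any class whose name merely starts with com.mycompany.CustomLoginPlugin (here the constructed CustomLoginPluginHelper), while the broad entry exposes every class in the package, including the constructed SalaryReportPanel.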