Limit Access to Certain Pages and Documents to Certain User Groups
Introduction
Goal
Limit access to certain pages and documents to certain user groups by configuring authorization at sitemap level and at individual document level.
Background
Hippo's delivery tier supports authorization at mount and sitemap item levels, as well as at individual document level using security domains.
This page provides a worked out example of an implementation project with authorization at sitemap item level and at individual document level.
Example
This example is based on a standard implementation project created from the Maven archetype, with the Simple Content feature added.
The requirements this example implements are defined as follows:
- Users can be a customer or staff member.
- The 'Content' section of the website (part of the Simple Content feature) can only be accessed by customers and staff members.
- Individual Simple Content documents can have an optional access level 'customer', 'staff', or both.
- Documents with access level 'customer' can only be accessed by customers and staff members.
- Documents with access level 'staff' can only be accessed by staff members.
The approach to implement the requirements is:
- Use the Selections feature to define a list of access levels and make the access level selectable in a Simple Content document.
- Create roles and groups for customers and staff members.
- Configure separate security domains for documents with customer access level, staff access level, and no access level defined.
- Configure the Simple Content pages to require authentication and customer or staff authorization.
- Configure the delivery tier to use the session of the logged-in user for authorization at document level.
Prepare the Project
Create a project using Hippo's Maven archetype.
In Essentials, add the Simple Content feature to the project.
Rebuild and restart the project.
In the Console, select the node /hst:hst/hst:configurations/hst:default/hst:sitemap/login and change the property hst:scheme from https to http. This configures the login page in the website to use HTTP instead of HTTPS in your local development environment (don't do this in production environments!).
Add an Access Level Field to the Simple Content Document Type
You are going to use the Selections feature to define the different access levels in a value list and make the access level selectable in the Simple Content document type.
In the CMS, create a subfolder inside 'myhippoproject' called 'value lists'. Inside it, create a new Value List document called 'access levels'.
Enter the following values:
Key | Label |
---|---|
customer | Customer |
staff | Staff |
Save the value list document.
In Essentials, choose Tools, then Selections.
On the Document Types tab, add a new selection field to the Simple Content document type that enables authors to select the access level for a document:
- Select the 'contenttype' document type.
- Enter the name 'access level'.
- Select the selection type 'multiple'.
- Select presentation 'checkboxes'.
- Select the value list 'access levels'.
- Click 'Add new selection field'.
Create Customer and Staff Roles and Groups
You are going to define new customer and staff roles and user groups.
In the Console, select the node /hippo:configuration/hippo:roles and add two new child nodes of type hipposys:role called customer and staff:
/hippo:configuration/hippo:roles: /customer: jcr:primaryType: hipposys:role /staff: jcr:primaryType: hipposys:role
In the CMS, create two new user groups called 'customers' and 'staff'.
Create a user 'jane' and add her to the 'customers' group.
Create a user 'helen' and add her to the 'staff' group.
Configure Security Domains
You are going to define two new security domains, one that includes all documents with customer access level and one that includes all documents with staff access level. You are also going to exclude documents with customer or staff access level from the default live-documents domain.
In the Console, browse to /hippo:configuration/hippo:domains.
Select /hippo:configuration/hippo:domains/live-documents and copy it to /hippo:configuration/hippo:domains/customer-live-documents.
Within the customer-live-documents domain's hippo-document domain rule, create a new facet rule called access-level-customer:
/hippo:configuration/hippo:domains: /customer-live-documents: jcr:primaryType: hipposys:domain /hippo-document: jcr:primaryType: hipposys:domainrule /access-level-customer: jcr:primaryType: hipposys:facetrule hipposys:equals: true hipposys:facet: myhippoproject:accesslevel hipposys:filter: true hipposys:type: String hipposys:value: customer
This domain now selects all documents that have the access level field set to 'customer'.
Delete the node /hippo:configuration/hippo:domains/customer-live-documents/readonly. This resets permissions in this domain.
Select /hippo:configuration/hippo:domains/live-documents and copy it to /hippo:configuration/hippo:domains/staff-live-documents.
Within the staff-live-documents domain's hippo-document domain rule, create a new facet rule called access-level-staff:
/hippo:configuration/hippo:domains: /staff-live-documents: jcr:primaryType: hipposys:domain /hippo-document: jcr:primaryType: hipposys:domainrule /access-level-staff: jcr:primaryType: hipposys:facetrule hipposys:equals: true hipposys:facet: myhippoproject:accesslevel hipposys:filter: true hipposys:type: String hipposys:value: staff
This domain now selects all documents that have the access level field set to 'staff'.
Delete the node /hippo:configuration/hippo:domains/staff-live-documents/readonly. This resets permissions in this domain.
Select /hippo:configuration/hippo:domains/live-documents/hippo-document and add two new facet rules exclude-customer-docs and exclude-staff-docs:
/hippo:configuration/hippo:domains: /live-documents: jcr:primaryType: hipposys:domain /hippo-document: jcr:primaryType: hipposys:domainrule /exclude-customer-docs: jcr:primaryType: hipposys:facetrule hipposys:equals: false hipposys:facet: myhippoproject:accesslevel hipposys:filter: true hipposys:type: String hipposys:value: customer /exclude-staff-docs: jcr:primaryType: hipposys:facetrule hipposys:equals: false hipposys:facet: myhippoproject:accesslevel hipposys:filter: true hipposys:type: String hipposys:value: staff
This excludes documents with access level 'customer' or 'staff' from this domain, limiting access for 'normal' users to 'public' documents.
Assign Permissions
You will combine the roles, groups, and security domains you defined in the previous steps to assign permissions at content repository level.
In the CMS, assign the following permissions:
Domain | Group | Role |
---|---|---|
everywhere | customers | customer |
everywhere | staff | staff |
webfiles | customers | readonly |
webfiles | staff | readonly |
customer-live-documents | customers | readonly |
customer-live-documents | staff | readonly |
staff-live-documents | staff | readonly |
Protect the Content Sitemap Item
You are going to make authentication required for the Simple Content sitemap items and use the roles you defined to define the required authorization to view Simple Content pages.
In the Console, select /hst:hst/hst:configurations/myhippoproject/hst:sitemap/content.
Set the property hst:authenticated to true and add customer and staff to the hst:roles property:
/hst:hst/hst:configurations/myhippoproject/hst:sitemap/content: hst:authenticated: true hst:roles: [ customer, staff ]
This configures the delivery tier to require users to login when accessing the content sitemap item. Logged-in users who do not have the customer of staff role will get a 403 Forbidden response.
Protect Individual Documents
You are going to set access levels for individual Simple Content documents.
In the CMS, create some Simple Content documents inside the myhippoproject/content folder and set their access level to 'customer', 'staff', or both.
Save and publish the documents.
Configure Authorization using Logged-In User's Session
You are going to define the delivery tier to use the session of the logged-in user to perform authorization.
In the Console, select the node /hst:hst/hst:hosts/dev-localhost/localhost/hst:root and set the following two properties to true:
/hst:hst/hst:hosts/dev-localhost/localhost/hst:root: hst:sessionstateful: true hst:subjectbasedsession: true
This configures the delivery tier to perform authorization using the session of the logged-in user instead of the standard liveuser.
Verify Access
You are going to verify that your implementation satifies the requirements.
In the site, select 'Content' from the menu. You should be redirected to a login form.
Log in as 'jane' (the customer). You should have access to the 'Content' overview page and see all documents with 'customer' access level (or no access level set), but none of the documents with only 'staff' access level.
Log out using the URL http://localhost:8080/site/login/logout.
Log in as 'helen' (the staff member). You should have access to the 'Content' overview page and see all documents with 'customer' or 'staff' access level (or no access level set).