Configure the CMS Package Resources Allowlist
Introduction
Goal
Configure which package resources in the CMS web application are accessible by unauthenticated users.
Background
The Bloomreach Experience Manager web application contains resources bundled in Java packages. Access to these package resources is managed as follows:
- To authenticated users, allow access to all resources.
- To unauthenticated users, allow access to listed resources only and deny access to all other resources.
The main use case for listing allowed resources is the login page: any package resources used on the login page must be accessible by unauthenticated users. If an implementation project customizes the login page using custom resources, those resources must be added to the allowlist.
Allowlist Configuration
The package resources allowlist is configured in the content repository at the node /hippo:configuration/hippo:frontend/settings, in the multi-valued string property whitelisted.classes.for.package.resources.
The allowlist contains prefixes of fully qualified class names. A resource is accessible only if it is loaded relative to a class whose class name starts with one of the prefixes in the allowlist.
The default allowlist is as follows:
/hippo:configuration/hippo:frontend/settings - whitelisted.classes.for.package.resources = { "org.hippoecm.", "org.apache.wicket.", "org.onehippo.", "wicket.contrib." }
Note that all resources that are accessible to unauthenticated users when using the above default allowlist are also publicly available as part of Bloomreach Experience Manager open source, available through code.onehippo.org.
Add Custom Resources to the Allowlist
Implementation projects may require additional resources to be accessible to unauthenticated users. For example, when customizing the login page.
Let's say a custom login plugin com.mycompany.CustomLoginPlugin loads a custom CSS resource. This CSS resource must be accessible by unauthenticated users in order to view the login page properly. To achieve this, add com.mycompany. or com.mycompany.CustomLoginPlugin (depending on how strict you want to be) to the package resources allowlist:
/hippo:configuration/hippo:frontend/settings - whitelisted.classes.for.package.resources = { "org.hippoecm.", "org.apache.wicket.", "org.onehippo.", "wicket.contrib.", "com.mycompany.CustomLoginPlugin" }
Modifications to the allowlist become effective after restarting the application.