Limit Access to Certain Pages and Documents to Certain User Groups - BloomReach Experience - Open Source CMS

This article covers a Hippo CMS version 12. There's an updated version available that covers our most recent release.

09-01-2018

Limit Access to Certain Pages and Documents to Certain User Groups

Introduction

Goal

Limit access to certain pages and documents to certain user groups by configuring authorization at sitemap level and at individual document level.

Background

Hippo's delivery tier supports authorization at mount and sitemap item levels, as well as at individual document level using security domains.

This page provides a worked out example of an implementation project with authorization at sitemap item level and at individual document level.

Example

This example is based on a standard implementation project created from the Maven archetype, with the Simple Content feature added.

The requirements this example implements are defined as follows:

  • Users can be a customer or staff member.
  • The 'Content' section of the website (part of the Simple Content feature) can only be accessed by customers and staff members.
  • Individual Simple Content documents can have an optional access level 'customer', 'staff', or both.
  • Documents with access level 'customer' can only be accessed by customers and staff members.
  • Documents with access level 'staff' can only be accessed by staff members.

The approach to implement the requirements is:

  • Use the Selections feature to define a list of access levels and make the access level selectable in a Simple Content document.
  • Create roles and groups for customers and staff members.
  • Configure separate security domains for documents with customer access level, staff access level, and no access level defined.
  • Configure the Simple Content pages to require authentication and customer or staff authorization.
  • Configure the delivery tier to use the session of the logged-in user for authorization at document level.

Prepare the Project

Create a project using Hippo's Maven archetype.

Build and run the project.

In Essentials, add the Simple Content feature to the project.

Rebuild and restart the project.

In the Console, select the node /hst:hst/hst:configurations/hst:default/hst:sitemap/login and change the property hst:scheme from https to http. This configures the login page in the website to use HTTP instead of HTTPS in your local development environment (don't do this in production environments!).

Add an Access Level Field to the Simple Content Document Type

You are going to use the Selections feature to define the different access levels in a value list and make the access level selectable in the Simple Content document type.

In the CMS, create a subfolder inside 'myhippoproject' called 'value lists'. Inside it, create a new Value List document called 'access levels'.

Enter the following values:

Key Label
customer Customer
staff Staff

Save the value list document.

In Essentials, choose Tools, then Selections.

On the Document Types tab, add a new selection field to the Simple Content document type that enables authors to select the access level for a document:

  • Select the 'contenttype' document type.
  • Enter the name 'access level'.
  • Select the selection type 'multiple'.
  • Select presentation 'checkboxes'.
  • Select the value list 'access levels'.
  • Click 'Add new selection field'.

Create Customer and Staff Roles and Groups

You are going to define new customer and staff roles and user groups.

In the Console, select the node /hippo:configuration/hippo:roles and add two new child nodes of type hipposys:role called customer and staff:

/hippo:configuration/hippo:roles:
  /customer:
    jcr:primaryType: hipposys:role
  /staff:
    jcr:primaryType: hipposys:role

In the CMS, create two new user groups called 'customers' and 'staff'.

Create a user 'jane' and add her to the 'customers' group.

Create a user 'helen' and add her to the 'staff' group.

Configure Security Domains

You are going to define two new security domains, one that includes all documents with customer access level and one that includes all documents with staff access level. You are also going to exclude documents with customer or staff access level from the default live-documents domain.

In the Console, browse to /hippo:configuration/hippo:domains.

Select /hippo:configuration/hippo:domains/live-documents and copy it to /hippo:configuration/hippo:domains/customer-live-documents.

Within the customer-live-documents domain's hippo-document domain rule, create a new facet rule called access-level-customer:

/hippo:configuration/hippo:domains:
  /customer-live-documents:
    jcr:primaryType: hipposys:domain
    /hippo-document:
      jcr:primaryType: hipposys:domainrule
      /access-level-customer:
        jcr:primaryType: hipposys:facetrule
        hipposys:equals: true
        hipposys:facet: myhippoproject:accesslevel
        hipposys:filter: true
        hipposys:type: String
        hipposys:value: customer

This domain now selects all documents that have the access level field set to 'customer'.

Delete the node /hippo:configuration/hippo:domains/customer-live-documents/readonly. This resets permissions in this domain.

Select /hippo:configuration/hippo:domains/live-documents and copy it to /hippo:configuration/hippo:domains/staff-live-documents.

Within the staff-live-documents domain's hippo-document domain rule, create a new facet rule called access-level-staff:

/hippo:configuration/hippo:domains:
  /staff-live-documents:
    jcr:primaryType: hipposys:domain
    /hippo-document:
      jcr:primaryType: hipposys:domainrule
      /access-level-staff:
        jcr:primaryType: hipposys:facetrule
        hipposys:equals: true
        hipposys:facet: myhippoproject:accesslevel
        hipposys:filter: true
        hipposys:type: String
        hipposys:value: staff

This domain now selects all documents that have the access level field set to 'staff'.

Delete the node /hippo:configuration/hippo:domains/staff-live-documents/readonly. This resets permissions in this domain.

Select /hippo:configuration/hippo:domains/live-documents/hippo-document and add two new facet rules exclude-customer-docs and exclude-staff-docs:

/hippo:configuration/hippo:domains:
  /live-documents:
    jcr:primaryType: hipposys:domain
    /hippo-document:
      jcr:primaryType: hipposys:domainrule
      /exclude-customer-docs:
        jcr:primaryType: hipposys:facetrule
        hipposys:equals: false
        hipposys:facet: myhippoproject:accesslevel
        hipposys:filter: true
        hipposys:type: String
        hipposys:value: customer
      /exclude-staff-docs:
        jcr:primaryType: hipposys:facetrule
        hipposys:equals: false
        hipposys:facet: myhippoproject:accesslevel
        hipposys:filter: true
        hipposys:type: String
        hipposys:value: staff

This excludes documents with access level 'customer' or 'staff' from this domain, limiting access for 'normal' users to 'public' documents.

Assign Permissions

You will combine the roles, groups, and security domains you defined in the previous steps to assign permissions at content repository level.

In the CMS, assign the following permissions:

Domain Group Role
everywhere customers customer
everywhere staff staff
webfiles customers readonly
webfiles staff readonly
customer-live-documents customers readonly
customer-live-documents staff readonly
staff-live-documents staff readonly

Protect the Content Sitemap Item

You are going to make authentication required for the Simple Content sitemap items and use the roles you defined to define the required authorization to view Simple Content pages.

In the Console, select /hst:hst/hst:configurations/myhippoproject/hst:sitemap/content.

Set the property hst:authenticated to true and add customer and staff to the hst:roles property:

/hst:hst/hst:configurations/myhippoproject/hst:sitemap/content:
  hst:authenticated: true
  hst:roles: [ customer, staff ]

This configures the delivery tier to require users to login when accessing the content sitemap item. Logged-in users who do not have the customer of staff role will get a 403 Forbidden response.

Protect Individual Documents

You are going to set access levels for individual Simple Content documents.

In the CMS, create some Simple Content documents inside the myhippoproject/content folder and set their access level to 'customer', 'staff', or both.

Save and publish the documents.

Configure Authorization using Logged-In User's Session

You are going to define the delivery tier to use the session of the logged-in user to perform authorization.

In the Console, select the node /hst:hst/hst:hosts/dev-localhost/localhost/hst:root and set the following two properties to true:

/hst:hst/hst:hosts/dev-localhost/localhost/hst:root:
  hst:sessionstateful: true
  hst:subjectbasedsession: true

This configures the delivery tier to perform authorization using the session of the logged-in user instead of the standard liveuser.

Verify Access

You are going to verify that your implementation satifies the requirements.

In the site, select 'Content' from the menu. You should be redirected to a login form.

Log in as 'jane' (the customer). You should have access to the 'Content' overview page and see all documents with 'customer' access level (or no access level set), but none of the documents with only 'staff' access level.

Log out using the URL http://localhost:8080/site/login/logout.

Log in as 'helen' (the staff member). You should have access to the 'Content' overview page and see all documents with 'customer' or 'staff' access level (or no access level set).

Did you find this page helpful?
How could this documentation serve you better?
On this page
    Did you find this page helpful?
    How could this documentation serve you better?