Configure the CMS Package Resources Allowlist - Bloomreach Experience - Open Source CMS
30-09-2020

Configure the CMS Package Resources Allowlist

This feature is available since Hippo CMS 11.1.2.

Introduction

Goal

Configure which package resources in the CMS web application are accessible by unauthenticated users.

Background

The Bloomreach Experience Manager web application contains resources bundled in Java packages. Access to these package resources is managed as follows:

  • To authenticated users, allow access to all resources.
  • To unauthenticated users, allow access to listed resources only and deny access to all other resources.

The main use case for listing allowed resources is the login page: any package resources used on the login page must be accessible by unauthenticated users. If an implementation project customizes the login page using custom resources, those resources must be added to the allowlist.

Allowlist Configuration

The package resources allowlist is configured in the content repository at the node /hippo:configuration/hippo:frontend/settings, in the multi-valued string property whitelisted.classes.for.package.resources.

The allowlist contains prefixes of fully qualified class names. A resource is accessible only if it is loaded relative to a class whose class name starts with one of the prefixes in the allowlist.

The default allowlist is as follows:

/hippo:configuration/hippo:frontend/settings
  - whitelisted.classes.for.package.resources = { "org.hippoecm.",
                                                  "org.apache.wicket.",
                                                  "org.onehippo.",
                                                  "wicket.contrib." }

Note that all resources that are accessible to unauthenticated users under the above default allowlist are also publicly available as part of the Bloomreach Experience Manager open source code on code.onehippo.org, so the default exposes nothing that is not already public.

Add Custom Resources to the Allowlist

Implementation projects may require additional resources to be accessible to unauthenticated users, for example when customizing the login page.

Let's say a custom login plugin com.mycompany.CustomLoginPlugin loads a custom CSS resource. This CSS resource must be accessible by unauthenticated users in order to view the login page properly. To achieve this, add com.mycompany. or com.mycompany.CustomLoginPlugin (depending on how strict you want to be) to the package resources allowlist:

/hippo:configuration/hippo:frontend/settings
  - whitelisted.classes.for.package.resources = { "org.hippoecm.",
                                                  "org.apache.wicket.",
                                                  "org.onehippo.",
                                                  "wicket.contrib.",
                                                  "com.mycompany.CustomLoginPlugin" }

Modifications to the allowlist become effective after restarting the application.
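The following is an added example, not Bloomreach or Hippo CMS code: it models the prefix rule described above (authenticated users get everything, unauthenticated users only resources scoped to a class whose fully qualified name starts with an allowlisted prefix) so you can check, before restarting, what a new entry would expose. The class names other than com.mycompany.CustomLoginPlugin are constructed for illustration.

```python
# Added example modelling the package resources allowlist semantics.
# Not the CMS implementation; class names below are constructed.

DEFAULT_ALLOWLIST = (
    "org.hippoecm.",
    "org.apache.wicket.",
    "org.onehippo.",
    "wicket.contrib.",
)


def is_package_resource_allowed(scope_class, authenticated, allowlist=DEFAULT_ALLOWLIST):
    """Return True if a package resource loaded relative to `scope_class`
    (a fully qualified class name) may be served to this user.

    Authenticated users may access every package resource; unauthenticated
    users only resources whose scope class starts with an allowlisted prefix.
    """
    if authenticated:
        return True
    return any(scope_class.startswith(prefix) for prefix in allowlist)


def allowlist_with(*extra, base=DEFAULT_ALLOWLIST):
    """Return a new allowlist with the given prefixes appended to `base`."""
    return tuple(base) + tuple(extra)


def matched_prefixes(scope_class, allowlist):
    """List the prefixes that grant anonymous access; handy when auditing
    why a resource is reachable without logging in."""
    return [p for p in allowlist if scope_class.startswith(p)]


if __name__ == "__main__":
    custom = "com.mycompany.CustomLoginPlugin"
    # Default allowlist: the custom login CSS is denied to anonymous users.
    print(is_package_resource_allowed(custom, authenticated=False))  # False
    # Strict entry: the plugin class itself is now reachable anonymously.
    strict = allowlist_with("com.mycompany.CustomLoginPlugin")
    print(is_package_resource_allowed(custom, False, strict))  # True
    # Plain prefix match: a class with a longer name sharing the prefix also matches,
    # so the trailing dot is what confines an entry to a package.
    print(is_package_resource_allowed("com.mycompany.CustomLoginPluginHelper", False, strict))  # True
    # Broad entry: every class under com.mycompany. becomes reachable anonymously.
    broad = allowlist_with("com.mycompany.")
    print(matched_prefixes("com.mycompany.internal.AdminPanel", broad))  # ['com.mycompany.']
```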
