Delivery Tier Authorization Configuration

Introduction

Goal

Configure authorization in Bloomreach Experience Manager's delivery tier.

Note

Below hierarchical checking of authorization has been fixed in 14.0.1 so if you are on 14.0.0 the behavior is a bit different when configuring constraints on Sitemap Items and the Mount. However in practice, this is already a very rare use case

Background

Bloomreach Experience Manager's delivery tier supports authorization at mount and sitemap item levels out-of-the-box. This page describes how to configure authorization at mounts and sitemap item levels.

This authorization ties in into the configuration options for the RepositoryAuthenticationProvider, to see the authorization described here  and RepositoryAuthenticationProvider configuration come together, see the examples at Authentication and Authorisation Walkthroughs.

Authorization Configuration

Web Application Level Authorization

You can secure a Mount and/or Sitemap item (URL) by setting the hst:authenticated boolean property to true : this means a user has to be authenticated before allowed access to the Mount and/or Sitemap item. A URL is only accessible if and only if the the Sitemap Item for the URL is allowed access for the visitor, as well as every ancestor Sitemap Item and the Mount. Every ancestor Sitemap Item and Mount are checked independantly for access. 

Besides setting a Mount or Sitemap Item to require authentication, it is also possible to specify the authorized roles and which specific users are allowed. This is done in the multi-valued string properties hst:roles or hst:users on the Mount or Sitemap item.

For example, if you set the following properties on a mount:

hst:authenticated: true
hst:roles: [staff]

then, the Mount will be accessible only to authenticated users in role staff. If an unauthenticated user accesses this resource, the response is an HTTP Not Authenticated (401) error and the user is redirected to the login form. If the user is authenticated but is not in role staff, then the response will be an HTTP Forbidden error (403).

Instead of protecting the entire mount, it is also possible to protect single or multiple sitemap items, for example by setting 

+ hst:sitemap
  + blog
     - hst:authenticated: true
     - hst:roles: [staff]
     + _any_.html
     + _any_

Then only authenticated users in role staff can access the /blog and descendant URLs. 

Note that even when you have configured the hst:mount to be authenticated, you do need to repeat hst:authenticated again on the Sitemap Item level again if you want to protect the Sitemap Item with extra constraints.

Hierarchical Authorization Check

Assume the following setup: On a Mount you have configured:

hst:authenticated: true
hst:roles: [staff]

And a piece of you Sitemap is as follows:

+ hst:sitemap
  + blog
     - hst:authenticated: true
     - hst:roles: [uberstaff]
     + _any_.html
       - hst:authenticated: true
       - hst:roles: [superstaff]
     + _any_

The above setup means that 

  1. All authenticated users in role staff can access the Mount
  2. All authenticated users in role staff and uberstaff can access /blog and /blog/2019, etc
  3. All authenticated users in role staff, uberstaff and superstaff can access /blog, /blog/2019 and /blog/2019/myblog.html, etc

Multiple Roles

If on the Mount you for example configured

hst:authenticated: true
hst:roles: [staff, customer]

then an authenticated user in role staff or customer is granted access: HST Container checks the user's roles by the Servlet / JAAS standard APIs such as HttpServletRequest#isUserInRole(roleName), and only a single role has to match. 

Users or Roles

Instead of roles, you can also assign explicit users on an authenticated Sitemap Item or Mount. For example 

hst:authenticated: true
hst:users: [john, dick]

With the example configuration above, HST Container checks if the user's principal name is included in the hst:users property values. HST Container will retrieve the user's principal name using HttpServletRequest#getUserPrincipal().getName().

Finally, if both hst:roles and hst:users are present, then HST Container will look up both property values in order to see if the user can access the resource. If the user has any matching role or the user's principal name is included, then the user will be authorized. Thus for example the following configuration

hst:authenticated: true
hst:roles: [ staff, customer ]
hst:users: [ user1, user2 ]

then user1 and user2 are authorized even if they are not in role staff or customer, and for example user3 which is in role staff is also allowed.

Repository Level Authorization Integration

HST also provides repository-level authorization integration, meaning the JCR session used during the request will be tightly integrated with the authenticated user's subject.

To use this option, set the following boolean property for a mount:

hst:subjectbasedsession: true

With the configuration above, the JCR session during the request processing is created with the JCR credentials of the authenticated user's subject per each request. In this case, the JCR session is not borrowed from the internal JCR session pool. This allows authorization in the delivery tier at content level using security domains.

Optionally, the JCR session with this option can be stored in the HTTP session and reused in the following requests for more efficiency. To use this session stateful JCR session usage option, configure the following boolean property for a mount:

hst:sessionstateful: true

Note that this option should be used in limited environments, such as applications with limited users, because it can increase memory size at runtime when used without caution!

Repository-level authorization integration is only supported when using form-based authentication with org.hippoecm.hst.security.servlet.LoginServlet.
It is not supported with Basic authentication or any other method (including form-based authentication if not using the LoginServlet).
Did you find this page helpful?
How could this documentation serve you better?
On this page
    Did you find this page helpful?
    How could this documentation serve you better?