Add a preview channel and limit access

Introduction

Goal

Limit access to the preview channel outside the CMS to certain user groups by configuring authorization at mount level.

Background

Bloomreach Experience Manager's delivery tier supports authorization at mount level. Also the preview which is normally exposed in the Channel Manager can be exposed outside the CMS with an explicit mount configuration. 

Example

Prepare the Project

Create a project using the Bloomreach Experience Manager Maven archetype.

Build and run the project.

In Essentials, add the News feature to the project.

Rebuild and restart the project.

In the Console, select the node /hst:myproject/hst:configurations/hst:default/hst:sitemap/login and change the property hst:scheme from https to http. This configures the login page in the website to use HTTP instead of HTTPS in your local development environment (don't do this in production environments!).

The archetype create project has bootstrap configuration for a single channel (mount), something like below:

+ hst:myproject
  + hst:hosts
    + dev-localhost
      + hst:root

The live channel can be accessed when running the application over http://localhost:8080/site. Exposing the preview channel + content outside the CMS is simple and can be achieved by adding a mount with hst:type = preview, for example:

+ hst:myproject
  + hst:hosts
    + dev-localhost
      + hst:root
        + mypreview
          - hst:type = preview 

Now when accessing http://localhost:8080/site/mypreview, the preview of the channel will be rendered, aka the preview hst channel configuration and the unpublished documents. 

Protect the preview

Protecting the preview is trivial:

+ hst:myproject
  + hst:hosts
    + dev-localhost
      + hst:root
        + mypreview
          - hst:type = preview 
          - hst:authenticated = true

Now the preview is configured to be not accessible without authentication and will redirect to a login screen. However, since we did not add any hst:roles or hst:users (see Delivery Tier Authorization Configuration) that are allowed to view the preview after authentication, anyone that can login will still get a 403 unauthorized.

Allowing certain users access

Allowing a set of users access is trivial as well, just configure the users that have access, for example

+ mypreview
   - hst:type = preview 
   - hst:authenticated = true
   - hst:users = [admin, john]

Allowing certain roles to have access

Using roles scales better than granting individual users access to the preview. Assume we only want to allow users in role staff access to the preview. The preview configuration then becomes

+ mypreview
   - hst:type = preview 
   - hst:authenticated = true
   - hst:roles = [staff]

Next to the above configuration you want to make sure that the users that should be able to see the preview are in role staff. This can be achieved as follows, which requires some configuration also documentated at AuthenticationProvider Configuration

Below /hippo:configuration/hippo:userroles add

/site.staff:
  jcr:primaryType: hipposys:userrole
  hipposys:system: true

It is correct that the userrole is called in this example site.staff and not just staff, see configuration below.

In your project site webapp hst-config.properties add:

security.authentication.included.userrole.prefix = site.
security.authentication.strip.included.userrole.prefix = true

The above will make sure that userroles configured in the repository for an authenticated (JCR) user

  1. are only included when they start with site.
  2. get the site. prefix removed

If you now make sure that the users / groups that need to be able to see http://localhost:8080/site/mypreview get the userrole

site.staff

added to the  hipposys:userroles, then these users will be able to access the mypreview mount.

Did you find this page helpful?
How could this documentation serve you better?
On this page
    Did you find this page helpful?
    How could this documentation serve you better?