Add a preview channel and limit access
Introduction
Goal
Limit access to the preview channel outside the CMS to certain user groups by configuring authorization at mount level.
Background
Bloomreach Experience Manager's delivery tier supports authorization at mount level. The preview, which is normally only exposed inside the Channel Manager, can also be exposed outside the CMS with an explicit mount configuration.
Example
Prepare the Project
Create a project using the Bloomreach Experience Manager Maven archetype.
In Essentials, add the News feature to the project.
Rebuild and restart the project.
In the Console, select the node /hst:myproject/hst:configurations/hst:default/hst:sitemap/login and change the property hst:scheme from https to http. This configures the login page in the website to use HTTP instead of HTTPS in your local development environment (don't do this in production environments!).
The project created by the archetype has bootstrap configuration for a single channel (mount), similar to the following:

    + hst:myproject
      + hst:hosts
        + dev-localhost
          + hst:root
When the application is running, the live channel can be accessed at http://localhost:8080/site. Exposing the preview channel and its content outside the CMS only requires adding a mount with hst:type = preview, for example:

    + hst:myproject
      + hst:hosts
        + dev-localhost
          + hst:root
            + mypreview
              - hst:type = preview
Now when you access http://localhost:8080/site/mypreview, the preview of the channel is rendered: the preview HST channel configuration together with the unpublished documents.
Protect the preview
Protecting the preview is trivial:

    + hst:myproject
      + hst:hosts
        + dev-localhost
          + hst:root
            + mypreview
              - hst:type = preview
              - hst:authenticated = true
The preview is now no longer accessible without authentication, and unauthenticated requests are redirected to a login screen. However, since no hst:roles or hst:users (see Delivery Tier Authorization Configuration) have been configured that are allowed to view the preview after authentication, any user that can log in will still receive a 403 response.
Allowing certain users access
Allowing a set of users access is just as simple: configure the users that have access, for example:

    + mypreview
      - hst:type = preview
      - hst:authenticated = true
      - hst:users = [admin, john]
Allowing certain roles to have access
Using roles scales better than granting individual users access to the preview. Assume we only want to allow users in role staff access to the preview. The preview configuration then becomes:

    + mypreview
      - hst:type = preview
      - hst:authenticated = true
      - hst:roles = [staff]
In addition to the above configuration, make sure that the users who should be able to see the preview are in role staff. This can be achieved with the configuration below, which is also documented at AuthenticationProvider Configuration.

Below /hippo:configuration/hippo:userroles add:

    /site.staff:
      jcr:primaryType: hipposys:userrole
      hipposys:system: true
Note that in this example the userrole is deliberately called site.staff and not just staff; the reason is the configuration below.

In your project's site webapp hst-config.properties add:

    security.authentication.included.userrole.prefix = site.
    security.authentication.strip.included.userrole.prefix = true
The above ensures that the userroles configured in the repository for an authenticated (JCR) user:
- are only included when they start with site.
- have the site. prefix removed
If you now make sure that the users / groups that need to be able to see http://localhost:8080/site/mypreview get the userrole site.staff added to their hipposys:userroles, then these users will be able to access the mypreview mount.
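The following is an added example, not Bloomreach or HST code: a small Python model of the authorization rules described on this page, covering both the mount-level settings (hst:authenticated, hst:users, hst:roles, including the "authenticated but nobody allowed, so 403" situation) and the userrole prefix filtering from hst-config.properties. The Mount and User classes, the helper names, the sample users (admin, john, mary) and their userrole names are all constructed for the example; the goal is to check, offline, which configuration step lets which user through.

```python
# Added example (not Bloomreach/HST code): a model of the mount authorization
# rules this page describes, so each configuration step can be checked offline.
from dataclasses import dataclass


@dataclass(frozen=True)
class Mount:
    """Mount configuration, mirroring the hst:* properties on the page."""
    name: str
    authenticated: bool = False              # hst:authenticated
    users: frozenset = frozenset()           # hst:users
    roles: frozenset = frozenset()           # hst:roles


@dataclass(frozen=True)
class User:
    """Repository user with the hipposys:userroles assigned to it."""
    name: str
    userroles: frozenset = frozenset()


def effective_roles(userroles, included_prefix="site.", strip_prefix=True):
    """Apply the two hst-config.properties settings from the page:
    security.authentication.included.userrole.prefix        -> included_prefix
    security.authentication.strip.included.userrole.prefix  -> strip_prefix
    Only userroles starting with the prefix are included, and the prefix
    is removed when strip_prefix is true."""
    roles = set()
    for role in userroles:
        if not role.startswith(included_prefix):
            continue   # a bare 'staff' or an unrelated CMS userrole is ignored
        roles.add(role[len(included_prefix):] if strip_prefix else role)
    return frozenset(roles)


def authorize(mount, user, included_prefix="site.", strip_prefix=True):
    """Decide a request to `mount` by `user` (None = anonymous).
    Returns an HTTP-style status: 200 allowed, 302 redirected to login,
    403 authenticated but not permitted."""
    if not mount.authenticated:
        return 200                      # live site, or a preview left open
    if user is None:
        return 302                      # hst:authenticated = true: log in first
    if not mount.users and not mount.roles:
        return 403                      # nobody is allowed after login
    if user.name in mount.users:
        return 200                      # listed in hst:users
    if effective_roles(user.userroles, included_prefix, strip_prefix) & mount.roles:
        return 200                      # holds a role listed in hst:roles
    return 403


# Constructed sample users; the role names are made up for this example.
ADMIN = User("admin", frozenset({"site.staff", "cms.editor"}))   # has site.staff
JOHN = User("john")                                               # no userroles
MARY = User("mary", frozenset({"staff"}))                         # missing the site. prefix

# The mount at each configuration step described on the page.
LIVE = Mount("hst:root")
PREVIEW_OPEN = Mount("mypreview")
PREVIEW_AUTH_ONLY = Mount("mypreview", authenticated=True)
PREVIEW_USERS = Mount("mypreview", authenticated=True, users=frozenset({"admin", "john"}))
PREVIEW_ROLES = Mount("mypreview", authenticated=True, roles=frozenset({"staff"}))


def run_scenarios():
    """Return {(configuration step, user name): status} for every combination."""
    results = {}
    steps = [("open", PREVIEW_OPEN), ("auth-only", PREVIEW_AUTH_ONLY),
             ("users", PREVIEW_USERS), ("roles", PREVIEW_ROLES)]
    for step, mount in steps:
        for user in (None, ADMIN, JOHN, MARY):
            who = user.name if user else "anonymous"
            results[(step, who)] = authorize(mount, user)
    return results


if __name__ == "__main__":
    for (step, who), status in sorted(run_scenarios().items()):
        print(f"{step:>9} mount, {who:>9}: {status}")
```

Two outcomes are worth noticing: mary, who has the userrole staff without the site. prefix, is rejected at the roles step because the prefix filter drops that role before it is compared with hst:roles, and if security.authentication.strip.included.userrole.prefix is left at false, even admin's site.staff no longer matches hst:roles = [staff] and the result is again a 403.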