Configure the CMS Package Resources Allowlist
Introduction
Goal
Configure which package resources in the CMS web application are accessible by unauthenticated users.
Background
The Bloomreach Experience Manager web application contains resources bundled in Java packages. Access to these package resources is managed as follows:
- To authenticated users, allow access to all resources.
- To unauthenticated users, allow access to listed resources only and deny access to all other resources.
The main use case for listing allowed resources is the login page: any package resources used on the login page must be accessible by unauthenticated users. If an implementation project customizes the login page using custom resources, those resources must be added to the allowlist.
Allowlist Configuration
The package resources allowlist is configured in the content repository at the node /hippo:configuration/hippo:frontend/settings, in the multi-valued string property named allowlisted.classes.for.package.resources in v15.x and whitelisted.classes.for.package.resources in v14.x.
The allowlist contains prefixes of fully qualified class names. A resource is accessible only if it is loaded relative to a class whose class name starts with one of the prefixes in the allowlist.
The default allowlist is as follows:
In Bloomreach Experience Manager v15.x:
/hippo:configuration/hippo:frontend/settings - allowlisted.classes.for.package.resources = { "org.hippoecm.", "org.apache.wicket.", "org.onehippo.", "wicket.contrib." }
In Bloomreach Experience Manager v14.x:
/hippo:configuration/hippo:frontend/settings - whitelisted.classes.for.package.resources = { "org.hippoecm.", "org.apache.wicket.", "org.onehippo.", "wicket.contrib." }
Note that every resource the default allowlist above exposes to unauthenticated users is already public as part of the Bloomreach Experience Manager open source code, available at https://github.com/bloomreach/brxm.
Add Custom Resources to the Allowlist
Implementation projects may require additional resources to be accessible to unauthenticated users, for example when customizing the login page.
Let's say a custom login plugin com.mycompany.CustomLoginPlugin loads a custom CSS resource. This CSS resource must be accessible by unauthenticated users in order to view the login page properly. To achieve this, add com.mycompany. or com.mycompany.CustomLoginPlugin (depending on how strict you want to be) to the package resources allowlist:
/hippo:configuration/hippo:frontend/settings - allowlisted.classes.for.package.resources = { "org.hippoecm.", "org.apache.wicket.", "org.onehippo.", "wicket.contrib.", "com.mycompany.CustomLoginPlugin" }
(In Bloomreach Experience Manager v14.x, replace allowlisted.classes.for.package.resources with whitelisted.classes.for.package.resources.)
Modifications to the allowlist become effective after restarting the application.
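As an added illustration, not Bloomreach's own code, the following Java class models the access rule stated on this page: authenticated users may load any package resource, while unauthenticated users may load only resources loaded relative to a class whose fully qualified name starts with an allowlisted prefix. It uses the default allowlist from this page together with the two custom entries from the login-plugin example. The scope class names com.mycompany.internal.AdminPanel, com.mycompany.CustomLoginPluginDebug, com.mycompanyx.Other and org.hippoecm.frontend.ExampleScope are constructed for the demonstration, and the match is a plain startsWith, which is this page's description of the rule rather than a reading of the product's source.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Illustrative model of the package resource access rule described on this page.
 * Not Bloomreach's implementation: it only reproduces the documented decision.
 */
public class PackageResourceAllowlist {

    /** Default allowlist as configured in v15.x (allowlisted.classes.for.package.resources). */
    static final List<String> DEFAULT_ALLOWLIST = Arrays.asList(
            "org.hippoecm.", "org.apache.wicket.", "org.onehippo.", "wicket.contrib.");

    private final List<String> prefixes;

    PackageResourceAllowlist(List<String> prefixes) {
        this.prefixes = new ArrayList<>(prefixes);
    }

    /** Copy of the default allowlist with one extra entry, as an implementation project would add. */
    static PackageResourceAllowlist defaultPlus(String entry) {
        List<String> extended = new ArrayList<>(DEFAULT_ALLOWLIST);
        extended.add(entry);
        return new PackageResourceAllowlist(extended);
    }

    /** True if the scope class name starts with any allowlisted prefix (entries are prefixes, not exact names). */
    boolean matchesAllowlist(String scopeClassName) {
        for (String prefix : prefixes) {
            if (scopeClassName.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Access decision for a package resource loaded relative to scopeClassName:
     * authenticated users are always allowed; unauthenticated users only on an allowlist match.
     */
    boolean isAccessible(String scopeClassName, boolean authenticated) {
        return authenticated || matchesAllowlist(scopeClassName);
    }

    private static void report(String label, PackageResourceAllowlist allowlist, String scopeClassName) {
        System.out.printf("%-34s unauthenticated %-40s -> %s%n",
                label, scopeClassName, allowlist.isAccessible(scopeClassName, false) ? "allow" : "deny");
    }

    public static void main(String[] args) {
        // Constructed scope class names for the demonstration; only CustomLoginPlugin comes from the page.
        String loginPlugin = "com.mycompany.CustomLoginPlugin";
        String adminPanel = "com.mycompany.internal.AdminPanel";
        String lookalike = "com.mycompany.CustomLoginPluginDebug";
        String otherVendor = "com.mycompanyx.Other";
        String productClass = "org.hippoecm.frontend.ExampleScope";

        PackageResourceAllowlist defaults = new PackageResourceAllowlist(DEFAULT_ALLOWLIST);
        PackageResourceAllowlist strict = defaultPlus("com.mycompany.CustomLoginPlugin");
        PackageResourceAllowlist broad = defaultPlus("com.mycompany.");

        // Authenticated users bypass the allowlist entirely.
        System.out.println("authenticated " + adminPanel + " -> "
                + (defaults.isAccessible(adminPanel, true) ? "allow" : "deny"));

        report("default allowlist", defaults, productClass);
        report("default allowlist", defaults, loginPlugin);
        report("+com.mycompany.CustomLoginPlugin", strict, loginPlugin);
        report("+com.mycompany.CustomLoginPlugin", strict, adminPanel);
        report("+com.mycompany.CustomLoginPlugin", strict, lookalike);
        report("+com.mycompany.", broad, adminPanel);
        report("+com.mycompany.", broad, otherVendor);
    }
}
```

Compile and run with javac PackageResourceAllowlist.java && java PackageResourceAllowlist. The output shows the login plugin's resources denied under the default allowlist and allowed once either custom entry is added; it also shows two consequences of the entries being prefixes rather than exact names: the class-name entry com.mycompany.CustomLoginPlugin also admits com.mycompany.CustomLoginPluginDebug, and the trailing dot in com.mycompany. is what keeps com.mycompanyx.Other out while admitting every class under the com.mycompany package. When extending the allowlist, use the narrowest prefix that still covers the resources the login page needs, and remember that a package prefix exposes the resources of every class in that package and its subpackages to unauthenticated users.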