Security Management Configuration
Introduction
The Bloomreach Experience Manager (brXM) security management itself is configurable with a few global settings and supports integration with external security providers such as LDAP.
Configuration location
The security management configuration is stored on and below the following path and node of type hipposys:securityfolder:
/hippo:configuration/hippo:security
hipposys:securityfolder node type definition
[hipposys:securityfolder] > nt:base
  - hipposys:userspath (string)           // obsolete, no longer used
  - hipposys:groupspath (string)          // obsolete, no longer used
  - hipposys:rolespath (string)           // obsolete, no longer used
  - hipposys:domainspath (string)         // obsolete, no longer used
  - hipposys:passwordmaxagedays (double)  // obsolete, use the property with type long instead
  - hipposys:passwordmaxagedays (long)
  + hipposys:accessmanager (hipposys:accessmanager) = hipposys:accessmanager
  + * (hipposys:securityprovider) = hipposys:securityprovider
In the past the storage locations for users, groups, roles and domains were configurable, but in practice they never were (or could be) different from the defaults.
Since brXM v14 these locations are no longer configurable, and the corresponding configuration properties are obsolete and no longer used.
The users, groups, roles and (global) domains, as well as the new userroles, must all be stored in the following predefined paths:
- /hippo:configuration/hippo:users
- /hippo:configuration/hippo:groups
- /hippo:configuration/hippo:roles
- /hippo:configuration/hippo:userroles
- /hippo:configuration/hippo:domains
The property hipposys:passwordmaxagedays configures after how many days a user's password expires, counted from its last modification. By default passwords do not expire automatically. This setting is only effective for internal, non-system users.
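The expiry rule above has three inputs: the configured maximum age, when the password was last changed, and whether the user is an internal, non-system user. The following is an added example (not brXM code) that models that rule so the exemptions can be checked against sample data; the User type, its field names and the sample users are constructed for this page, and treating a non-positive value like an absent property is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed model of the hipposys:passwordmaxagedays rule. This is example
# code for this page, not brXM's implementation; the User type and its field
# names are hypothetical stand-ins for the repository's user nodes.


@dataclass(frozen=True)
class User:
    name: str
    password_last_modified: datetime  # when the password was last set
    system: bool = False              # system users are exempt from expiry
    provider: str = "internal"        # users of an external provider (e.g. "ldap") are exempt


def password_expired(user: User, max_age_days: Optional[int], now: datetime) -> bool:
    """Expire an internal, non-system user's password once max_age_days have
    passed since it was last modified.

    max_age_days mirrors hipposys:passwordmaxagedays. None stands for the
    property being absent, which means no automatic expiry. Treating a
    non-positive value the same way, and counting exactly max_age_days as
    expired, are assumptions of this example.
    """
    if max_age_days is None or max_age_days <= 0:
        return False
    if user.system or user.provider != "internal":
        return False
    return now - user.password_last_modified >= timedelta(days=max_age_days)


def expired_users(users: List[User], max_age_days: Optional[int], now: datetime) -> List[str]:
    """Names of the users whose password the policy reports as expired."""
    return [u.name for u in users if password_expired(u, max_age_days, now)]


# Constructed sample data with a fixed "now" so the results are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    User("alice", NOW - timedelta(days=100)),                   # internal, 100 days old
    User("bob", NOW - timedelta(days=10)),                      # internal, recent
    User("admin", NOW - timedelta(days=400), system=True),      # system user, exempt
    User("carol", NOW - timedelta(days=400), provider="ldap"),  # external user, exempt
]

if __name__ == "__main__":
    print("maxage 90 days:", expired_users(SAMPLE_USERS, 90, NOW))
    print("property absent:", expired_users(SAMPLE_USERS, None, NOW))
```

With a 90-day maximum only alice is reported: bob's password is recent, admin is a system user and carol is managed by an external provider, so neither exemption depends on the password's age.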
The access manager and security providers configuration is described below.
Access Manager Configuration
The configuration of the access manager is stored as a separate child node of type hipposys:accessmanager at:
/hippo:configuration/hippo:security/hipposys:accessmanager
hipposys:accessmanager node type definition
[hipposys:accessmanager] > nt:base
  - hipposys:permissioncachesize (long) = '20000' mandatory autocreated
Cache
The access manager has a per-user cache for read access. It caches, per item, whether a user is allowed to read it or not. Write operations are always checked at run time. The cache size is configured as a number of items per user, where an item is a node or a property, by setting the hipposys:permissioncachesize property.
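The following added example (not brXM's access manager) models the behaviour described above: one bounded cache per user, keyed by item path, consulted only for read checks, while write checks always go to the underlying evaluation. The class and counter names are hypothetical, the sample policy and paths are constructed, and least-recently-used eviction is an assumption; the page only states that the cache holds a fixed number of items per user.

```python
from collections import OrderedDict
from typing import Callable, Dict, List, Tuple

# Constructed model of the access manager's per-user read cache described on
# this page. Example code, not brXM's implementation; class and counter names
# are hypothetical, and LRU eviction is an assumption.

DEFAULT_PERMISSION_CACHE_SIZE = 20000  # default value of hipposys:permissioncachesize

# A permission check callback: (user, item path, action) -> allowed?
Checker = Callable[[str, str, str], bool]


class ReadPermissionCache:
    def __init__(self, size: int = DEFAULT_PERMISSION_CACHE_SIZE) -> None:
        self.size = size
        self._per_user: Dict[str, OrderedDict] = {}  # user -> item path -> allowed?
        self.hits = 0
        self.misses = 0

    def can_read(self, user: str, item: str, check: Checker) -> bool:
        """Read access: answer from the user's cache when possible, otherwise
        evaluate and remember the decision (both allow and deny are cached)."""
        entries = self._per_user.setdefault(user, OrderedDict())
        if item in entries:
            self.hits += 1
            entries.move_to_end(item)  # mark as most recently used
            return entries[item]
        self.misses += 1
        allowed = check(user, item, "read")
        entries[item] = allowed
        if len(entries) > self.size:
            entries.popitem(last=False)  # evict this user's least recently used item
        return allowed

    def can_write(self, user: str, item: str, check: Checker) -> bool:
        """Write access is never cached: every call is checked at run time."""
        return check(user, item, "write")


def demo(cache_size: int = 2) -> Tuple[int, int, int]:
    """Exercise a deliberately tiny per-user cache and return
    (expensive evaluations, cache hits, cache misses)."""
    evaluations: List[Tuple[str, str, str]] = []

    def expensive_check(user: str, item: str, action: str) -> bool:
        evaluations.append((user, item, action))
        # Constructed policy: nothing under /hippo:configuration is accessible.
        return not item.startswith("/hippo:configuration")

    cache = ReadPermissionCache(size=cache_size)
    cache.can_read("alice", "/content/a", expensive_check)   # miss
    cache.can_read("alice", "/content/a", expensive_check)   # hit
    cache.can_read("alice", "/content/b", expensive_check)   # miss
    cache.can_read("alice", "/content/c", expensive_check)   # miss; with size 2 evicts /content/a
    cache.can_read("alice", "/content/a", expensive_check)   # miss again when the cache is too small
    cache.can_read("bob", "/content/a", expensive_check)     # miss: caches are per user
    cache.can_write("alice", "/content/a", expensive_check)  # always evaluated
    cache.can_write("alice", "/content/a", expensive_check)  # always evaluated
    return len(evaluations), cache.hits, cache.misses


if __name__ == "__main__":
    print("size 2:", demo(2))
    print("default size:", demo())
```

Running the same access sequence with a cache of two items costs seven evaluations, with three or more only six: once a user touches more distinct items than hipposys:permissioncachesize allows, read decisions are re-evaluated on every revisit, while the two writes are evaluated regardless of the size.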
Security Providers
The default internal security provider, and optionally additional custom security providers, are configured as separate child nodes of type hipposys:securityprovider:
/hippo:configuration/hippo:security/internal
A security provider can also supply a custom user provider and a custom group provider. An example of such a custom security provider is the LDAP security provider, which synchronizes users and groups with the repository.
hipposys:securityprovider node type definition
[hipposys:securityprovider] > nt:base orderable
  - hipposys:classname (string) mandatory
  + hipposys:userprovider (hipposys:userprovider) = hipposys:userprovider
  + hipposys:groupprovider (hipposys:groupprovider) = hipposys:groupprovider
  + hipposys:roleprovider (hipposys:roleprovider) = hipposys:roleprovider  // obsolete, not used
hipposys:userprovider node type definition
[hipposys:userprovider] > nt:base
  - hipposys:dirlevels (long) = '0' autocreated
hipposys:groupprovider node type definition
[hipposys:groupprovider] > nt:base
  - hipposys:dirlevels (long) = '0' autocreated