How to restrict other user login in nuxeo? Only administrator can login and access to nuxeo.


I have a problem in nuxeo-5.3.1(JBoss).

Administrator can create users and groups in nuxeo.

Only administrator can login and access to nuxeo, other users should not login in nuxeo.

How to restrict other user login in nuxeo?

Can any one help me?

0 votes

2 answers



Why don't you want users to log in Nuxeo whereas the Administrator creates their accounts into Nuxeo?

I don't see the interest of making Nuxeo usable by only one user at all.



In our application users(Including Administrator) have seperate UI(using java, flex technologies) to access nuxeo. By using this UI they can add, delete, modify and view thier documents of nuxeo.

In nuxeo there are some common documents is there. They may delete in that documents or other users documents.

So i need to restrict other user login in nuxeo. only administrator can access in nuxeo.

Can you help me?



You can contribute a specific login module that will implement your own access rules (like checking if user is an administrator.

Documentation is here for your version: and you can take example on default login modules even if they're probably implementing more complicated logics than what you need to do.

1 votes


With the reference of above link,

1) I create an authenticator plugin

import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse;

import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo; 
import org.nuxeo.ecm.platform.ui.web.auth.plugins.FormAuthenticator;

  public class AdministratorFilterAuthenticator extends FormAuthenticator {

  protected String usernameKey = "user_name";

  public UserIdentificationInfo handleRetrieveIdentity(
      HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
          String userName = httpRequest.getParameter(usernameKey);
          if ("Administrator".equals(userName)) {
              return super.handleRetrieveIdentity(httpRequest, httpResponse);
          return null;


2) How and where to add my authenticator into the authentication chain

I got this idea from someone.

 <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="authenticators">
  <authenticationPlugin name="ADMINSITRATOR_FILTER_AUTH" enabled="true"
<extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService" point="chain"> 

3) where i have place my plugin in nuxeo?

Anything i missed? Please help me.




Thanks for sending such a wonderful documentations.

I created authenticator plugin. I follow the above docs for creating project. After that,

I add the authenticator plugin to the authentication chain(Create a xml file and paste it into $JBOSS_HOME/server/default/deploy/nuxeo.ear/config folder).

After restart nuxeo-jboss-5.3.1,

The Logs shows

14:26:59,077 ERROR [NuxeoAuthenticationFilter] Auth plugin ADMINSITRATOR_FILTER_AUTH can not be retrieved from service 14:26:59,116 ERROR [DefaultNuxeoExceptionHandler] java.lang.NullPointerException at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.initUnAuthenticatedURLPrefix( at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.bypassAuth( at org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter.doFilter( at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter( at org.apache.catalina.core.ApplicationFilterChain.doFilter( at org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoRequestControllerFilter.doFilter( at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter( at org.apache.catalina.core.ApplicationFilterChain.doFilter( at org.nuxeo.ecm.platform.web.common.exceptionhandling.NuxeoExceptionFilter.doFilter( at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter( at org.apache.catalina.core.ApplicationFilterChain.doFilter( at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter( at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter( at org.apache.catalina.core.ApplicationFilterChain.doFilter( at org.apache.catalina.core.StandardWrapperValve.invoke( at org.apache.catalina.core.StandardContextValve.invoke( at at at org.apache.catalina.core.StandardHostValve.invoke( at org.apache.catalina.valves.ErrorReportValve.invoke( at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke( at org.apache.catalina.core.StandardEngineValve.invoke( at org.apache.catalina.connector.CoyoteAdapter.service( at org.apache.coyote.http11.Http11Processor.process( at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process( at$ at

14:26:59,150 ERROR [nuxeo-error-log] Request Attributes:

NuxeoExceptionHandlerMarker : true securityError : false user_message : an unexpected error occurred

Can you give some more guidence to complete this task?



Hi bjalon, Julien Carsique & Anahide Tchertchian,

Thanks for your guidance. I solved this issue with the help of your previous comments and documents.

Thanks a lot…


The UIs you defined to expose features to users should not be used to manage security access to documents. You must set the right permissions on the documents to ensure a use have the wanted permissions on a given document, independently of the UI used.

If you need to store “common” documents, then you must describe more precisely your use case and probably store them somewhere else than in the default domain or workspace.

You can also use a specific HTTP configuration (in your HTTP server, ie. Apache) in order to forbid or restrict some URLs and redirect the users to the wanted URL (and its associated UI).

1 votes