Force Anonymous Login

So, How do you force the login page for anonymous users?

Any ideas?

Thank you.

Jose.

Long story: We have configured anonymous access so that we can directly link and download nuxeo documents (blob files) from an external site.

However we don't want to allow anonymous users to access the nuxeo web application, so I would like to force the login page for anonymous users. How can we achieve this?

I have played with the forceAnonymousLogin parameter, but with little success.

0 votes

2 answers

1725 views

ANSWER



Hi,

How about overriding the StartupHelper ? This is done in the Social Collaboration Module and in CMF.. something like:

/**
 * Overwrite default StartupHelper to provide custom startup page.
 */
@Name("startupHelper")
@Scope(SESSION)
@Install(precedence = Install.DEPLOYMENT)
public class MyStartupHelper extends StartupHelper {

    private static final long serialVersionUID = 1L;

    @Override
    @Begin(id = "#{conversationIdGenerator.nextMainConversationId}", join = true)
    public String initDomainAndFindStartupPage(String domainTitle, String viewId) {
        String result = super.initDomainAndFindStartupPage(domainTitle, viewId);

        NuxeoPrincipal principal = (NuxeoPrincipal) documentManager.getPrincipal();

        if (principal.isAdministrator()) {
            return result;
        } else if (principal.isAnonymous()) {
            try {
                FacesContext.getCurrentInstance().getExternalContext().redirect(NXAuthConstants.LOGOUT_PAGE);
            } catch (IOException e) { }
            return null;
        } else {
            return dashboardNavigationHelper.navigateToDashboard();
        }
    }
}
1 votes



That would avoid anonymous users to browse the repository using the JSF UI but documents would still be accessible and browsable through any other UI…
04/16/2013

Yes. You still have to filter unwanted actions with not_anonymous ("home", etc) and set the proper permissions in the repository but I guess it solves the "don't want to allow anonymous users to access the nuxeo web application" bit…
04/16/2013

I have decided yo use this approach for now, maybe we will filter actions as well. I really need to open access to all documents, blobs and metadata and I am already overriding StartupHelper to change the default landing page to the DAM tab, so this was a one line solution for me. The only issue I found is that documentManager was null, so instead I used

<pre> Principal currentUser = FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal();

if ("Guest".equals(currentUser.getName())) { … } </pre>

I really would like to mark both replies as answer, but since I only can mark one, and this is the one I have implemented, there you go. Thank you.

04/18/2013


Hi,

If you force the login page for anonymous users, then there is no more anonymous access :)
You must define the URLs/paths which will be anonymously accessible (read rights to the Guest user). Then, any other URL/path including the login page will require a login.

1 votes



Hi Julien, I want to force the login page only when someone enters the nuxeo home page, but at the same time allow direct links for downloading blobs. The reason is that I am linking directly the videos in Nuxeo DAM from external video players, and I need them to be available anonymously. But I would like to avoid anonymous users to browse the repository. Would that be possible? Thank you
04/15/2013

So, instead of defining an anonymous access which is based on documents and not actions on those documents, you could simply open some URLs (those matching the direct links) with PluggableAuthenticationService–openUrl; something like:

&lt;extension point=&quot;openUrl&quot;
  target=&quot;org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService&quot;&gt;
  &lt;openUrl name=&quot;OpenSocialRPCInquiry&quot;&gt;
    &lt;grantPattern&gt;/nuxeo/nxfile/.*/blobholder.*/*&lt;/grantPattern&gt;
  &lt;/openUrl&gt;
&lt;/extension&gt;

You should be as much precise as possible since you're opening the matching URLs to no authentication at all.

You could also play with the org.nuxeo.ecm.platform.ui.web.auth.plugins.AnonymousAuthenticator, override default chains and define specificChains to restrict the anonymous access; or write your own authenticator…

04/15/2013

The openUrl extension point is a neat solution, since you can fine grain the urls according to your needs. Thank you very much for the tip.
04/18/2013