Using Nuxeo, how do I lock down a page so that it redirects to the login page if the user is unauthenticated?

Question

I have been put on to a project using Nuxeo, late in it's lifecycle and need to change a few things before it goes live.

I am having trouble finding out where I need to look to lock down a Nuxeo based application so that a user is redirected to the login page if they are unauthorised and access a restricted page.

Can someone please shoot my some direction on where this sort of logic is kept or defined?

Answer 1

This documentation should give you information about how Nuxeo authentication works: http://doc.nuxeo.org/5.3/books/nuxeo-book/html/auth-users-groups.html#authentication-framework

A more direct answer to your question is: by default some URLs are protected (*.faces, .seam, /nxdoc/, /nxpath/*...), if you need to protect your own you should add to your deployment-fragment.xml file the following:

<filter-mapping>
  <filter-name>NuxeoAuthenticationFilter</filter-name>
  <url-pattern>/mypattern/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>

And if this kind of URL is bookmarkable (e.g. it holds all the needed information for your application to restore the context), you can declare it as a valid start URL in a contribution to the PluggableAuthenticationService:

<extension
  target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
  point="startURL">

  <startURLPattern>
    <patterns>
      <pattern>mypattern/</pattern>
    </patterns>
  </startURLPattern>

</extension>

If you do so, people who type this URL and are redirected to the login page, will be re-redirected to the original URL after a successful login (instead of home page).

HTH, even after more than 1 year ;)

anahide.