Are there any best practices of protecting contents showing in site module

I faced a requirement that users should login before they can read some restrict contents. In the hippo’s document, there’s security of cms module, viz. restrict the user who can modify the contents. I tried to write the authentication and authorization in the doBeforeRender method of org.onehippo.cms7.essentials.components.CommonComponent class, but don’t know how I can get user login info in the method, and furthermore, is it the best practice for the case?

Do before render in hippo is not very different than doGet in servlet spec, so you can use same things (session etc). Easiest is to hook up spring security, we even have a plugin in for it, an in depth article can be found here:

Thanks a lot for your kind info. And does the plugin use the users and groups stored in hippo repo? If i want to integrate with some external identity service, such as google api, does the plugin support it or I should add only spring security and then implement it by myself?

Both are possible, just use your own security provider instead of hippo one.

forgot to say: if you have a proxy in front of hippo application, you might need following plugin:

In many cases, Spring validates requested URL and fails to do so because it adds /site as a context to incoming URL. You can use above filter to return / instead of /site for example.

Thanks a lot. I’ll try these two plugins.

Hi machak,

Thanks a lot for your help and I can finally integrate the spring security with hippo, and it works perfectly. But there’s still one problem related to logout action behind a proxy. I set the logout action as follows:
<logout logout-success-url="/" logout-url="/logout" invalidate-session="true"/>
and in local dev environment, it links to localhost:8080/site as expected. However, if behind a proxy, it links to which does not exist, and a log message in site module shows the client tried to access localhsot:8080/site/site/. Could you have any idea of it please?