[Hippo-cms7-user] Protecting/Securing the binary resources!

victor vguevara at gmail.com
Thu Apr 26 13:46:35 CEST 2012


Ard wrote
> 
> But I assume you are using http sessions to 'know' if someone is
> logged in, right? If you on your sitemap /mount that protects the url
> also set sessionstateful = true, then you keep the jcr session on the
> http session as well. If you then fork the binaries servlet to first
> try to use the jcr session from the http session, then, you can use a
> different one for logged in vs not logged in users.
> 

To keep the session open we use <c:url> at JSP level. However, we have
different roles (and user groups) having different access rights. We have
people who have specific roles (managers, team members, visitors, decision
makers) but are part of multiple groups.

For instance, on the sitemap, we provide access to 'News' to most of the
roles but my 'Reports' are available only to decision makers and managers.
Bob, who is a manager, is able to open almost all reports (PDFs) while
Alice should not have access.

In this case, even if Alice is logged into the site, she is not supposed to
open the PDF report.


Ard wrote
> 
> you then in the cms also need to make sure that normal siteusers do
> not have read access on the embedded resources, and the 'siteuserplus'
> do have read access
> 

Here, we not only need to check whether the user is authenticated but also
whether they have the right role on the asset. Having a servlet per role is not
scalable. My question is then whether there is a mechanism such as the sitemap
protection?

If not, from the URL request to the asset, is it possible to know which
document it belongs to?

--
View this message in context: http://hippo.2275632.n2.nabble.com/Protectecting-Securing-the-binary-resources-tp7480569p7502600.html
Sent from the Hippo CMS 7 mailing list archive at Nabble.com.