
Authentication / permissioning configuration query in 3.2 E

Question asked by chrisb on Mar 9, 2010
Latest reply on Mar 10, 2010 by stevegreenbaum
We have a website that is being generated dynamically via webscripts running from within the Data Dictionary area of the main Alfresco repository.

The website needs to support the following types of access:

1. Pages accessible by anyone coming to the site without requiring any form of login (i.e. publicly visible pages)

2. Pages that display publicly visible content and additional user specific content *if* the user is logged in

3. Pages that are only visible to logged in users.

We have done some test implementations for use case 1 using webscripts with guest authentication set up in the webscript config XML file, and then invoking the webscript with the URL param guest=true appended to the URL. This works as expected, allowing public access to the pages without triggering a login request.

Use cases 2 & 3 are proving a bit trickier though, as although we have set the webscripts to have user level authentication, this still seems to allow guest users to run them. Is this correct behaviour? If so, what webscript authentication level should we use to make sure that guest users are prompted to authenticate using a named user account?

The alternative approach is to set the authentication level on webscripts to "none" and then use a call to runAs inside the controller JS code to access any repository content required.

The WCM approach didn't seem a good fit for what we are trying to do, as we make extensive use of aspects/associations and the Lucene search API to generate our dynamic pages, but we are open to suggestions on whether we should reconsider this.

We would be interested to hear other people's experiences with implementing this type of usage, especially examples of selectively displaying webpage content based on user permission levels.