PROVISIONING & AUTHORING
1 Authentication
Best Practices
Keep it Simple
• Don’t micro-manage access rights for individual users or on individual pages
• Use groups to assign access rights
• Structure content around groups
• Use Allow statements to specify group access rights
Authentication Handler
Implements the method by which visitors provide credentials.
It must implement:
• Request Credentials
• Extract Credentials
• Drop Credentials
Example of implementations:
• HTTP Basic
• Form based
• Token based
• OpenID
• SAML 2.0
Login Module
Implements the method by which the server verifies the credentials.
Steps to add Login Modules:
• OSGi fragment bundle (since 5.5)
• Edit repository.xml file & jaas.conf file
• Update your startup script
• Restart CQ
Example Login Modules:
• CRX
• LDAP
LDAP Login Module
Useful Features
• Creates the users in the repository
• Can assign users to groups from LDAP
• Has a cache (with timeout and size settings)
• Can sync all users or a list of them at once
• Callbacks can be registered on user and group creation
Restful user & group management
Create a user
$ curl -u admin:admin -FcreateUser= \
    -FauthorizableId=myUserName \
    -Frep:password=myPassword \
    -Fmembership=myGroupName \
    -Fprofile/myPropertyName=myPropertyValue \
    http://localhost:4502/libs/granite/security/post/authorizables
Create a group
$ curl -u admin:admin -FcreateGroup= \
    -FauthorizableId=myGroupName \
    http://localhost:4502/libs/granite/security/post/authorizables
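The "Create a user" request above, written for scripted use, as an added example that is not from the original slides: it keeps the admin credentials and the new password out of the process list and sends every field literally. The endpoint and field names are the deck's; NETRC_FILE, the function names and the ID rule are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides. Endpoint and field names are the deck's;
# NETRC_FILE, the function names and the ID rule are assumptions.
AEM_URL="${AEM_URL:-http://localhost:4502}"
NETRC_FILE="${NETRC_FILE:-$HOME/.netrc-aem}"  # "machine localhost login admin password ...", mode 600

# Allow only conservative authorizable IDs (assumed policy).
valid_id() {
    case "$1" in
        ''|[!A-Za-z0-9]*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Escape backslash and double quote for a quoted curl config value.
cfg_quote() {
    printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# Print the curl config for "Create a user". Arguments: user, group, password.
create_user_config() {
    nl='
'
    valid_id "$1" && valid_id "$2" || { echo "invalid id" >&2; return 2; }
    case "$3" in
        ''|*"$nl"*) echo "password must be one non-empty line" >&2; return 2 ;;
    esac
    printf 'url = "%s/libs/granite/security/post/authorizables"\n' "$AEM_URL"
    printf 'netrc-file = "%s"\n' "$(cfg_quote "$NETRC_FILE")"
    printf 'fail\nsilent\nshow-error\n'
    # form-string sends the value literally; -F would treat a leading
    # '@' or '<' in a value as "read this local file".
    printf 'form-string = "createUser="\n'
    printf 'form-string = "authorizableId=%s"\n' "$1"
    printf 'form-string = "rep:password=%s"\n' "$(cfg_quote "$3")"
    printf 'form-string = "membership=%s"\n' "$2"
}

# Send the request. The config (and with it the password) reaches curl on
# stdin, so it does not show up in the process list.
create_user() {
    cfg=$(create_user_config "$1" "$2" "$3") || return
    printf '%s\n' "$cfg" | curl --config -
}
```

Setting a non-default admin password on the instance matters more than any of this; the script only avoids leaking whatever credentials are in use.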
Edit an existing user
$ curl -u admin:admin -Fprofile/myPropertyName=myPropertyValue \
    http://localhost:4502/home/users/m/myUserName.rw.html
Set a user’s group memberships (overwriting existing group memberships)
$ curl -u admin:admin -Fmembership=myGroupName1 -Fmembership=myGroupName2 \
    http://localhost:4502/home/users/m/myUserName.rw.html
Add/Remove users to/from a group (not impacting other memberships)
$ curl -u admin:admin \
    -FaddMembers=myUserName1 -FaddMembers=myUserName2 \
    -FremoveMembers=myUserName3 -FremoveMembers=myUserName4 \
    http://localhost:4502/home/groups/m/myGroupName.rw.html
Get current user’s information
$ curl -u admin:admin http://localhost:4502/libs/granite/security/currentuser.json
Delete a user or group
$ curl -u admin:admin -FdeleteAuthorizable= \
    http://localhost:4502/home/users/m/myUserName
2 Resource Provisioning
Best Practice
Keep it simple
• Keep number of templates low
• Keep number of components low
• Leverage CSS
• Build CSS-friendly markup
• Set smart classes on the pages
Blueprints
• Page structure ready to be provisioned
• Page structure can be customized (to some extent)
• A site owner can be defined (typically a group)
• Simple copy or LiveCopy is possible (for keeping pages in sync)
• A RolloutConfig can be added (to configure the components used for rendering)
From Actions & Workflows
Useful when resources need to be provisioned on demand.
Looking at the CQ 5.6+ New Community feature:
• Form for creating a new community
• Workflow for creating the content and setting ACL
New Community – deconstructing how it works:
1. New Community Form:
• Custom form component
• Configurable properties (livecopy & blueprint paths)
• Form action => forward.jsp
2. Forward.jsp
• Verifies values of submitted form
• Opens an admin session
• Creates a workflow node (below /etc/social/groups/)
• Adds to the workflow payload:
  • form payload
  • form properties
  • current user id
3. Workflow launcher
• Has a workflow listening to node creations under /etc/social/groups/
4. “Create Community Live Copy” Workflow
• Creates a Live Copy from the master Community pages
• Activates the pages (which is probably not what you would do)
• Moves the workflow payload to the created parent page
5. Workflow launcher
• Has a workflow listening to page creation that has a payload
6. “New Social Community Group” Workflow
• Creates admin group
• Adds original user to the admin group
• Sets ACL to the content for the admin group
3 Author Scalability
Vertical Scalability
• Set up an Author Dispatcher
• Optimize Hardware
  • Increase CPU, RAM & Disk speed
• Server load is affected by
  • Image rendering & digital asset processing
  • MSM Rollout
  • Workflows
  • Simple Editing
Sufficient for at least 50 editors editing content concurrently.
Approximation of # of logged-in users (of which only a fraction is editing concurrently!):
$ grep access.log
Horizontal Scalability
Sharding 1: Split different sites (or parts of sites) into separate author instances.
Publish instances are shared.
[Diagram: three author instances (A), one each for site 1, site 2 and site 3, each receiving editing, with replication to three publish instances (P)]
Sharding 2: Split different sites into separate author instances, but replicate to one
main author, e.g. for shared workflow processes.
[Diagram: three author instances (A) for site 1, site 2 and site 3, each receiving editing; replication to one main author (A), then replication to publish (P)]