7 Replies Latest reply on Apr 13, 2007 7:03 AM by dcarter

    Globally disallow guest access to Clearspace

      There's already an issue for this (http://www.jivesoftware.com/issues/browse/CS-16) but this is really important for us (only employees and registered customers will be accessing), and it's scheduled for 1.1. Any chance it will get in sooner? Is there a workaround that doesn't involve locking the whole site down using .htaccess or something similar?

        • Re: Globally disallow guest access to Clearspace
          nick

          We will do everything possible to get this issue fixed as soon as possible, but the reason it is marked as fix for 1.1 is because it might require a more fundamental change to the API than we usually like to do in our point releases.

           

          There is a pretty straightforward workaround, but it will require a bit of Java coding. Simply create a filter that checks if the user is logged in and, if not, redirect the user to the login page. The filter would be trivial, something like:

           

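          import java.io.IOException;
          import javax.servlet.Filter;
          import javax.servlet.FilterChain;
          import javax.servlet.FilterConfig;
          import javax.servlet.ServletException;
          import javax.servlet.ServletRequest;
          import javax.servlet.ServletResponse;
          import javax.servlet.http.HttpServletRequest;
          import javax.servlet.http.HttpServletResponse;
          // JiveGlobals, AuthFactory and AuthToken come from the Clearspace API;
          // import them from the packages used by your Clearspace version.

          public class GuestFilter implements Filter {
              public void init(FilterConfig config) throws ServletException {
              }

              public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
                  HttpServletResponse response = (HttpServletResponse) res;
                  HttpServletRequest request = (HttpServletRequest) req;
                  // Only enforce the check once Clearspace has been set up.
                  if (JiveGlobals.isSetup()) {
                      AuthToken authToken = AuthFactory.getAuthToken(request, response);
                      // Anonymous (guest) users are sent to the login page.
                      if (authToken.isAnonymous()) {
                          response.sendRedirect(request.getContextPath() + "/login!input.jspa");
                          return;
                      }
                  }

                  // Logged-in users continue down the filter chain.
                  chain.doFilter(req, res);
              }

              public void destroy() {
              }
          }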
          

           

          You would then specify the filter in your web.xml as follows:

           

          <filter>
              <filter-name>GuestFilter</filter-name>
              <filter-class>packageName.GuestFilter</filter-class>
          </filter>
          ...
          <filter-mapping>
              <filter-name>GuestFilter</filter-name>
              <url-pattern>*.jspa</url-pattern>
          </filter-mapping>
          

           

          Hope this helps... and keep an eye on that issue as we will do our best to get it taken care of as soon as possible.

           

          Nick

            • Re: Globally disallow guest access to Clearspace

              Note, Nick's web.xml mapping lists the filter mapping as "UpgradeFilter" but in this case it's probably more appropriate to call it "GuestFilter". Minor change, but I thought I'd point that out.

               

              Cheers,

              --Bill

                • Re: Globally disallow guest access to Clearspace

                  I did this a while back...will this filter block the actual "login" action as well?

                   

                  Since when you try and login, you'll need to execute the login action through this filter as an anonymous user...

                   

                  I did something like this:

                   

                   

                  // don't apply the filter to the admin console, excluded extensions,
                  // or to the login url the user might be being redirected to
                  if (servletPath.indexOf(loginKeyword) < 0 &&
                          !contains(servletPath, adminConsolePath) &&
                          !contains(servletPath, "account") &&
                          !contains(servletPath, "emailPasswordToken") &&
                          !contains(servletPath, "createProfile") &&
                          !contains(servletPath, "resetPassword") &&
                          !excludedExtension(pathInfo, excludedExtensions)) {

                      // Check 1: look for the Jive authentication token in the user's session.
                      AuthToken authToken = null;

                      try {
                          authToken = AuthFactory.getAuthToken(httpRequest, httpResponse);
                      } catch (UnauthorizedException ue) {
                          Log.debug("UnauthorizedException can be ignored.", ue);
                      }

                      // check to see if the AuthToken is anonymous
                      if (authToken == null || authToken.isAnonymous()) {

                          // check to see if the page should be excluded
                          Log.debug(servletContextPath + "/" + redirectUrl);
                          httpResponse.sendRedirect(servletContextPath + "/" + redirectUrl);
                          return;
                      }
                  }

                   

                  I can post the full source if needed...this will also allow images to be served, if you put a more blanketed mask in your web.xml you could then control what gets through via Jive properties and not web.xml settings.

                   

                  Cheers,

                   

                  Anthony

                    • Re: Globally disallow guest access to Clearspace
                      nick

                      Anthony is correct, the filter will need to check for login/logout requests and make sure to let them pass through. It will also need to be mapped carefully as many of the clean URLs do not use the .jspa extension. You can see how sitemesh is applied to the clean URLs in the existing web.xml.

                       

                      Another approach is to create a new webwork interceptor (or modify an existing one) to check if the user is logged in. The JiveIOCInterceptor might be a good one. Again, the interceptor will need to be mapped to every action that should be blocked, or rather, be mapped globally and excluded from any actions that should not be blocked (login/logout).

                       

                      The good news is that this issue is currently slated to be fixed in the core product for 1.0.4, coming out in a few weeks.

                       

                      You can follow the issue here:

                      http://www.jivesoftware.com/issues/browse/CS-16
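
An added example, not code from this thread or from Jive: the guest-exemption decision written as a default-deny check with exact path matches, so that a path which merely contains a keyword such as "account" is not exempted. It is meant to be called from the filter before the `isAnonymous()` redirect, with the filter mapped broadly enough to cover clean URLs. Only `/login!input.jspa` comes from the thread; the class name, the other paths and the extension list are assumptions.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

/** Default-deny decision for anonymous requests (hypothetical helper class). */
public class GuestAccessPolicy {
    // Exact servlet paths a guest must be able to reach. Only "/login!input.jspa"
    // appears in the thread; the other entries are assumed placeholders for the
    // login action and the two password-reset pages.
    private static final Set<String> GUEST_PATHS = Set.of(
            "/login!input.jspa", "/login.jspa",
            "/emailPasswordToken.jspa", "/resetPassword.jspa");

    // Static resources the login page needs (constructed list).
    private static final Set<String> STATIC_EXTENSIONS =
            Set.of("css", "js", "gif", "png", "jpg");

    /** Returns true only when an anonymous user may fetch this servlet path. */
    public static boolean allowsAnonymous(String servletPath) {
        if (servletPath == null || servletPath.contains(";") || servletPath.contains("..")) {
            return false; // refuse path parameters and traversal instead of guessing
        }
        if (GUEST_PATHS.contains(servletPath)) {
            return true; // exact match, not a substring test
        }
        // Otherwise only a static-file extension on the last path segment is exempt.
        String lastSegment = servletPath.substring(servletPath.lastIndexOf('/') + 1);
        int dot = lastSegment.lastIndexOf('.');
        return dot >= 0 && STATIC_EXTENSIONS.contains(
                lastSegment.substring(dot + 1).toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample paths, including a clean URL without a .jspa extension.
        List<String> samples = List.of(
                "/login!input.jspa", "/resetPassword.jspa", "/images/logo.png",
                "/index.jspa", "/docs/DOC-1001", "/account-review.jspa",
                "/index.jspa;x.png");
        for (String path : samples) {
            System.out.println((allowsAnonymous(path) ? "pass     " : "redirect ") + path);
        }
    }
}
```

Everything not listed is redirected, so a page added later is private until someone deliberately exempts it.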

                • Re: Globally disallow guest access to Clearspace
                  dcarter

                  Unfortunately, 1.0.4 has not solved this problem for me.

                  (http://www.jivesoftware.com/issues/browse/CS-16)

                   

                  It's true, I can set the jive.auth.disallowGuest property, which will stop users at the login page. However, on the login page, it displays an error:

                  You are not authorized to view the selected content. Please login using the form below with an authorized user account.

                   

                  I know I can remove the user bar and bread crumb with a template, but I'm not sure it's the best way to fix the error message.

                   

                  In addition, the "I forgot my password" link does not work. (after all, without logging in first, you can't do anything)

                   

                  Are there some additional properties or other configuration needed to clean this up?

                   

                  Doug

                    • Re: Globally disallow guest access to Clearspace
                      Kevin Williams

                      I reopened this issue regarding the "I forgot my password" page not loading. That makes two pages that should be viewable by guest users (along with the login page).

                       

                      Regarding the error message--why do you not want it to show up? I thought it was helpful myself.

                        • Re: Globally disallow guest access to Clearspace
                          dcarter

                          Actually, there is one more page that should be added. The reset password page that you are sent to after you get mail with the token.

                           

                          As for the error message, my (and I think many others') goal is to have a private, members only site. When the user goes to the home page, they get a "Welcome to Clearspace" login page. A few welcome words, a login form and a "I forgot my password" link. Nothing else. If they try to access a page on the site before they login, they should get directed to this page, authorize themselves, then be redirected to the original page.

                           

                          Why would you think that the error message is helpful? Imagine logging into a PC (Linux, Windows, Mac) and above the login form is this error message. Why should an error message print if you haven't done anything to cause it?