SOLVED

Custom LoginModule and Closed User Groups

Level 2

Hi,

We have the need to store a large number of users in an external system, and restrict areas of our CQ powered site to those users. It looks like the Closed User Group feature is a good fit for this. It also looks like we can create a custom Login Module to authenticate users against the external system.

I'm not clear though how the users would be tied against the closed user group mechanism. It seems that when you define a CUG the ACLs for the tree are updated to restrict access to the group, which is reasonable enough. However, am I right in thinking that for the ACL permissions to work the users and groups would need to be synced to the JCR from the external system, similar to how the LDAP LoginModule does? Or in other words, is it possible to keep all user and group membership details isolated in the external system while using the CUG facility?

Thanks. 

1 Accepted Solution

Correct answer by
Level 5

In theory you don't need a user group in CQ for CUG. However, you need something in CQ from which users (authors) can select principals (user/group) and assign them to a page. If they can manually enter it, that's fine as well (in that case you don't need to store anything). You need to write a custom auth handler and login module to resolve the principal from the external system and maybe store it in a cookie for further handling.

Yogesh

2 Replies

Level 2

Hi Yogesh,

When an author uses the CUG facility they set the group principal in the page property dialog, which in turn sets the ACLs in the content hierarchy. However, the group principal is selected from groups held in the JCR as far as I can tell. I think I can use the CUG auth handler as it is, but write a login module for the external system.

But what I don't understand is if it's possible for my login handler to associate user principals with group principals held in the JCR for the ACLs against the content. I'm experimenting with the LDAP Login Module to see if I can get this working with the CUG facility without syncing users & groups.

Jon