I have a Plone site which I'd like to hide from read-only access and instead serve the contents from a static mirror (mainly for performance reasons, of course); most contents rarely change.

(How to create that mirror is not the topic of this question.)

Now, some parts of the site are free to any unauthenticated user ("public"), some are for anyone who has a free account ("visible"), and some are for paying customers only ("restricted"), where we have different groups which may map the "Reader" role to certain subtrees of the site. A small number of maintainers would need to be able to write; they'd probably need to be redirected to the (otherwise hidden) Plone backend.

We use Cookie-based authentication; we currently run Apache v2.4.6 on a CentOS Linux v7.9.2009.

How would I plug the access control into our configuration for that static site?

  • Would I integrate some small call to our Plone site which should of course not be visible to the client, and how, i.e.: which Apache module / directives I'd need to use?
  • Or would it be preferable to let our backend maintain an AuthDBMUserFile and one or more AuthDBMGroupFiles (which would raise the question of which AuthDBMType to choose and how to maintain it)?
  • Other ideas and/or pointers?

Thank you!
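For the second option in the question, here is an added example of what the Apache side can look like; it is not taken from the question or from any answer. It uses mod_authn_dbm and mod_authz_dbm with a single SDBM file that stores, per user, the password hash followed by a colon-separated group list (the layout mod_authz_dbm accepts when AuthDBMUserFile and AuthDBMGroupFile name the same file), and it maps the three tiers to paths without any .htaccess files. The hostnames, paths, file names, group names and the use of `htdbm -t` to write the group list are assumptions for illustration; the `dbm-file-group` variant for the restricted tier relies on the mirror's filesystem group ownership, so the group names must also exist as system groups.

```apache
# Added example (not from the question or an answer): Apache 2.4 virtual host
# for the static mirror, users and groups in one SDBM file.
# Assumed: hostnames, paths, /etc/httpd/mirror.db, group names.
#
# Maintaining the file (htdbm ships in httpd-tools).  SDBM is the APR built-in
# DBM format, so it needs no extra library; that makes it the safe AuthDBMType.
#   htdbm -c -T SDBM -B -b -t /etc/httpd/mirror.db alice 'S3cret!'  visible
#   htdbm    -T SDBM -B -b -t /etc/httpd/mirror.db bob   'Pa55w0rd' visible,restricted-eu
#   htdbm    -T SDBM -x       /etc/httpd/mirror.db alice              # delete alice
# -t stores its last argument as the "comment" behind the hash ("hash:comment"),
# which is the field mod_authz_dbm reads as the group list when AuthDBMUserFile
# and AuthDBMGroupFile point at the same file.  -B selects bcrypt hashes.

<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /srv/mirror
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.org.key

    # "public": everything under the mirror is open unless a more specific
    # <Location> below says otherwise.  No .htaccess lookups at all.
    <Directory /srv/mirror>
        AllowOverride None
        Options -Indexes
        Require all granted
    </Directory>

    # "visible": any account that exists in the DBM file.
    <Location /visible>
        AuthType Basic
        AuthName "Members"
        AuthBasicProvider dbm
        AuthDBMType SDBM
        AuthDBMUserFile  /etc/httpd/mirror.db
        AuthDBMGroupFile /etc/httpd/mirror.db
        Require valid-user
    </Location>

    # "restricted": one subtree per paying group, named explicitly ...
    <Location /restricted/eu>
        AuthType Basic
        AuthName "Members"
        AuthBasicProvider dbm
        AuthDBMType SDBM
        AuthDBMUserFile  /etc/httpd/mirror.db
        AuthDBMGroupFile /etc/httpd/mirror.db
        Require dbm-group restricted-eu
    </Location>

    # ... or, with many subtrees, let the mirror's group ownership decide:
    #   groupadd restricted-eu
    #   chgrp -R restricted-eu /srv/mirror/restricted/eu
    # The file's gid is resolved to a name and checked against the user's
    # DBM group list, so no per-subtree <Location> is needed.
    <Location /restricted>
        AuthType Basic
        AuthName "Members"
        AuthBasicProvider dbm
        AuthDBMType SDBM
        AuthDBMUserFile  /etc/httpd/mirror.db
        AuthDBMGroupFile /etc/httpd/mirror.db
        Require dbm-file-group
    </Location>
</VirtualHost>
```

Basic auth over TLS is the minimal choice shown here; the same `dbm` provider also works behind mod_auth_form if a form login is preferred. Whatever produces the mirror should rewrite the DBM file atomically (write a new file, then rename it over the old one) so httpd never reads a half-written database.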

1 Answer

The solution is mostly on the webserver/proxy side. You could probably use a cookie to decide where to lead a user. Anonymous is simple, but for logged-in users you have to put the roles or group info in a cookie to have it in the proxy for all requests.

Editing access can be done via a different URL (sub-domain) for the smaller group of editors.

Another idea could be to index all content in something like Typesense and use scoped tokens to access the 3 types of content. This could be searched and rendered by any JAMSTACK solution like Astro, Hugo, SvelteKit and so on. This is very flexible and fast as well.

  • "... use a cookie to decide where to lead a user" But this is about security, and a cookie is on the client and could be edited. Wouldn't this be insecure? I'm looking for a way to tell the front-end server (Apache 2.4 in my case) whether the requesting user has access to the given path, and prompt for login or reject access like Plone/Zope would do. I'd expect some server-side processing to be necessary, right?
    – Tobias
    Commented May 13 at 13:05
  • If you only have a few users, you can manage the access mapping to the paths, sure. This way you can have just static content. If you have a lot of users and groups, you need something to manage that (LDAP, Keycloak, ...), but that's outside of Plone here. Server-side processing is only necessary if you need to render stuff dynamically. If your content can be divided into a couple of paths, you can get away by statically rendering out and making sure that the right users have access to the correct paths in Apache.
    – MrTango
    Commented May 14 at 14:37
  • And there is a thing called HTTP-only cookies; those are usually used for this, and the cookie should never contain important data. It's usually a session id. But the solution for you is probably to authenticate Plone and Apache against an external source like LDAP or Keycloak or something similar.
    – MrTango
    Commented May 14 at 14:40
  • Yes, the "... and make sure that the right users have access to the correct paths in Apache" part is what I'm interested in: This might become complicated, as I have many users, and I'd like to avoid .htaccess files all over my static mirror.
    – Tobias
    Commented May 14 at 15:06
  • "authenticate Plone and Apache against an external source like LDAP or Keycloak or something similar.": I'm currently looking into Apache's mod_authn_dbd module; it should be possible to move my user and groups base (currently vanilla acl_users in the ZODB) to my PostgreSQL database, right?
    – Tobias
    Commented May 14 at 16:08
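Following the last two comments (an external user base shared by Plone and Apache, and mod_authn_dbd against PostgreSQL) and the answer's suggestion of a separate hostname for editors, here is an added example that is not part of the question, the answer or the comments. It keeps users and groups in PostgreSQL via mod_dbd, mod_authn_dbd and mod_authz_dbd, maps the tiers to paths exactly as before, and adds a second virtual host that proxies maintainers to the otherwise hidden Plone instance. The hostnames, paths, table and column names, the DSN, the Plone site id and the office network range are assumptions for illustration.

```apache
# Added example (not from the thread): tiered static mirror with users and
# groups in PostgreSQL, plus an editors-only hostname proxied to Plone.
# Assumed: hostnames, paths, DSN, table/column names, 10.0.0.0/8, site id "Plone".
#
# Assumed schema, filled by whatever exports acl_users from the ZODB:
#   CREATE TABLE mirror_users  (username text PRIMARY KEY, password text NOT NULL);
#   CREATE TABLE mirror_groups (username text REFERENCES mirror_users,
#                               group_name text NOT NULL);
# "password" holds an httpd-compatible hash, e.g. the bcrypt output of
#   htpasswd -nbB alice 'S3cret!'        -> alice:$2y$05$...
# On CentOS 7 the pgsql DBD driver comes from the apr-util-pgsql package.

DBDriver   pgsql
DBDParams  "host=127.0.0.1 dbname=mirror user=httpd_ro password=CHANGE-ME"
DBDMin     2
DBDKeep    4
DBDMax     10
DBDExptime 300

<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /srv/mirror
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.org.key

    # "public"
    <Directory /srv/mirror>
        AllowOverride None
        Options -Indexes
        Require all granted
    </Directory>

    # "visible": any row in mirror_users.  The query must return exactly one
    # column, the stored hash; httpd compares it against the submitted password.
    <Location /visible>
        AuthType Basic
        AuthName "Members"
        AuthBasicProvider dbd
        AuthDBDUserPWQuery "SELECT password FROM mirror_users WHERE username = %s"
        Require valid-user
    </Location>

    # "restricted": membership comes from a second query, one group per row.
    <Location /restricted/eu>
        AuthType Basic
        AuthName "Members"
        AuthBasicProvider dbd
        AuthDBDUserPWQuery "SELECT password   FROM mirror_users  WHERE username = %s"
        AuthzDBDQuery      "SELECT group_name FROM mirror_groups WHERE username = %s"
        Require dbd-group restricted-eu
    </Location>
</VirtualHost>

# Maintainers: a separate hostname, reachable only from the office range, that
# forwards to Plone through its VirtualHostMonster.  Plone keeps doing its own
# cookie-based login here; Apache only decides who may reach the backend at all,
# and the backend is never published under www.example.org.
<VirtualHost *:443>
    ServerName edit.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/edit.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/edit.example.org.key

    <Location />
        Require ip 10.0.0.0/8
    </Location>
    ProxyPass        / http://127.0.0.1:8080/VirtualHostBase/https/edit.example.org:443/Plone/VirtualHostRoot/
    ProxyPassReverse / http://127.0.0.1:8080/VirtualHostBase/https/edit.example.org:443/Plone/VirtualHostRoot/
</VirtualHost>
```

The database role used by httpd only needs SELECT on the two tables; the exporter that mirrors acl_users is the only writer. Because `%s` is bound as a parameter by mod_dbd, the username from the Authorization header is not interpolated into the SQL text.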
