Skip to content

Netcentric/envelop

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

33 Commits

.github

.github

 
 

blocks

blocks

 
 

fonts

fonts

 
 

icons

icons

 
 

scripts

scripts

 
 

styles

styles

 
 

.eslintignore

.eslintignore

 
 

.eslintrc.js

.eslintrc.js

 
 

.gitignore

.gitignore

 
 

.hlxignore

.hlxignore

 
 

.renovaterc.json

.renovaterc.json

 
 

.stylelintrc.json

.stylelintrc.json

 
 

404.html

404.html

 
 

CODE_OF_CONDUCT.md

CODE_OF_CONDUCT.md

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

favicon.ico

favicon.ico

 
 

fstab.yaml

fstab.yaml

 
 

head.html

head.html

 
 

helix-query.yaml

helix-query.yaml

 
 

package-lock.json

package-lock.json

 
 

package.json

package.json

 
 

Repository files navigation

Envelop

A reference example on how to use Edge Delivery Services for partially protected content (similar to AEM Closed User Groups).

Starting Point

Edge Delivery Services allow to protect the content of a site using the Microsoft IdP as documented at Configuring Site Authentication. The mechanism supports only to authentication, authorisation on a fine-grained page level is not supported. This means logged in users can see everything while not-logged users get redirected to the Microsoft Login page.

Implementing page-level access control

To get started with page-level access control, the authors need to be able to maintain an Access Control List (ACL). Document based authoring allows to set metadata per document (Metadata per Page) or in bulk via glob patterns (Bulk Metadata). For this implementation we add a property roles that defines what roles may see what pages. Maintaining the roles being allowed via bulk metadata and its glob patterns is usually more practical as often whole folders are to be protected.

To ensure the roles property is checked and respected the following building blocks are needed:

  • The site needs to be protected with Site Authentication to ensure by default, no access is possible. Access with API key needs to be setup to allow "outer infrastructure" to access the pages.
  • A BYO CDN has to be set up that
    • Manages the login state of the users and receives the user's roles from a third party IdP
    • Matches incoming requests for the current user against the ACL of a page
    • For the case access is allowed, accesses the Edge Delivery Backend using the configured API key, otherwise trigger "no access handling" (that could be a plain Http 403 response, but usually it is a redirect to the login page or a more user friendely 404 message)
  • A github action in the Edge Delivery Services repo that pushes any changes to the ACLs to the CDN
  • To ensure links to pages, that a user cannot access are not shown in navigation, the navigation needs to be delivered via JSON using the Indexing functionality. The CDN can intercept those requests and filter entries that the user may not see to deliver a users-specific version of the navigation to the browser.

Working with the example this repository

Environments

Installation

npm i

Linting

npm run lint

Local development

  1. Install the AEM CLI: npm install -g @adobe/aem-cli
  2. Start AEM Proxy: aem up (opens your browser at http://localhost:3000)
  3. Open the {repo} directory in your favorite IDE and start coding :)

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

1 star

Watchers

11 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages