REST API user access management


Arjen

Jan 8, 2018, 6:37:51 AM
to dotCMS User Group
Hi,

We're mainly using dotCMS as a headless CMS with a custom REST API (plugin) disclosing certain data to the frontend apps/systems.
This itself works fine, but now I have to implement user management, accounts and permissions and was hoping some of you have some suggestions about best practice.

Going over this article (https://dotcms.com/docs/latest/user-management) I understand the difference between backend and frontend users in a non-headless CMS scenario, but am I correct to think that in my case (headless with API) all user accounts would need to be backend users?

And once a user has authenticated, is there a default way to have that user add a token to any future requests to the API (like a session) so he doesn't constantly have to pass his credentials?

If anyone has any suggestions about best practices that would be much appreciated.

Thanks
Arjen

Chris Falzone

Jan 8, 2018, 10:57:32 AM
to dot...@googlegroups.com
Front-End permissions are for if you wanted to run an Intranet-like deal for your users. You most likely want Back-End.

dotCMS has some options for login, specifically JWT is what you are looking for I think but the options are:

LDAP Authentication (Enterprise Required): https://dotcms.com/docs/latest/ldap-configuration
You can get super custom using dotCMS's Pluggable Authentication. Requires Enterprise: https://dotcms.com/docs/latest/pluggable-authentication

We use Google oAuth2 via plugin which essentially bypasses dotCMS's Authentication completely. There is an example of how to do this using a plugin here: https://github.com/dotCMS/plugin-dotcms-oauth
It's not updated for 4x but there is a PR here: https://github.com/dotCMS/plugin-dotcms-oauth/pull/7
I suggest forking the code, merging that PR and using that as base if you plan on going that route.

You are also going to want to put dotCMS behind some sort of SSL and then lock the Back-End down to SSL only:
https://dotcms.com/docs/latest/ssl-secure-backend-login

There are some Additional Security Best Practices here:

Hope that helps

--
http://dotcms.com - Open Source Java Content Management
To view this discussion on the web visit https://groups.google.com/d/msgid/dotcms/0e96e263-ca7f-49a4-ac10-2c26dcf37ee7%40googlegroups.com.
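As an added example (not code from this thread or from dotCMS itself): a small client-side token session in JavaScript showing the pattern Arjen asked about. Credentials go over the wire exactly once, the returned JWT is kept in memory and attached as a bearer header on every later API call, and the client reads the token's `exp` claim so it stops using a stale token and re-authenticates instead. The login path, the `{"entity":{"token":...}}` response shape and the Bearer scheme are assumptions; check them against your dotCMS version.

```javascript
// Assumed dotCMS login endpoint (not taken from the thread); verify against your docs.
const LOGIN_PATH = "/api/v1/authentication/api-token";

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}

// Read the payload WITHOUT verifying the signature: the client only needs `exp`
// to know when to re-authenticate. Signature verification is the server's job.
function jwtExpiry(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS token");
  const claims = JSON.parse(base64UrlDecode(parts[1]));
  if (typeof claims.exp !== "number") throw new Error("token has no exp claim");
  return claims.exp; // seconds since the epoch
}

class TokenSession {
  // `now` returns epoch seconds; injectable so expiry can be tested offline.
  constructor(now = () => Date.now() / 1000) { this.now = now; this.token = null; this.exp = 0; }

  // Credentials appear in exactly one request and are never stored.
  loginRequest(user, password) {
    return { method: "POST", path: LOGIN_PATH,
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ user, password, expirationDays: 1 }) };
  }
  // Feed the login response body back in; assumes {"entity":{"token":"..."}}.
  acceptLogin(body) {
    this.token = body.entity.token;
    this.exp = jwtExpiry(this.token);
  }
  // Treat a token that is about to expire as expired to allow for clock skew.
  isValid(skewSeconds = 30) {
    return this.token !== null && this.exp - skewSeconds > this.now();
  }
  // Every later API call carries the token instead of the user's credentials.
  apiRequest(path) {
    if (!this.isValid()) throw new Error("session expired: log in again");
    return { method: "GET", path, headers: { Authorization: "Bearer " + this.token } };
  }
}

// Constructed, unsigned sample token for offline demonstration only; a real
// server issues a signed token and the client never builds its own.
function sampleToken(exp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc({ alg: "HS256", typ: "JWT" }) + "." + enc({ sub: "arjen", exp }) + ".signature-placeholder";
}
```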

Arjen

Jan 8, 2018, 12:08:21 PM
to dotCMS User Group
Thanks a lot Chris, that makes a lot of sense.

I already had a look at the oAuth plugin and had a feeling that would be roughly what I was after but thanks for your confirmation.

Arjen