Restricting Repository Access: How to force login on initial visit and hide all metadata from anonymous users?

46 views
Skip to first unread message

AFA

unread,
May 21, 2026, 2:35:52 AMMay 21
to DSpace Technical Support
Hi DSpace Community,
I am looking for guidance on how to completely restrict our repository so that it requires authentication before displaying any content.
By default, DSpace exposes the homepage and metadata publicly. We want to change this behavior so that when a user visits our DSpace site URL, the system immediately redirects them to the login page. Only after a successful login should the user be allowed to view the homepage, search, or access any metadata and content.
Could anyone point me to the best practices for achieving this workflow? Specifically:
  • How do we configure the user interface to force a redirect to the login page upon initial visit?
  • Do we need to combine this with database authorization policies (e.g., removing READ from the Anonymous group), or is it handled entirely via frontend routing configuration?
For reference, we are currently using DSpace 9.2
Thank you in advance for your help!
Best regards,

DSpace Technical Support

unread,
Jun 15, 2026, 10:57:53 AMJun 15
to DSpace Technical Support
Hello!

That kind of "dark archive" restriction has sometimes been implemented in the past via a firewall or proxy layer in front of the site (such as with Apache or Nginx) that is configured to require SSO authentication from the user. 
  • For example, this old thread still has some applicable content.
  • This documentation for Apache auth modules might be an option; you could configure top level directories/paths in your site to require authentication.  
  • Note - I haven't tried the above solutions myself or know of someone who has done so recently, so if anyone has similar setups for their instance, please chime in!
Overall, since DSpace is built mostly with open access repositories in mind, this use case is not well supported by default.  It may also be possible to set up manually, but would likely be messy.  If you were to try in the way you describe, yes it would be necessary to set authorization policies for all of your communities and collections (see also this thread). 

Hope that gives you some ideas. Best,

~Lia


Reply all
Reply to author
Forward
0 new messages