REST API user access management


REST API user access management

Arjen
Hi,

We're mainly using dotCMS as a headless CMS with a custom REST API (plugin) disclosing certain data to the frontend apps/systems.
This itself works fine, but now I have to implement user management, accounts and permissions and was hoping some of you have some suggestions about best practice.

Going over this article (https://dotcms.com/docs/latest/user-management) I understand the difference between backend and frontend users in a non-headless CMS scenario, but am I correct to think that in my case (headless with API) all user accounts would need to be backend users?

And once a user has authenticated, is there a default way to have that user add a token to any future requests to the API (like a session) so he doesn't constantly have to pass his credentials?

If anyone has any suggestions about best practices that would be much appreciated.

Thanks
Arjen

--
http://dotcms.com - Open Source Java Content Management
---
You received this message because you are subscribed to the Google Groups "dotCMS User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/dotcms/0e96e263-ca7f-49a4-ac10-2c26dcf37ee7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|

Re: REST API user access management

Chris Falzone-2
Front-End permissions are for if you wanted to run an Intranet-Like deal for your users.  You most likely want Back-End.

dotCMS has some options for login, specifically JWT is what you are looking for I think but the options are:

LDAP Authentication (Enterprise Required):  https://dotcms.com/docs/latest/ldap-configuration
JWT Authentication:  https://dotcms.com/docs/latest/authentication-using-jwt
You can get super custom using dotCMS's Pluggable Authentication.  Requires Enterprise:  https://dotcms.com/docs/latest/pluggable-authentication

We use Google oAuth2 via plugin which essentially bypasses dotCMS's Authentication completely.  There is an example of how to do this using a plugin here: https://github.com/dotCMS/plugin-dotcms-oauth
It's not updated for 4x but there is PR here:  https://github.com/dotCMS/plugin-dotcms-oauth/pull/7
I suggest forking the code, merging that PR and using that as base if you plan on going that route.

You are going to want to also put dotCMS behind some sort of SSL and then lock the Back-End down to SSL only:
https://dotcms.com/docs/latest/ssl-secure-backend-login

There are some Additional Security Best Practices here:
https://dotcms.com/docs/latest/security-best-practices

Hope that helps

On Mon, Jan 8, 2018 at 6:37 AM Arjen <[hidden email]> wrote:

To view this discussion on the web visit https://groups.google.com/d/msgid/dotcms/CAMAbHgUf5%3DyExB2v33e48pX-b8umvKDY73wEcVztrzHhJxU1mw%40mail.gmail.com.
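The token flow Arjen asks about and Chris points to with the JWT docs (authenticate once, receive a signed token, then present it as a bearer credential on every later API call instead of resending credentials) as an added, self-contained example. This is not code from the thread or from dotCMS: it implements a minimal HS256 JWT with the Python standard library, and the claim names (`sub`, `role`), the TTL, the secret and the simulated endpoint guard `authorize_request` are assumptions for illustration, not dotCMS's own API. The verifier side pins the algorithm, checks the signature in constant time and enforces expiry, which are the three checks an API must do before trusting any claim in the token.

```python
"""Minimal HS256 JWT issue/verify flow (added example, stdlib only).

Pattern from the thread: the client authenticates once, gets a signed
token, and sends it as "Authorization: Bearer <token>" on later calls.
Claim names, TTL and the simulated guard below are assumptions for
illustration; they are not dotCMS's API.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url(data):
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Inverse of b64url; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret, subject, role, ttl_seconds, now=None):
    """Server side of login: build header.payload and sign with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "role": role, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def verify_token(secret, token, now=None):
    """Return the claims if the token is valid; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm: the header is attacker-controlled, so 'none' or any
    # other value is rejected before the signature is even looked at.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def authorize_request(secret, headers, required_role, now=None):
    """Simulated API endpoint guard: returns (http_status, body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_token(secret, auth[len("Bearer "):], now=now)
    except ValueError as err:
        return 401, "invalid token: %s" % err
    if claims.get("role") != required_role:
        return 403, "insufficient role"
    return 200, "hello %s" % claims["sub"]


if __name__ == "__main__":
    secret = b"constructed-demo-secret-do-not-reuse"  # constructed sample value
    token = issue_token(secret, "arjen", "editor", 3600)
    good = {"Authorization": "Bearer " + token}
    print(authorize_request(secret, good, "editor"))          # accepted
    print(authorize_request(secret, good, "admin"))           # wrong role
    print(authorize_request(secret, {}, "editor"))            # no token
    tampered = {"Authorization": "Bearer " + token[:-2] + "AA"}
    print(authorize_request(secret, tampered, "editor"))      # bad signature
```

Run it directly to see the four outcomes; the `now` parameter exists so expiry can be exercised deterministically. A real deployment would also rotate the secret, keep the TTL short and send the token only over TLS, which is the point of Chris's SSL-only advice.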

Re: REST API user access management

Arjen
Thanks a lot Chris, that makes a lot of sense.

I already had a look at the oAuth plugin and had a feeling that would be roughly what I was after but thanks for your confirmation.

Arjen


On Monday, January 8, 2018 at 3:57:32 PM UTC, Chris Falzone wrote:

To view this discussion on the web visit https://groups.google.com/d/msgid/dotcms/79493e9e-3975-42d5-bc2b-695b5e3c09f0%40googlegroups.com.