Enterprise Jahia Tool - Authentication and Authorization

Advanced deployment and management tools and related support are provided
through our Enterprise Jahia Subscription.

One of Jahia’s strengths has always been its powerful authentication and authorization sub-system. It allows for modular yet precise control of permissions on a wide variety of objects or actions. Permissions may be as granular or as coarse as desired, which makes it a great tool for deployment in small to large enterprises.

Default and Advanced Roles and permissions

New to Jahia 6.5 is the introduction of full-fledged roles. A role is a collection of permissions grouped under a logical name. For example, an “editor” role groups the permissions for editing content and starting workflow processes. Jahia comes with default roles built in.

Enterprise Jahia subscribers can use an advanced role management module with a powerful UI to modify the default assignments.

Integrators may of course define their own roles and permissions, as well as change the default assignments. It is also possible to add permissions in modules and automatically assign them to existing roles upon deployment.

Roles can then be assigned to users and/or groups at any location in the content repository. For example, you may assign the role “editor” to a specific group in a specific section of the website. Members of that group will be able to act in that role only in that specific location in the content repository, and nowhere else. This makes it easy to delegate responsibilities in order to collaborate on content editing, reviewing and overall content management. It is of course recommended to re-use roles across the various sites and sections, as a minimal set of roles is good both for site management and for authorization performance (HTML caching also uses roles to determine which content is viewable).
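The location-scoped assignment described above can be sketched as a small model; this is an added example, not Jahia code or its API. The role, group, user and path names are constructed, and the rule that a role assigned on a node also applies to the nodes below it is an assumption of the model.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed role definitions: a role is a named set of permissions.
ROLES = {
    "editor": {"edit-content", "start-workflow"},
    "reviewer": {"validate-workflow"},
}
# Constructed group membership.
GROUPS = {"news-team": {"alice", "bob"}}

@dataclass(frozen=True)
class Grant:
    principal: str  # "u:<user>" or "g:<group>"
    role: str
    path: str       # repository node where the role is assigned

GRANTS = [
    Grant("g:news-team", "editor", "/sites/acme/news"),
    Grant("u:carol", "reviewer", "/sites/acme"),
]

def principals_of(user):
    """The user plus every group the user belongs to."""
    return {f"u:{user}"} | {f"g:{g}" for g, m in GROUPS.items() if user in m}

def covers(grant_path, node_path):
    """True if node_path is grant_path or below it (assumed inheritance).

    Paths are compared segment by segment, so a grant on /sites/acme/news
    does not leak to /sites/acme/newsletter; paths containing ".." are
    refused rather than resolved.
    """
    grant, node = PurePosixPath(grant_path), PurePosixPath(node_path)
    if ".." in node.parts:
        return False
    return node == grant or grant in node.parents

def roles_at(user, node_path):
    """Roles the user holds at this node, directly or through a group."""
    who = principals_of(user)
    return {g.role for g in GRANTS
            if g.principal in who and covers(g.path, node_path)}

def is_allowed(user, permission, node_path):
    """Deny by default: allowed only if a role held here grants it."""
    return any(permission in ROLES[r] for r in roles_at(user, node_path))
```

A plain string-prefix comparison in `covers` would grant the news team rights on `/sites/acme/newsletter`, which is why the check works on whole path segments.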

Single Sign On (SSO)

Jahia integrates with the following SSO frameworks:

  • Central Authentication Service (CAS) SSO, http://www.jasig.org/cas

  • Java EE container authentication support

  • Pluggable authentication pipeline that can be easily implemented to add support for more SSO solutions

The last framework is useful in the case of integration with non-standard SSO technologies or custom-built ones. One possible example would be the case of a mobile service provider that uses phone numbers as authentication logins. Interfacing with a custom database will integrate into Jahia’s back-end, exposing user and group information directly to Jahia’s UI and permissions.

While it is possible to integrate with Kerberos (http://web.mit.edu/kerberos/; the authentication valve is present in the distribution), this integration is not officially part of the tested and supported stack for Jahia version 6.6.0.

Please get in touch with the company to learn the usage conditions.

Once the user is properly identified, the authorization sub-system is composed of:

  • Access control lists on content objects

  • Roles the user may participate in

  • Permissions on any user actions for a specific role

In order to be able to set access control lists, user and group services are provided, and are of course also pluggable. By default Jahia comes with its own user and group provider service as well as a connector to LDAP repositories, but it is also possible to develop custom services that plug in to either a custom database or a remote service. Jahia is also capable of storing properties and user information for external users and groups inside its own services, making it possible to store personalization data in Jahia. It should also be noted that all these service implementations are available at the same time, so there is no need to replace one with the other.