I have been put on to a project using Nuxeo, late in its lifecycle, and need to change a few things before it goes live.
I am having trouble finding out where I need to look to lock down a Nuxeo based application so that a user is redirected to the login page if they are unauthorised and access a restricted page.
Can someone please shoot me some direction on where this sort of logic is kept or defined?
This documentation should give you information about how Nuxeo authentication works: http://doc.nuxeo.org/5.3/books/nuxeo-book/html/auth-users-groups.html#authentication-framework
A more direct answer to your question is: by default some URLs are protected (*.faces, .seam, /nxdoc/, /nxpath/*...). If you need to protect your own, you should add the following to your deployment-fragment.xml file:
<filter-mapping>
  <filter-name>NuxeoAuthenticationFilter</filter-name>
  <url-pattern>/mypattern/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>
And if this kind of URL is bookmarkable (e.g. it holds all the needed information for your application to restore the context), you can declare it as a valid start URL in a contribution to the PluggableAuthenticationService:
<extension
    target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
    point="startURL">
  <startURLPattern>
    <patterns>
      <pattern>mypattern/</pattern>
    </patterns>
  </startURLPattern>
</extension>
If you do so, people who type this URL and are redirected to the login page will be redirected back to the original URL after a successful login (instead of the home page).
HTH, even after more than 1 year ;)
anahide.