How to setup CUG

Question

How to setup Closed User Group (CUG) in CQ5?

CUGs are sections on a public website that need login to access.

Goal

it must be possible to define a page or a tree of pages on the author to be protected on the publish instance
protected means that it's necessary to login to see the corresponding page(s) on the publish instance
it must be possible to select a group per CUG. All members of this group must have read access to the page(s) in the CUG

Answer, Resolution

Scenario Setup

You need an author and a publish instance with activated replication.

Preparation

Important: Install HotFix 24321 on the author and publish system. You will most likely need to restart the systems after installing the content package, as the included security module is a dependency of a number of other core CQ components and the system doesn't seem to recover from the live bundle update well enough.

A. Users & Groups

create a new group "membersonly"
create a new user "mister x"
make "mister x" user member of the "membersonly" group
make "membersonly" group member of the "surfer" group
make "anonymous" user member of the "surfer" group (because of (1))
activate (Note: The order below is important! Group memberships are not correctly replicated if the members do not already exist on publish)
- "mister x"
- "membersonly"
- "surfer"
remove "anonymous" user membership from the "surfer" group - and do not activate (because of (1))

(1): The "anonymous" user hast to be member of the "surfer" group on publish instances only, but not on author instances (otherwise it's not necessary to login on an author instance anymore and everyone can see your whole author instance!)

Note: If you don't want to do this procedure with adding and removing the" anonymous" user membership from the "surfer" group you can also create a separate group (i.e. CugRootGroup) which is member of the surfer group and set the specific CUG groups (as i.e. group "membersonly") as member of this group. With this you have to activate the "surfer" group just one time and after only this separate group when you add a specific CUG group.

B. Secure Content

choose a page you want to secure
open page properties on the tab "CUG"
enable CUG and select the "membersonly" group - see screenshot
activate the page

C. Provide access

create a link on a public page to a page inside the CUG
activate that page
go to publish instance
visit the page last activated
1. click on the link
2. you get redirected to the login page - login with "mister x"
3. you should now see the content that is secured

Product Issues / Workarounds

Bug 22360: link checker removes links into CUG:

Workaround:

login to http://<host>:<port>/system/console/configMgr/com.day.cq.rewriter.linkchecker.impl.LinkCheckerImpl
add your CUG path into the "Link Check Override Patterns" - see screenshot
save the configuration

Bug 23060: membership changes not replicate on member

Workaround:

replicate the group too

Bug 24422: CUG: Group member replication order is important

Workaround:

always activate users first, then the groups containing those users, and finally groups containing groups (e.g. the surfer group)

Bug 24983: configured login page is ignored

Workaround:

you can overlay the login form component at /libs/wcm/auth/components/login on the publish instance with one in apps (/apps/wcm/auth/components/login). In the /apps/wcm/auth/components/login/login.jsp you can for example add your project specific logic for separate login forms per CUG i.e. by redirect or implementing directly in this jsp.

Note: There are some isolated reports of the OSGi configuration settings or the JSP and JavaScript files in the content package not getting activated when the package is installed. In such cases:

refresh your browser cache (if you see activation problems in the User Manager)
check and re-save (cug.supported should be true, no changes needed) the OSGi configuration of the HTTPAuthHandler component (if CUG pages are not protected on publish)
update the jcr:lastModified date of the /libs/sling/servlet/errorhandler/404.jsp/jcr:content node in CRX explorer (if you get a 404 error instead of the login screen for CUG pages on publish)