How to customize the "redirect to login" behavior for unauthorized pages

When someone browses to a page without the required permission, Plone redirects him to the login page. To do this Plone creates a 302 redirect.

Is this behavior somehow customizable? Can I configure it to return a plain 401 Unauthorized response?

A client has asked us to render a special HTML page to users who access private content. They have already achieved this for 404 Not Found pages by handling the 404 error in nginx or Apache. With the 302 redirect to the login page we can't get that, so that's the reason I am asking how to customize this behavior to have the 401 Unauthorized response.


I don't think this can be changed through Plone configuration, but you could override the RequireLoginView and/or the InsufficientPrivilegesView in the code. (In older Plone versions these are skin scripts.)

I'd have thought you could also customize the behaviour of nginx or apache for status 302. Do you have a specific problem there?

The point is that if I add some special behavior for the 302 redirect in nginx/apache, all 302 redirects will be handled and not only the ones created by the "redirect-to-login-form".

I will keep investigating, thanks!

After further investigation I got this: Plone's PluggableAuthService CookieAuthHelper plugin implements the IChallenge plugin and there redirects the user to the login form.

So I took the following steps:

  1. Go to acl_users -> credentials_cookie_auth and untick the "Challenge" plugin; this way the user will not be redirected to the login form.

  2. Configure nginx to catch the 401 error and show a custom HTML page. This configuration would be as follows:

    upstream plone {
        server 127.0.0.1:3333;
    }

    server {
        listen 80;
        server_name 127.0.0.1.xip.io;
        access_log /var/log/nginx/127.0.0.1.xip.io.log;
        error_log  /var/log/nginx/127.0.0.1.xip.io.error.log;

        gzip            on;
        gzip_min_length 1000;
        gzip_types      application/javascript application/json application/rss+xml application/x-javascript application/xhtml+xml application/xml application/xml+rss text/css text/html text/javascript text/plain text/xml;

        client_max_body_size 20M;

        # Serve the custom page with a 200 status whenever the upstream answers 401
        error_page 401 =200 /custom_401.html;
        location = /custom_401.html {
            auth_basic off;
            root /usr/share/nginx/html;
        }

        location / {
            rewrite ^/(.*)$ /VirtualHostBase/http/127.0.0.1.xip.io:80/Plone/VirtualHostRoot/$1 break;
            # Directly to Zope
            proxy_pass http://plone;
            # Let error_page act on error statuses coming from the proxied backend
            proxy_intercept_errors on;
        }
    }

The important bits there are 1) the error_page 401 =200 block, which tells nginx to treat the 401 error as a 200 response code and show the /custom_401.html page, which in the following line is mapped to an HTML page in the file system, and 2) proxy_intercept_errors on, to let nginx handle errors created by Plone despite using proxy_pass.
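One way to verify both hops after those two steps, as an added example that is not part of the thread: probe a private URL without following redirects and classify the answer. Against Zope directly (port 3333) a 401 means the Challenge plugin is off, a 302 to the login form means it is still active, and through nginx the 401 should now arrive as the custom page. The login path names are assumptions based on Plone's RequireLoginView and login form.

```python
"""Classify what a Plone site answers for private content (added example)."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Paths Plone's RequireLoginView / login form are reachable at (assumed names).
LOGIN_PATHS = ("/require_login", "/@@require_login", "/login_form", "/login")


def classify(status, headers):
    """Return 'login-redirect', 'other-redirect', 'challenge-401',
    'custom-page' (200 text/html, i.e. nginx error_page took over) or 'other'."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if status in (301, 302, 303, 307):
        path = urlsplit(hdrs.get("location", "")).path.rstrip("/")
        if any(path.endswith(p) for p in LOGIN_PATHS):
            return "login-redirect"   # CookieAuthHelper challenge still active
        return "other-redirect"       # an ordinary 302 nginx must not treat as a login
    if status == 401:
        return "challenge-401"        # what Zope sends once "Challenge" is unticked
    if status == 200 and "text/html" in hdrs.get("content-type", ""):
        return "custom-page"          # error_page 401 =200 /custom_401.html in effect
    return "other"


def probe(url):
    """Fetch url without following redirects; return (status, headers)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # make urllib surface 3xx as an HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url)) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


if __name__ == "__main__":
    # e.g. python check_challenge.py http://127.0.0.1:3333/Plone/private-page \
    #                                http://127.0.0.1.xip.io/private-page
    for target in sys.argv[1:]:
        status, hdrs = probe(target)
        print(target, status, classify(status, hdrs))
```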

This plugin is designed to allow you to customise this via configuration (content rules).

It hasn't, however, been updated to 5.2, so a little work to do that might be required.