Last month, one POC came to our team to enable our internal content for external authorized customers through a web site. We were planning to do this with Java, something like Spring, Struts or Hibernate, since almost of us are Java guys. But I didn’t think it’s good to build such application from skeleton. Based on my personal limited experience about Drupal, I knew it should be done by Drupal with several modules and a little coding. But the result is amazing: the whole POC is done very quickly (about one afternoon, I think you will do more quickly since I'm newbie for Drupal), and without any coding. The POC made great result for our team. Today, I would like to share our experience about it. Hope this will help you if you are looking for such solution.
First, the Requirement:
1. The site will only open to invited user, no public registration
2. The site content only can be accessed when user logon
3. Our BU can send invite code/link to their customers and the registration form will only show when user access with given invite code.
4. BU and Admin can withdraw invite code
5. Admin can block user account
6. Use email address as account username
7. Password never shows up on clear text also never send the password to anyone
8. User Registration with Invite Code and only can register with invite code, invite code will be expired in 72 hours.
9. Additional required fields on user register form (Company, Phone, and Address.)
10. User have to answer 2 Security questions during registration
11. Password setup link will send to user via mail after submit form
12. When user reset password, she/he will input email address & CAPTCHA code, then answer one security question, then submit.
13. Password reset link will send to user via mail (one time login, and will expired in 24 hours)
14. User Login/Registration/Reset with CAPTCHA code (image CAPTCHA)
15. When user logon, he/she can access additional content (actually, our published internal content).
16. External Web application will deploy to DMZ.
Second, Setup Environment
Before we start our tour, we have to setup an environment which can offer all the service such as PHP, Application Server, MySQL, Mail Server and others. Thanks to Acquia, they offering one free out-of-box desktop application “Dev Desktop”, you can find more detail from following link (also can find the download link on that page):
Below image shows the main screen when it running:
Next, we will setup one site with Drupal 7:
Go to “Settings”, click “Sites” Tab then click “New”, input name of your site, refer to following image:
When you finish generate site, click “Go to my site” to open it:
And then, the most exciting part, Drupal Modules. With module combination, we can build web site for variety requirements.
How to install module on the fly:
Login as administrator and go to “Modules” in admin menu, click “Install new module” as below:
In the install window, copy and paste the link into “Install From URL”, it will download and install module automatically, for example:
After installed, you have to enable it, go to modules and make sure the checkbox be selected:
Then, you can tune the setting for each module to fit the real requirements. I will go through the majority settings which used for our POC as descripted above.
Modules and Configuration:
1. User Initiation
For requirements #1, #3, #4, we chosen Invite module:
When you installed it, go to “Configuration””Account Settings”, we used Invitees Only” option to only allow user who have invite code for register:
And make sure only allow administrator who can send invite only:
Items Value Comments
Invitation expiry 3 days Invite will expire in 72 hours
Others Keep as default
For avoid anti-spam and make sure the user is human beings.
On CAPTCHA tab, we switch “Default challenge type” to Image, and enable CAPTCHA for user login, register and password reset form.
On IMAGE CAPTCHA tab, we tune the Distortion and Noise for the image generated as below:
3. Email Registration
Register account with email address.
Add fields to user register form:
Make sure the fields as required:
5. Security Questions
Enable challenge questions for use during the log in and password reset processes.
We use 2 questions for user to answer:
To enable send mail from Drupal, we need SMTP module:
Tune on this module and make sure all the settings are correct, you can send a test mail to some email address:
a) Send Invite Mail
b) Register Account with Invite link, input account information and answer 2 security questions, then a mail will send to you for password initiative link:
Account register confirm and password initiative mail:
Link will expire in 1 day:
Deploy in Security
The policy for us to publish content to outside is really strict. So we have made following deployment architecture for review. On the Drupal side, we will deploy one application without admin features in DMZ, another admin web application internal for BU and administrator work.
Actually, this is just design, but I believe Drupal will suit for this solution very well. If you have any experience, please share something with me.
With Drupal, we have made one exciting journey for our quick POC and the result was really great: this POC be approved by our internal audit team which always denied solutions. Also, the architecture and design be putted into our roadmap to extend our business value.
Please let me know if you have any questions