Hi Christoph,

thanks for your suggestion.
Before I wrote this ext-plugin (some 4 years ago) I did also try the autologin approach but had some issues with re-authentication, right now can not remember details but this did somehow not really work reliable, at least not the way I implemented it. But another issue (why I did not try to solve the one just mentioned) was the session expiration which led to the annoying message that the session expires every 30 minutes (which we had to set up due to policies).
Control Panel and private/public pages is not shown/used for any users (except admins).

But thanks for letting me remember this, maybe this works better with Liferay 7 CE!

... and you can use the parent child hierarchy to cover cases where you have content that you want to be available on both sites.

Thanks David for your input!

Yeah, this is a tough one. Christophe's solution is one, but I wonder how hard it would be to re-authenticate as an actual user with the auto login guy getting in the way.

It is probably better handled by audience targeting, but that is not available in LR7CE.

I actually had some issues with re-authentication when I was trying to use this approach.
If DXP would solve this in an easy way this might be an option for us ...

I'm not a fan of the original EXT approach either, I can imagine cases where I'm on campus on the wifi on my phone seeing some content but, as soon as I walk off campus and fall back to cell, everything stops working? Or if I see something while I was on campus yesterday that I need to see but now that I'm off campus, I can't get to the details?

Yes, thats right but this also is intended. We do actually only show information in our Liferay site (we call it our "Self-Service Portal") which is relevant for our users who can login and then see all information, users-to-be who just want to look up some information how to start and will get an account soon or guests which do not find information valuable for them if they do not stay on campus and become "real" users. We never received any complaints about that.

And how does the assigning guest a role thing work? The changing of roles/permissions would result in a database change and a corresponding broadcast message to the cluster, so with the constant changing that generates unnecessary DB and network traffic.

I did create a role "campusGuest" which is assigned to the user (by extending AdvancedPermissionChecker) in addition to the guest role if he comes from a specific IP range (I add an attribute to the session indicating that the IP is in that range) so I there is no database change involved here.

If I had to solve this I would likely take a completely different path. Two different sites, one for off campus and one for on campus, each maintained separately. In apache httpd (or similar), directing traffic to one or the other site based on IP range. On top of this, I would have the on campus site inject a (semi-)permanent cookie that httpd would also use to pass user to on campus site. This gives you the ability to float from on campus outside of wifi but still see the on campus content and fix the bad UX issue.

A user with the role "guest" (not logged in) does only see the login and no further information.
A user with the role "campusGuest" (assigned by IP range) will see all our service descriptions (except some information dedicated only to our users) and can access our address book portlet.
A user that is logged in sees everthing, e.g. portlets which allows him to do more things like change his password.
Thus a different site for "campusGuest" users and "users" would mean to have an almost identical copy. That would mean I have a lot of web content on two sites with only some more on the "users" site.

To be honest: I never really liked my approach using an ext-plugin either (for obvious reasons) but in our case it seemed the best (easiest) solution. But I am really open for any (more) suggestions!