Security Overview - Sitecore

Page Revision: Fri, Jul 27, 2012, 8:54 AM


Overview

By default, the Everyone role is granted Read access at the /sitecore root, so every item is visible to every visitor until you restrict it. This article outlines the fundamentals of restricting your website's pages to authorized users.

User Domain Setup

Assign a security domain to each site within your Sitecore installation via that site's site node in your web.config file.

Login Page

using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Login : System.Web.UI.UserControl
{
    protected void Page_Load(object sender, EventArgs e)
    {
        /*--- Set the navigation url for the Register hyperlink, carrying ReturnUrl along ---*/
        var registerHyperLink = (HyperLink)uxLogin.FindControl("RegisterHyperLink");
        registerHyperLink.NavigateUrl = "~/Register.aspx?ReturnUrl=" + HttpUtility.UrlEncode(Request.QueryString["ReturnUrl"]);

        uxLogin.RememberMeSet = false;

        if (!IsPostBack)
        {
            /*--- Restore the remembered username if the cookie is present ---*/
            var c = Request.Cookies["username"];

            if (c == null)
            {
                uxUsernameTextBox.Text = "";
            }
            else
            {
                uxUsernameTextBox.Text = c.Value;
                uxLogin.RememberMeSet = true;
            }
        }
    }

    protected TextBox uxUsernameTextBox { get { return uxLogin.FindControl("UserName") as TextBox; } }

    protected void uxLogin_LoggedIn(object sender, EventArgs e)
    {
        /*--- Inits: Sitecore appends the originally requested URL as "url" when Authentication.SaveRawUrl is true ---*/
        var url = Request.QueryString["url"];

        /*--- Remember/Forget Username (standard HttpCookie calls; HttpOnly keeps the cookie away from script) ---*/
        if (uxLogin.RememberMeSet)
        {
            var cookie = new HttpCookie("username", uxUsernameTextBox.Text)
            {
                Expires = DateTime.Now.AddDays(365),
                HttpOnly = true
            };
            Response.Cookies.Add(cookie);
        }
        else
        {
            // An expiry in the past tells the browser to discard the cookie
            Response.Cookies.Add(new HttpCookie("username") { Expires = DateTime.Now.AddDays(-1) });
        }

        /*--- Redirect to the originally requested page, or to the main page ---*/
        if (url == null)
        {
            Response.Redirect("~/"); // Main page for authenticated users
        }
        else
        {
            var url2 = Server.UrlDecode(url);
            // Only follow URLs within this site: an absolute or protocol-relative value
            // in the query string would let a crafted link send a freshly logged-in user elsewhere.
            Response.Redirect(IsLocalUrl(url2) ? url2 : "~/");
        }
    }

    /* Accepts only app-relative ("~/...") and root-relative ("/...") paths. */
    private static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.StartsWith("~/")) return true;
        // A single leading slash that is not followed by another '/' or by '\'
        return url[0] == '/' && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }

    /*  This field and the LoggingIn and LoginError event procedures place the user
        in the correct domain for the current site.  This way the user doesn't have
        to specify the domain, logging in (for example) as "johndoe" instead of
        "domain\johndoe". */

    private string _usernameEntered = string.Empty;

    protected void uxLogin_LoggingIn(object sender, LoginCancelEventArgs e)
    {
        var domainUser = Sitecore.Context.Domain.GetFullName(uxLogin.UserName);

        if (System.Web.Security.Membership.GetUser(domainUser) != null)
        {
            _usernameEntered = uxLogin.UserName;
            uxLogin.UserName = domainUser;
        }
    }

    protected void uxLogin_LoginError(object sender, EventArgs e)
    {
        /* Put back what the user typed so the login form does not show the domain-prefixed name */
        uxLogin.UserName = _usernameEntered;
    }
}

Registration Page

using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

/* Code-behind for Register.aspx; the class name is assumed here to match that page. */
public partial class Register : System.Web.UI.UserControl
{
    private string _usernameEntered = string.Empty;

    protected void uxCreateUserWizard_CreatingUser(object sender, LoginCancelEventArgs e)
    {
        /*  Prefix what the user typed for a username with the domain for the current site.
            Retain what the user typed in case the registration fails. */
        var domainUser = Sitecore.Context.Domain.GetFullName(uxCreateUserWizard.UserName);
        _usernameEntered = uxCreateUserWizard.UserName;
        uxCreateUserWizard.UserName = domainUser;
    }

    protected void uxCreateUserWizard_CreateUserError(object sender, CreateUserErrorEventArgs e)
    {
        /* Restore what the user typed */
        uxCreateUserWizard.UserName = _usernameEntered;

        /* Show a readable message in the ErrorMessage literal of the CreateUserStep template */
        var errorLabel = (Literal)uxCreateUserWizard.CreateUserStep
            .ContentTemplateContainer.FindControl("ErrorMessage");

        if (e.CreateUserError != MembershipCreateStatus.Success)
        {
            var ex = new MembershipCreateUserException(e.CreateUserError);

            // Compare the enum value directly rather than its string form
            if (e.CreateUserError == MembershipCreateStatus.InvalidPassword)
            {
                errorLabel.Text = "The password supplied is invalid. Passwords must conform to the password strength requirements.";
            }
            else
            {
                errorLabel.Text = ex.Message;
            }
        }
    }
}

Anonymous User Setup Procedure

  • Deny Read access for extranet\Anonymous on the root content item of your site. An anonymous user is then unable to view any site content except what is explicitly allowed below.

  • Grant Read access for extranet\Anonymous on the public content pages, such as the following:
    • Password Recovery page
    • Help
    • Home
    • Privacy Statement
    • User Registration
    • Terms of Use

  • Grant Read access for extranet\Anonymous on whatever content items the public pages above require.

External User Setup Procedure

Sitecore Security Editor

  • Deny read access to Everyone either at /sitecore/Content or at the root folder of your site.

  • Grant read access to Everyone to public pages such as the home page, login page (if different), user registration, password recovery, and anything else a user needs access to before logging in.

Web.Config

  • Within the /configuration/sitecore/sites/site node for your site, set the loginPage attribute to the page users should be redirected to when they must log in. Set the requireLogin attribute to true only if EVERY page on the site (excluding the login page) requires the user to log in; otherwise set it to false.

  • Within /configuration/sitecore/settings/setting set Authentication.SaveRawUrl to true.
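The site node and setting described above, shown together as an added illustration (not a fragment from the original page). The site name, host name, paths, start item and login page path are placeholder values to be replaced with your own:

```xml
<configuration>
  <sitecore>
    <sites>
      <!-- Placeholder values: replace name, hostName, rootPath, startItem and loginPage with your own. -->
      <!-- domain: the security domain whose users log in to this site (see User Domain Setup above). -->
      <!-- loginPage: where an unauthenticated user is redirected when a requested item denies them Read. -->
      <!-- requireLogin="false": only items that deny extranet\Anonymous force a login. Use "true"
           only if every page except the login page requires an authenticated user. -->
      <site name="website"
            hostName="www.example.com"
            virtualFolder="/"
            physicalFolder="/"
            rootPath="/sitecore/content/MySite"
            startItem="/Home"
            database="web"
            domain="extranet"
            loginPage="/Login.aspx"
            requireLogin="false" />
    </sites>
    <settings>
      <!-- Appends the originally requested URL to the login page as the "url" query string
           parameter, so the login page code-behind can send the user back after login. -->
      <setting name="Authentication.SaveRawUrl" value="true" />
    </settings>
  </sitecore>
</configuration>
```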

Login Page Code-Behind

Add code to your login page that, once the user has logged in, reads the url query string parameter, decodes it, and redirects to that URL (see the Login Page code above).

Administrative User Setup Procedure

Role Manager

  • Create a new role called "sitecore\My Site Administrator".

  • Make this new role a member of the following built-in roles:
    • sitecore\Sitecore Client Users — this gives members permission to use the Sitecore admin site
    • sitecore\Sitecore Client Publishing — this gives members permission to publish content

Core Database Security Editor

  • Within the Core database, grant the new administrative role Read permission on the following items:
    • Core:/sitecore/content/Documents and Settings/All users/Start menu/Left/Content Editor — this causes the Content Editor to appear on the members menu
    • Core:/sitecore/content/Applications/Content Editor — this grants the user the right to execute the Content Editor application

Master Database Security Editor

  • Grant the new administrative role Write permission to static content pages, like Terms of Use, Privacy Statement, Help, etc. This will give members the permission to make changes to these "documents".

  • Grant the new administrative role Create Item and Create Descendants permission to content folders that hold a document repository. This will give members permission to create new documents on the site.

Except where noted, all contents Copyright © 1999-2024, Patrick Jasinski.