Page History: Security Overview - Sitecore

Compare Page Revisions

26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 Current 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0

« Older Revision - Back to Page History - Newer Revision »

Page Revision: Fri, Jul 27, 2012, 9:31 AM

Overview¶

By default the Everyone user is granted Read access at /sitecore root. This article outlines the fundamentals of securing your website's pages to authorized users.

User Domain Setup¶

Assign a domain to each site within your Sitecore installation by way of its site node within your web.config file.

Login Page¶

public partial class Login : System.Web.UI.UserControl
{
    protected void Page_Load(object sender, EventArgs e)
    {
        /*--- Set the navigation url for the Register hyperlink ---*/
        var registerHyperLink = (HyperLink)uxLogin.FindControl("RegisterHyperLink");
        registerHyperLink.NavigateUrl = "~/Register.aspx?ReturnUrl=" + HttpUtility.UrlEncode(Request.QueryString["ReturnUrl"]);

        uxLogin.RememberMeSet = false;

        if (!IsPostBack)
        {
            /*--- Restore remembered username(?) ---*/
            var c = Request.Cookies["username"];

            if (c == null)
            {
                uxUsernameTextBox.Text = "";
            }
            else
            {
                uxUsernameTextBox.Text = c.Value;
                uxLogin.RememberMeSet = true;
            }
        }
    }

    protected TextBox uxUsernameTextBox { get { return uxLogin.FindControl("UserName") as TextBox; } }

    protected void uxLogin_LoggedIn(object sender, EventArgs e)
    {
        /*--- Inits ---*/
        var url = Request.QueryString["url"];

        /*--- Remember/Forget Username ---*/
        if (uxLogin.RememberMeSet)
            Response.SetCookie("username", uxUsernameTextBox.Text, 365);
        else
            Response.DeleteCookie("username", Request);

        /*--- Redirect (?) ---*/
        if (url == null)
        {
            Response.Redirect("~/"); // Main page for authenticated users
        }
        else
        {
            var url2 = Server.UrlDecode(url);
            Response.Redirect(url2);
        }
    }

    /*  This field and the LoggingIn and LoginError event procedures place the user
        in the correct domain for the current site.  This way the user doesn't have
        to specify the domain, logging in (for example) as "johndoe" instead of
        "domain\johndoe". */

    private string _usernameEntered = string.Empty;

    protected void uxLogin_LoggingIn(object sender, LoginCancelEventArgs e)
    {
        var domainUser = Sitecore.Context.Domain.GetFullName(uxLogin.UserName);

        if (System.Web.Security.Membership.GetUser(domainUser) != null)
        {
            _usernameEntered = uxLogin.UserName;
            uxLogin.UserName = domainUser;
        }
    }
    protected void uxLogin_LoginError(object sender, EventArgs e)
    {
        uxLogin.UserName = _usernameEntered;
    }
}

Registration Page¶

private string _usernameEntered = string.Empty;

protected void uxCreateUserWizard_CreatingUser(object sender, EventArgs e)
{
    /*  Prefix what the user typed for a username with the domain for the current site. 
        Retain what the user typed in case the registration fails. */
    var domainUser = Sitecore.Context.Domain.GetFullName(uxCreateUserWizard.UserName);
    _usernameEntered = uxCreateUserWizard.UserName;
    uxCreateUserWizard.UserName = domainUser;
}

protected void uxCreateUserWizard_CreateUserError(object sender, CreateUserErrorEventArgs e)
{
    /* Restore what the user typed */
    uxCreateUserWizard.UserName = _usernameEntered;

    /* Other error-handling */
    Literal ErrorLabel = (Literal)uxCreateUserWizard.CreateUserStep
        .ContentTemplateContainer.FindControl("ErrorMessage");

    if (e.CreateUserError != MembershipCreateStatus.Success)
    {
        MembershipCreateUserException ex = new MembershipCreateUserException(e.CreateUserError);

        if (e.CreateUserError.ToString() == "InvalidPassword")
        {
            ErrorLabel.Text = "The password supplied is invalid. Passwords must conform to the password strength requirements.";
        }
        else
        {
            ErrorLabel.Text = ex.Message;
        }

    }
}

General User Access Setup Procedure¶

Web.Config¶

• Within the /configuration/sitecore/sites/site for your site, set the loginPage attribute to the page to be redirected to, and set the requireLogin attribute to true only if EVERY page on the site (excluding the login page) will require the user to login. Set it to false otherwise. (It is more common to be set to false.)
  

• Within /configuration/sitecore/settings/setting set Authentication.SaveRawUrl to true.
  

Sitecore Security Editor¶

• Deny read access to domain\Anonymous to the root content item for your site. This will deny an anonymous user permission to view any site content except what is explicitly allowed.
  

• Grant read access to domain\Anonymous to the public content pages, such as the following.
  • Password Recovery page
  • Help
  • Home
  • Privacy Statement
  • User Registration
  • Terms of Use
    

• Grant read access to domain\Anonymous to whatever content items are required by the above public pages.
  

Administrative User Access Setup Procedure¶

Company Administrator Role¶

• Create a new role called "sitecore\Company Administrator"
  

• Make the sitecore\Company Administrator role a member of the following built-in roles
  • sitecore\Sitecore Client Publishing — this gives members permission to publish content; it is a member of sitecore\Sitecore Client Users
  • sitecore\Sitecore Client Users (indirectly) — this gives members permission to use the Sitecore admin site.
    

• Within the Core database grant the sitecore\Company Administrator role Read permission to the following items
  • /sitecore/content/Documents and Settings/All users/Start menu/Left/Content Editor — this causes the Content Editor to appear on the members' menu
  • /sitecore/content/Documents and Settings/All users/Start menu/Left/Media Library — this causes the Media Library to appear in the members' menu
  • /sitecore/content/Documents and Settings/All users/Start menu/Left/Publish Site — this causes the Publish Site item to appear in the members' menu
  • /sitecore/content/Applications/Content Editor — this grants members the right to execute the Content Editor application
  • /sitecore/content/Applications/Content Editor/Ribbons/Chunks/Write — this causes the Write ribbon group (which contains the Save button) to appear in the members' ribbon
  • /sitecore/content/Applications/Content Editor/Ribbons/Chunks/Workflow Edit — this causes the Edit ribbon group (which contains the Edit/Check In button) to appear in the members' ribbon
    

Site Administrator Roles¶

• For each site in your Sitecore installation, create new role called "sitecore\My Site Administrator".
  

• Make the sitecore\My Site Administrator role a member of the sitecore\Company Administrator role.
  

• Within the Master database, grant the sitecore\My Site Administrator role the following permissions
  • Write permission to static content pages, like Terms of Use, Privacy Statement, Help, etc. This will give members the permission to make changes to these "documents".
  • Create Item and Create Descendants permission to content folders that hold a document repository. This will give members permission to create new documents on the site.