Implementing Sitecore Extranet login on a website

by aboo bolaky 30. July 2009 08:02

Here's the situation. You are about to implement a password protected area on your website. Let's assume that the general site structure looks like this

Pages below General and Products are accessible to everyone, whereas pages under Members should only be visible to authenticated (logged-in) members. I will first briefly outline the steps required to implement this using ASP.NET. Later on, I'll move on to its equivalent Sitecore solution.

Using ASP.NET

  • Implement Forms Authentication and set the login URL in the web.config.
  • Implement a Login control and decide where to store and retrieve login credentials (in the web.config or a database).
  • In the web.config, add a location path pointing to the Members folder (deny anonymous users, allow authenticated users).
  • That's about it really (as far as I remember).

In Sitecore, it's a different ball game.

In addition to adding the loginUrl to the forms authentication section (important if you use the LoginView control to show the login page), you will need to add the "loginPage" attribute to the site that is defined by your extranet domain (normally called "website").

	
<sites>
  .....
  <site name="website" virtualFolder="/" physicalFolder="/"
        loginPage="/General/Login.aspx"
        ....
</sites>

 

The loginPage attribute is not something new here. It has always been there (e.g. the shell website already has a loginPage set), but I did not know what its purpose was. Thanks to Chris Wojciech, I've discovered how to use this existing functionality in the web application.

The addition of the location path in the ASP.NET-only model is analogous to denying read access to the Members folder (and its descendants) in Sitecore.

 

Once you perform a site publish, you can see the effects straight away.

If you've already signed in, you will be able to view /Members/View My Account.aspx.

If you're an anonymous user and access /Members/View My Account.aspx, you will be presented with the default page that Sitecore serves when access is denied due to security privileges:

http://mywebapp/sitecore/service/noaccess.aspx?item=%2fmembers%2fview+my+account&user=extranet%5cAnonymous&site=website

 

Quick Fix:

The page served in this case is called noaccess.aspx. The good thing is that this can be altered by changing the value of the "NoAccessUrl" attribute in the web.config.

If we set "NoAccessUrl" to "/General/Login.aspx", we end up in this situation:

http://mywebapp/general/login.aspx?item=%2fmembers%2fview+my+account&user=extranet%5cAnonymous&site=website

 

Recommended Solution

The nag in the above quick fix is that Sitecore internally adds 3 query strings to the URL (item, user and site). If we compare this to the normal ASP.NET solution, we would have ended up with only 1 query string, which is the ReturnUrl. Our goal is to follow the ASP.NET solution as closely as possible. This is where Chris comes in.

Rolling out your own Security Resolver

Chris extended the HttpRequestProcessor class in order to intercept the request and check whether the user requesting the Sitecore item has appropriate rights. If that is not the case, the user is redirected to the login page, with the appropriate ReturnUrl query string. Please go check the code out on his blog at http://blog.wojciech.org/?p=64

The processor should then be plugged into the httpRequestBegin pipeline in the web.config, after the ItemResolver and LayoutResolver processors and before the ExecuteRequest processor.

 

<processor type="Sitecore.Pipelines.HttpRequest.ItemResolver, Sitecore.Kernel"/>
<processor type="Sitecore.Pipelines.HttpRequest.LayoutResolver, Sitecore.Kernel"/>
<processor type="MyWebApp.Pipelines.MyOwnSecurityResolver, MyWebApp"/>
<processor type="Sitecore.Pipelines.HttpRequest.ExecuteRequest, Sitecore.Kernel"/>
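One way to write such a processor, as an added example (it is not Chris's code and not part of the original post). It reuses the MyWebApp.Pipelines.MyOwnSecurityResolver type name from the configuration above and assumes the Sitecore.Kernel members Context.Item, Context.Site.LoginPage, Context.User.IsAuthenticated, HttpRequestArgs.PermissionDenied and WebUtil.Redirect.

```csharp
using System;
using System.Web;
using Sitecore;
using Sitecore.Diagnostics;
using Sitecore.Pipelines.HttpRequest;
using Sitecore.Web;

namespace MyWebApp.Pipelines
{
    // Added example: runs after ItemResolver/LayoutResolver and before ExecuteRequest.
    public class MyOwnSecurityResolver : HttpRequestProcessor
    {
        public override void Process(HttpRequestArgs args)
        {
            Assert.ArgumentNotNull(args, "args");

            // Act only when the item exists but the current user may not read it.
            // (A genuinely missing item leaves PermissionDenied false and gets the 404 page.)
            if (Context.Item != null || !args.PermissionDenied)
                return;

            // Without a loginPage on the <site>, fall through to Sitecore's NoAccessUrl.
            var site = Context.Site;
            if (site == null || string.IsNullOrEmpty(site.LoginPage))
                return;

            // A logged-in member who still lacks read access would only bounce
            // back to the login page, so leave that case to NoAccessUrl as well.
            if (Context.User != null && Context.User.IsAuthenticated)
                return;

            // Never redirect the login page to itself.
            HttpRequest request = HttpContext.Current.Request;
            if (request.Path.StartsWith(site.LoginPage, StringComparison.OrdinalIgnoreCase))
                return;

            // RawUrl is the path and query of the current request, so the value
            // handed to the login page is a path on this site, not an absolute URL.
            string returnUrl = HttpUtility.UrlEncode(request.RawUrl);
            WebUtil.Redirect(site.LoginPage + "?returnUrl=" + returnUrl);
        }
    }
}
```

Because the value is built from Request.RawUrl it is always a path on the same site; the login page should likewise accept only local paths before redirecting back to returnUrl.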

 

If you now try to access a protected page as an anonymous user, you'll end up on the login page, but this time the ReturnUrl parameter has replaced the 3 built-in Sitecore URL parameters:

http://mywebapp/general/login.aspx?returnUrl=/members/view%20my%20account.aspx

Result :)


