Tuesday, January 31, 2012

Sitecore Query and Fields

Came across a site which explains Sitecore query nicely, including which field types do and do not support it: http://sitecorener.com/en/Developers/ContentDisplay/SitecoreQueries/UsingSitecoreQuery.aspx

Wednesday, January 18, 2012

Securing content and media without authentication

I will explain the situation/setup first, the potential security breach and then the solution to resolve this.

The following is the setup that is required:

Sitecore
  Content
    Internet (Site root for public site)
      Page One
    Intranet (Site root for intranet site)
      Secured Page One
  Media Library
    Internet (Media folder for public site)
      Media One
    Intranet (Media folder for intranet site)
      Secured Media One

Let's say we have the following domains for their respective sites:
1. Internet site domain - http://internetWebsite.com, which is public.
2. Intranet site domain - http://intranetPortal.com. The client does not want to use authentication because everyone on their network needs access to the intranet without logging in. Hence IP restriction was the only security measure put in place.

If you are familiar with the way URLs are constructed to access pages within Sitecore, you will know the following scenarios.

1. http://internetWebsite.com/Page One.aspx - this is used to access Internet content once the site definition for the Internet site has been set up.
2. http://internetWebsite.com/sitecore/content/internet/page one.aspx - this is also a valid URL, where the full content path is appended after the domain.
3. http://internetWebsite.com/~/media/internet/media one.ashx - the media URL, where the media library path follows ~/media/.

From the above scenarios, anyone with Sitecore knowledge coupled with familiarity with the site's content structure can access content which is secured by means other than Sitecore security, in this case by IP restriction. There are two potential security breaches here.

First - accessing a secured page.
Without tweaking Sitecore, the following URL can be used to access intranet content:

http://internetWebsite.com/sitecore/content/intranet/secured page one.aspx

There are two steps to fix the first issue:
1. Add a custom pipeline processor at the end of <httpRequestBegin>.
2. Create a class for the custom pipeline processor. The following is the code I have:

using System;
using Sitecore;
using Sitecore.Pipelines.HttpRequest;
public class DisableAbsolutePath : HttpRequestProcessor
{
    public override void Process(HttpRequestArgs args)
    {
        var rawUrl = args.Context.Request.RawUrl;
        var isAuthenticated = Context.User.IsAuthenticated;
        // Case-insensitive match: Sitecore paths are not case-sensitive, so "/Sitecore/Content/" must be caught too.
        var isAbsolutePath = rawUrl.IndexOf("/sitecore/content/", StringComparison.OrdinalIgnoreCase) >= 0;
        if (isAbsolutePath && !isAuthenticated)
        {
            // Return 404 and end the response, so the already-resolved item is not rendered into the body.
            args.Context.Response.StatusCode = 404;
            args.AbortPipeline();
            args.Context.Response.End();
        }
    }
}

The logic is pretty simple: first I check whether the URL contains "/sitecore/content/", then whether the user is authenticated. If the URL contains that path and the user is not authenticated, I return a 404 status code. The reason I also check authentication is that I want to preserve the default Sitecore behaviour as much as possible (for example for logged-in editors).
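For step 1, registering the processor, here is an added example of a Sitecore include patch (my example, not the original post's configuration). The namespace and assembly name (MySite.Pipelines, MySite) are placeholders and must match wherever the DisableAbsolutePath class actually lives.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example patch, not from the original post. Place it in App_Config/Include/.
     "MySite.Pipelines.DisableAbsolutePath, MySite" is a placeholder type reference. -->
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <pipelines>
      <httpRequestBegin>
        <!-- Insert after ExecuteRequest, i.e. at the end of httpRequestBegin, so the
             standard resolvers have already run and default behaviour is preserved. -->
        <processor type="MySite.Pipelines.DisableAbsolutePath, MySite"
                   patch:after="processor[@type='Sitecore.Pipelines.HttpRequest.ExecuteRequest, Sitecore.Kernel']" />
      </httpRequestBegin>
    </pipelines>
  </sitecore>
</configuration>
```

After deploying, request http://internetWebsite.com/sitecore/content/intranet/secured page one.aspx anonymously and confirm a 404 status with no intranet content in the body; a logged-in editor should still see the page.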

Second - accessing the media library.
The following URL can be used to access restricted media:
http://internetWebsite.com/~/media/intranet/secured media one.ashx

There are a few ways to solve this issue:
1. Create a custom pipeline processor. *Note: the pipeline that handles media requests is not the same as the one for pages.
2. Through Sitecore security and a custom domain.

We took the second approach as it is more configurable within the CMS, and we can extend it in the future if the client decides to implement authentication.

1. Create a new domain called "Intranet". The setup is done via domain.config, found in app_config/include/security/domain.config.
2. Create a role called "Intranet\Frontend User" and a user called "Intranet\Intranet User".
3. Apply a restriction on /sitecore/media library/intranet with the following setup.
4. In the layout.aspx.cs file, automatically log in the "Intranet User" like so:

using Sitecore.Security.Authentication;

// Log the anonymous visitor in as the intranet user so the access rights
// granted to that user on /sitecore/media library/intranet take effect.
if (!Sitecore.Context.User.IsAuthenticated)
    AuthenticationManager.Login(@"intranet\Intranet User");

Of course, this problem would not occur if authentication were put in place.