Kentico CMS 6.0 Developer's Guide

Security

Security

 Previous topic Next topic Mail us feedback on this topic!  

Security

 Previous topic Next topic JavaScript is required for the print function Mail us feedback on this topic!  

Security debugging can be turned on and configured either by adjusting certain settings in Site Manager -> Settings -> System -> Debug, or by adding certain keys into the AppSettings section of your web.config file. The following table lists and explains these settings and keys:

 

Setting

Web.config key

Description

Enable security debug

CMSDebugSecurity

Enables security operation debugging and the Security tab in Site Manager -> Administration -> System -> Debug.

Display security debug on live site

CMSDebugSecurityLive

If enabled, security operation debug information is also displayed at the bottom of each live site page. This option requires security debugging to be enabled.

Debug security operations of UI pages

CMSDebugAllSecurity

If enabled, security checks performed by pages of the administration interface (CMS Desk and Site Manager) will also be included in the security debug. This option requires security debugging to be enabled.

Log security operations to file

CMSLogSecurity

If enabled, security debug log is saved into the logSecurity.log file in the ~\App_Data folder. This option does not require security debugging to be enabled.

Security debug log length

CMSDebugSecurityLogLength

Sets the maximum length of the security debug log on the Debug -> Security tab, i.e. the number of requests for which debug information is preserved and displayed on the tab. If empty, value of the Default log length setting (or the CMSDebugEverythingLogLength key) is used.

Display stack information

CMSDebugSecurityStack

If enabled, stack is tracked when debugging security and is displayed in the Context column. This information is only available in the debugging UI and on the live site, not in the debug log written into the logSecurity.log file.

 

devguide_clip1745

 

It may happen that you specify different configuration in the settings and in the web.config file. In such cases, boolean settings (true/false) need to be enabled at least in one place (in web.config or in settings) in order to be enabled, while log lengths specified in Site Manager -> Settings have higher priority than log lengths specified in the web.config.

 

Here is a list of the keys for easy copy&paste into your web.config:

 

<add key="CMSDebugSecurity" value="true" />
<add key="CMSDebugSecurityLive" value="true" />
<add key="CMSDebugAllSecurity" value="true" />
<add key="CMSLogSecurity" value="true" />

<add key="CMSDebugSecurityLogLength" value="10" />

<add key="CMSDebugSecurityStack" value="true" />

 

Security debugging can also be enabled using the general settings and keys.

 

User interface

 

On the Debug -> Security tab, you can see which security checks were recently performed on the site. This is particularly useful if you want to quickly find out why some user is not able to access some section of the UI or gets the Access denied page displayed.

 

Enabling the Show complete context check-box displays complete context (not only the topmost item) in the Context column. The log can be cleared using the Clear security log button.

 

devguide_clip0904