Portal Engine Questions on portal engine and web parts.
Version 5.x > Portal Engine > Security Context on Kentico
Member
amarwadi-gmail - 12/22/2010 8:11:28 PM
   
Security Context on Kentico
Hello,
I am facing a situation that I am hoping can be answered here. Here is the scenario:

1. Our site uses Kentico Cms but only for the content pages.
2. We have a custom ASP.NET MVC site that is used for custom development.
3. The users of the site can log on to the site from a login form that is provided both as an inline control from Kentico and a user control on MVC. This is because the user may log in to the site either from the Kentico end or the custom site.
4. The login processing is completely custom and when the user is authenticated, we set an authorization cookie and allow the user to pass through.

Here is where the troubles begin:
1. If a user is registered as a Kentico Cms Content Manager or Administrator (or any Kentico account), when that person logs in to the Kentico Cms site, he/she is assumed to be logged in on the custom site. I believe this could be because we're just checking User.Identity.IsAuthenticated. It may be easier to rectify this situation by some additional checks.
2. The other scenario is pretty interesting: if a user is logged on using custom account credentials, the Kentico site assumes that the user is logged in when the user invokes the Cms Desk. This isn't a viable option because we now have all users of the site accessing the Cms Desk. The Cms Desk doesn't let the user view any pages because any effort to do so results in errors on the Cms Desk end, but the very fact that the user can access the Cms Desk itself is a big deal.

Is there a way to differentiate between these two logins? Can you provide me with any assistance on this?

Thanks,
Anup

Kentico Developer
kentico_ivanat - 12/28/2010 7:08:49 AM
   
RE:Security Context on Kentico
Hi,

if you would like to use custom credentials to authenticate a user in Kentico, you could use a custom security handler. This way the user will not have to access CMS Desk to be authenticated. If you are already using a custom security handler, could you please paste here the code you are using?

Best regards,
Ivana Tomanickova


Member
amarwadi-gmail - 1/4/2011 2:16:10 AM
   
RE:Security Context on Kentico
Hello,
Per the guidelines in the Custom Security Handler and the Event Handling Overview, we have implemented a custom security handler. For my tests I am just checking whether username/password are not empty and then assigning the properties. I still can't get to the Kentico Cms Desk after validation. Is there anything else that needs to be done? Something tells me the documentation is incomplete.


public override object OnAuthentication(object userInfo, string username, string password)
{
    // Kentico has already authenticated the user: return the user info unchanged
    if (userInfo != null)
    {
        return userInfo;
    }

    UserInfo usr = null;

    // Test stub: any non-empty username/password pair is accepted here
    if (!String.IsNullOrEmpty(username) && !String.IsNullOrEmpty(password))
    {
        // Build an external user with fixed test values
        usr = new UserInfo();
        usr.IsExternal = true;
        usr.UserName = "johndoe";
        usr.FullName = "John Doe";
        usr.Enabled = true;

        Hashtable rolesTable = new Hashtable();
        string siteName = CMSContext.CurrentSite.SiteName;
        // Assign user to the current site
        usr.SitesRoles[siteName.ToLower()] = rolesTable;
        // Add new role "external role" and assign it to the user
        rolesTable["external role"] = 1;
    }

    // null when either credential is empty
    return usr;
}

Kentico Developer
kentico_ivanat - 1/4/2011 3:05:30 AM
   
RE:Security Context on Kentico
Hi,

could you please add the following two lines to your code?

    usr.IsEditor = true;
    rolesTable["CMSEditor"] = 1;

To enable the user to access CMSDesk, this user has to be an editor. But this is not a sufficient condition, because he needs to have the appropriate UI permissions (for Content, Tools, ...). These permissions are granted, for example, by the role CMS Editor, but you could create another role that will grant the appropriate permissions.

Best regards,
Ivana Tomanickova

Member
amarwadi-gmail - 1/4/2011 4:24:34 AM
   
RE:Security Context on Kentico
Hello,
I have tried your suggestions and I still cannot access the CmsDesk.
Can you please elaborate on the exact procedure required to successfully implement this? All forum replies and documentation point to the same incomplete documentation.

Per my logic, the following needs to be done:
1. Write a Custom Security Handler that validates the user
2. Once user is validated, corresponding roles have to be set in the UserInfo object
--- I've done everything till here.
The site should redirect to the default page under the Cms Desk, but it pushes me back to the login page of Cms Desk again. There could be multiple reasons:

1. We may also need to persist this user in the Kentico DB with the given roles so that the DB knows that it is a global admin or a Content Editor etc. the next time the user logs in. (This is just a wild guess, but given that the role logic you mentioned isn't working, my only guess is that we'll probably store this user as an external user in the Kentico DB.)

2. I don't see a Forms authentication cookie being created on successful sign in. Is this taken care of by Kentico? If not, maybe this is the reason.

Awaiting your response.

Member
amarwadi-gmail - 1/4/2011 4:27:46 AM
   
RE:Security Context on Kentico
OK, I think setting the value for the roles to 0 solved the problem. Interesting.

Thank you for your guidance. I will post further questions if needed.
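
Added example (not code from the posters or from Kentico): the test handler in this thread accepts any non-empty credentials, and adding CMSEditor unconditionally would give every external account CMS Desk access, which is the problem raised in the first post. The sketch below grants the editor flag and role only to accounts the custom store marks as content staff. ExternalAccount, IExternalAccountStore and ExternalLoginMapper are hypothetical names, the Kentico 5.x namespaces are assumed, and the role value 0 follows the last post above.

```csharp
using System.Collections;
using CMS.SiteProvider;   // UserInfo (assumed Kentico 5.x namespace)

// Hypothetical record returned by the custom login logic after a successful check.
public class ExternalAccount
{
    public string UserName;
    public string FullName;
    public bool MayEditContent;   // true only for staff who need CMS Desk
}

// Hypothetical wrapper around the custom credential check; returns null on failure.
public interface IExternalAccountStore
{
    ExternalAccount Verify(string username, string password);
}

public static class ExternalLoginMapper
{
    // Builds the UserInfo that OnAuthentication returns. A null account
    // (failed credential check) yields null, so no user is created.
    public static UserInfo BuildUser(ExternalAccount account, string siteName)
    {
        if (account == null)
        {
            return null;
        }

        UserInfo usr = new UserInfo();
        usr.IsExternal = true;
        usr.UserName = account.UserName;
        usr.FullName = account.FullName;
        usr.Enabled = true;
        // Editor flag only for accounts explicitly marked as content staff
        usr.IsEditor = account.MayEditContent;

        Hashtable rolesTable = new Hashtable();
        usr.SitesRoles[siteName.ToLower()] = rolesTable;
        rolesTable["external role"] = 0;      // value 0 as reported in this thread
        if (account.MayEditContent)
        {
            rolesTable["CMSEditor"] = 0;      // CMS Desk UI permissions via this role
        }
        return usr;
    }
}

// Inside the handler's OnAuthentication, after the userInfo != null check
// ("store" is a hypothetical IExternalAccountStore field):
//   return ExternalLoginMapper.BuildUser(store.Verify(username, password),
//                                        CMSContext.CurrentSite.SiteName);
```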