Kentico CMS 7.0 Developer's Guide

Secured website areas

Secured website areas

Previous topic Next topic Mail us feedback on this topic!  

Secured website areas

Previous topic Next topic JavaScript is required for the print function Mail us feedback on this topic!  

Kentico CMS allows you to easily create secured website areas that are accessible only by authenticated users. When an non-authenticated (public) user comes to the secured section, they are redirected to the logon page specified for the site at Site Manager -> Settings -> Security & Membership -> Website logon page URL.


You can mark any section of the website as a secured site area by setting Properties -> Security -> Requires authentication to:


Yes - page is secured, authentication is required to access it

No - authentication is not required to access the page

Inherits - value of the setting is required from the parent page




Configuration of a secured site area


This example explains how to secure the Products section of the sample Corporate Site.


1. Sign in as administrator to CMS Desk. Go to the Content section and click the Products document in the content tree.


2. Click Properties -> Security. Set the value of the Requires authentication attribute to Yes and click OK.


3. Go to Site Manager -> Settings -> Security & Membership and choose the Corporate Site site in the drop-down list. Make sure the Website logon page URL is set to ~/SpecialPages/Logon-page.aspx. This is the URL of the site's logon page. You can either use the system logon page ~/cmspages/logon.aspx or you can define your own as demonstrated on the sample Corporate Site.


4. Go to CMS Desk -> Content, click the Logon Page document under the Special Pages folder and select the Design tab. As you can see, the page is based on  the Corporate Site - Logon page page template that contains the Logon form web part and the Registration form web part.

5. Sign out and click Products in the main menu. You are redirected to the logon form:


6. Sign in as administrator and you will see the Products section.




Checking access to page content


Page content is not secured by default, even if the current user is has the Read permission denied for the given page. You need to configure this either by setting Check permissions to true in the Editable region web part properties (local configuration) or globally by setting the value in Site Manager -> Settings -> Security & Membership -> Check page permissions to one of the following values:


All pages - permissions will be checked for all documents on the website.

No page - permissions will not be checked for any documents.

Secured areas - permissions will be checked only for documents that are configured to require authentication.


If a user is not authorized to read a page, the Access denied page will be displayed to them. You can configure a custom access denied page by specifying its URL in the Site Manager -> Settings -> Security & Membership -> Access denied page URL field.