Kentico CMS 5: Fundamentals of Site Security

by Thom Robbins | October 2010

In this article, by Thom Robbins, author of Kentico CMS 5 Website Development, we shall cover:

  • Understand the principles of site security
  • Develop security roles to manage our site
  • Develop secure web pages and areas for specific security roles

 


Fundamentals of site security

I don't think anyone can dispute that security management is an essential part of our daily routine. We need to make sure that we protect customer data and guard the site from any unwanted intruders. Security management is the process that we use to decide who has access to the site, what areas they are able to see, and what documents they can view and interact with. Kentico CMS security is managed using the:

  • Site Manager Administration tab to edit system-wide data
  • CMS Desk Administration tab to edit data related to a specific website

The security model that we use to maintain and administer the system is based on the following:

  • Users — This is an individual user who is assigned a system account.
  • Roles — Security groups that contain users. Because a user can belong to multiple roles, their permissions are calculated as a sum of all permissions granted to all roles they belong to.
  • Document permissions — Document permissions are granted to both users and roles. At runtime, document permissions are calculated as a sum of all permissions granted to the user and their assigned roles.
  • UI personalization — UI personalization is used to remove specific portions of the user interface.

Don't forget!
Security permissions are calculated at runtime. These are a combination of global settings and individual website settings. It's important to remember that if the user or any of their roles are denied access to a resource, they are always denied access to that resource, even if one of their roles is allowed access.

Time for action – creating a new role

Now, let's create a new role and assign it to a user using these steps:

  1. In CMS Site Manager, select the Administration tab, Roles, and New role, as shown in the following screenshot:

What roles are there?
Roles are one of the easiest ways to apply security to your users. The system contains a variety of pre-defined roles that are available in the Roles menu item, as shown in the previous screenshot.

  2. In the New role dialog, enter the following information and select OK.

  3. Select the Add users tab, as shown in the following screenshot:

  4. Select the user Joe Brown from the list and select OK, as shown in the following screenshot:

Have a go hero – mapping roles

As we just saw, the system contains a default set of pre-defined user roles that can be found in Site Manager, the Administration tab, and Roles. Spend some time studying the roles contained in the Site Manager Administration Roles and understand how they fit into your website security model. Once that is completed, put together a proposal that defines any additions or changes that may be needed.

What just happened?

When you clicked the New role button, you first identified the name of the role used across all system management areas. Once the role was created, you then added the user Joe Brown to the role.

Time for action – adding a user to another role

Users can belong to multiple roles within the system. Let's add our user Joe Brown to another role using the CMS Desk interface using these steps:

  1. Log in to CMS Desk as Global Administrator, select the Administration tab, click Users, and select the manage user roles icon, as shown in the following screenshot:

  2. Select CMS Basic users, click the move right (>) button and select Close, as shown in the following screenshot:

  3. Select the edit user icon, as shown in the following screenshot:

  4. Select the General tab, uncheck the Is global administrator box, and select OK, as shown in the following screenshot:

Why are we doing this?
If Joe is a Global Administrator, he will automatically have access to all system resources.

  5. Select the Log in as this user link, as shown in the following screenshot:

  6. Select OK to change the user prompt, as shown in the following screenshot:

  7. Verify that you are logged in as the User: Joe Brown, as shown in the following screenshot:


What just happened?

Within CMS Desk, when you edit a user, they can also be added to roles. Many times, you will want to see what the experience of that user will be within the system. You did this when you selected Log in as this user. It allowed you to assume the identity of the user and log in to the system.

Time for action – creating role-based content

Roles are important not only for system maintenance; they can also be used to present specific information to specific users. Every web part can be configured to display only to selected roles.

Now, let's restrict the tree menu web part on the Services page so that it is displayed only to the CMS Basic users role, using the following steps:

  1. Log in to the live site as Joe Brown and select the Services menu item, as shown in the following screenshot:
  2. Log in to CMS Desk as the Global Administrator, select the Content tab, Services page, Design tab, and within the LeftTreeMenu web part, select the configure icon, as shown in the following screenshot:

  3. In the Web part properties (Tree menu) dialog, select Display to Roles and click the Add roles button.
  4. Select the CMS Basic users role and select OK, as shown in the following screenshot:

  5. Select OK, as shown in the following screenshot:
  6. Open a new browser, go to the live site, select the Services page, and validate that the tree menu web part is not available, as shown in the following screenshot:

  7. Open a new browser, log in to the live site as Joe, select the Services page, and validate that the tree menu is shown as seen in the following screenshot:

Time for action – display a customized product list

Customizing the display of content to a user is a combination of web part and document settings. When the user is not authenticated, the system automatically uses a special user called Public Anonymous User (public).

In this example, we will make a product document available to the CMS Basic user role, and at the same time, make it unavailable to anonymous users using these steps:

  1. Open up the live site and select Products and Cell phones, as shown in the following screenshot:

  2. As Global Administrator, log in to CMS Desk, select the Content tab, Corporate Site page, Properties tab, select Security, and Add users, as shown in the following screenshot:
  3. Select the Public Anonymous User (public) and select OK, as shown in the following screenshot:

  4. Select the Allow Read access checkbox, click OK, and select Add roles, as shown in the following screenshot:

  5. Select the CMS Basic users and click OK.
  6. Select CMS Basic users, check the Allow Read access checkbox, and click OK, as shown in the following screenshot:

  7. On the Content tree, select the Products page | Cell Phones | Nokia N73, and then select the Public Anonymous User (public). In the Read Access rights, select Deny, and then select OK, as shown in the following screenshot:

  8. On the Content tab, select Cell Phones, Design tab, and in the ProductDataList web part, select Configure.
  9. In the Web part properties (Datalist), select the System Settings tab, select Check permissions, and OK.
  10. Open a new browser window to the live site and select Products, Cell Phones. Notice that we no longer see the Nokia N73 phone, as shown in the following screenshot:

Who are we now?
We are currently logged in as the Public Anonymous User (public).

  11. Log in to the site as Joe Brown, select the Products menu item, Cell phones menu item, and notice that we see both cell phones.


What just happened?

When you applied security at the site root, it was also applied across the entire site through inheritance. This gave Read access to the Public Anonymous User (public) and to the CMS Basic users role. However, to restrict access at the page level, we had to change the Nokia N73 document security to Deny Read access for the Public Anonymous User (public). Then you enabled Check permissions on the ProductDataList web part so that it respects document security when listing products. Once these steps were completed, the personalization was in place: Joe, as a member of the CMS Basic users role, sees both phones, while anonymous visitors no longer see the Nokia N73.

When setting document level permissions, you have the following choices:

  • Full Control — Perform all operations with the document
  • Read — Read document content
  • Modify — Modify document content
  • Create — Create new child documents
  • Delete — Remove the document from the content tree
  • Destroy — Destroy this document and all history
  • Browse tree — See any documents that exist below the parent document
  • Modify permissions — Change this document and any inherited permissions

Permissions setting tip
It's important to make sure that you continually review the permission set for your users. Improperly setting permissions can allow the wrong users to update or even delete entire sections of site content.
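The permission rules described above (a user's rights are the union of their own and all of their roles' rights, an explicit Deny wins over any Allow, document permissions inherit from the site root, and a data list web part with Check permissions on filters out documents the current user cannot read) can be modelled in a few lines. This is an added Python illustration, not Kentico's API or code from the book; the `Document` class, the `has_permission` and `visible_documents` functions, the ACL layout, and the second phone's name are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

ALLOW, DENY = "Allow", "Deny"


@dataclass
class Document:
    """A node in the content tree; acl maps principal -> {permission: Allow|Deny}."""
    name: str
    parent: Optional["Document"] = None
    acl: dict = field(default_factory=dict)


def decisions_for(doc, principals, permission):
    """Collect every Allow/Deny for the permission granted to the user or any of
    their roles on this document and, via inheritance, on all of its ancestors."""
    found = []
    node = doc
    while node is not None:
        for p in principals:
            verdict = node.acl.get(p, {}).get(permission)
            if verdict is not None:
                found.append(verdict)
        node = node.parent
    return found


def has_permission(user, roles, doc, permission):
    """Effective right is the union over the user and all roles; one Deny wins."""
    found = decisions_for(doc, [user, *roles], permission)
    return DENY not in found and ALLOW in found


def visible_documents(user, roles, docs, check_permissions=True):
    """Model of a data list web part: with Check permissions on, documents the
    current user cannot Read are dropped; with it off, every document is listed."""
    if not check_permissions:
        return [d.name for d in docs]
    return [d.name for d in docs if has_permission(user, roles, d, "Read")]


# Constructed content tree following the article's product-list walkthrough.
ROOT = Document("Corporate Site", acl={"public": {"Read": ALLOW},
                                       "CMS Basic users": {"Read": ALLOW}})
CELL_PHONES = Document("Cell Phones", Document("Products", ROOT))
NOKIA_N73 = Document("Nokia N73", CELL_PHONES, acl={"public": {"Read": DENY}})
OTHER_PHONE = Document("Second phone", CELL_PHONES)  # placeholder; the article does not name it
PHONES = [NOKIA_N73, OTHER_PHONE]
```

`visible_documents("public", [], PHONES)` returns only the second phone, while Joe Brown, as a CMS Basic user, sees both; turning `check_permissions` off reproduces the state before step 9, where the anonymous user still saw the Nokia N73.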

Time for action – creating secure pages

Many times, we need to create special or secured areas for authenticated users. When a non-authenticated user comes to the secured section, they are redirected to the logon page specified for the site.

Now let's secure the Products section of our site using the following steps:

  1. In CMS Desk, select the Content tab, select the Products page, select the Properties tab, and then select the Security tab, as shown in the following screenshot:
  2. Select Yes in the Requires authentication radio buttons and select OK, as shown in the following screenshot:

Don't forget!
Any pages in the content tree that inherit the settings of this page will also require authentication.

  3. Log in to CMS Site Manager, select the Settings tab, then Security. From the Site drop-down list, select Corporate Site, and validate that the Website logon page URL contains ~/SpecialPages/logon.aspx, as shown in the following screenshot:
  4. Open a new browser, go to the live site, and then select Products from the menu.

What just happened?

When you set Requires authentication to Yes, any request for a page in that section by a non-authenticated user was redirected to your authentication page. The authentication process can use either the built-in form or a custom form. In this example, we are using the built-in form, which requires the user to provide the credentials defined for them on the site.

What's the difference between authentication and authorization?
Authentication verifies who the user is. Authorization verifies what resources the user is allowed or authorized to access. While the words sound similar, it's important to understand the difference. Users must be both authenticated and authorized within the system.

Summary

In this article, we covered:

  • Understand the principles of site security
  • Develop security roles to manage our site
  • Develop secure web pages and areas for specific security roles

About the Author


Thom Robbins

Thom Robbins is the Web Evangelist for Kentico Software LLC. He is responsible for evangelizing Kentico CMS for ASP.NET with web developers, web designers and interactive agencies.

Prior to Kentico, Mr. Robbins joined Microsoft Corporation in 2000 and served in a number of executive positions. Most recently, Mr. Robbins led the Developer Audience Marketing group that was responsible for increasing developer satisfaction with the Microsoft platform. Mr. Robbins also led the .NET Platform Product Management group responsible for customer adoption and implementation of the .NET Framework and Visual Studio. Mr. Robbins was also a Principal Developer Evangelist working with developers across the world on implementing .NET-based solutions.

Thom currently lives in Seattle where he enjoys the great weather and spending time with his family. Thom can be reached at Thomasr@kentico.com.
