Trouble creating an EpiServer website(s) with login capabilities against SqlServerMembershipProvider


I have been trying many things for a long time now and I was hoping someone had some ideas on how to help me solve this problem.

We have an EpiServer website (we will eventually have more than one) which we want users to be able to log into. We want to use EpiServer's out-of-the-box SqlServerMembershipProvider for managing users, roles and access.

There are a couple of caveats, though. We are writing our own Management website for managing users and roles. We need to do this because, in the system we are writing, there is no direct correlation between a user and roles but instead a correlation between a user's account and the roles. We plan on adding additional tables to the Membership database to accomplish this. For managing users and roles we are simply going to call the default membership provider's methods so it hooks into EpiServer.

As the code is written now, we can log in to the EpiServer endpoint with AD credentials and log in to our website using the members we create programmatically. There are a few problems, which I'll note below, but the most pressing one is that EpiServer is not adhering to the access rights we set up for the current user.

To start, we created our own Membership database and left the web.config the same. Here are the relevant parts of our web.config:


      
        
        
        
        
      
    
    
      
        
        
        
        
      
    

      
    

For troubleshooting, here is our RouteConfig class:

using System.Web.Mvc;
using System.Web.Routing;

public class RouteConfig
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
        routes.IgnoreRoute("favicon.ico");

        // Only matches when the controller segment is literally "Error" (route constraint).
        routes.MapRoute("ErrorRoute", "{controller}/{action}/{id}",
            new { controller = "Home", action = "Index", id = UrlParameter.Optional },
            new { controller = "Error" });

        // Catch-all MVC route; EpiServer's own content routes are registered separately.
        routes.MapRoute("DefaultRoute", "{controller}/{action}/{id}",
            new { controller = "Home", action = "Index", id = UrlParameter.Optional });
    }
}

We are protecting our MVC controllers with an Attribute class defined as below:

using System;
using System.Web.Mvc;
using System.Web.Routing;

using EPiServer.Security;

namespace SWF.Web.EpiServer.PortalDirect.Attributes
{
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
    public class PortalDirectAuthorizationAttribute : AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            if (!PrincipalInfo.CurrentPrincipal.Identity.IsAuthenticated)
            {
                // Anonymous user: send to the login page and remember the requested URL.
                filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary(new
                {
                    controller = "Login",
                    action = "Index",
                    returnUrl = filterContext.HttpContext.Request.Url.GetComponents(UriComponents.PathAndQuery, UriFormat.SafeUnescaped)
                }));
            }
            else
            {
                // Authenticated but not authorized (e.g. Roles/Users set on the attribute):
                // without this branch filterContext.Result stays null and the action still runs.
                base.HandleUnauthorizedRequest(filterContext);
            }
        }
    }
}

Our base controller, from which all of our other controllers derive from uses this attribute:

using EPiServer.Core;
using EPiServer.Web.Mvc;

[PortalDirectAuthorization]
public abstract class BaseController<T> : PageController<T> where T : PageData
{
}

Then, in our login controller we have the following actions:

using System;
using System.Web.Mvc;
using System.Web.Security;

using EPiServer.Core;
using EPiServer.Security;

// Type argument assumed: the post does not preserve which page type LoginController uses.
public class LoginController : BaseController<PageData>
{
    [HttpGet]
    [AllowAnonymous]
    public ActionResult Index(string returnUrl)
    {
        return View(new LoginViewModel());
    }

    [AllowAnonymous]
    public ActionResult Register()
    {
        return View();
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        try
        {
            if (!ModelState.IsValid) { return RedirectToAction("Index", "Login"); }

            // Validate against the membership provider configured in web.config.
            if (Membership.ValidateUser(model.EmailAddress, model.Password))
            {
                PrincipalInfo.CurrentPrincipal = PrincipalInfo.CreatePrincipal(model.EmailAddress);
                FormsAuthentication.SetAuthCookie(model.EmailAddress, false);

                // Only follow returnUrl when it is local, so the login form is not an open redirect.
                if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
                {
                    return Redirect(returnUrl);
                }

                return RedirectToAction("Index", "Home");
            }

            return View(model);
        }
        catch (Exception e)
        {
            TempData["error_information"] = LogError(e);
            return RedirectToAction("Index", "Login");
        }
    }
}

The above code allows us to:

  • Log into the EpiServer endpoint with an AD account
  • Log into the EpiServer web site with users set up in EpiServer (SqlServerMembershipProvider)

Issues:

For some reason, when we add the attribute to the base controller, this breaks routing. For example, we have a page called order-status but we can no longer get to it via /order-status. We can only browse to it via /orderstatus. Any ideas? We are somehow breaking Epi's out-of-the-box routing but we are not quite sure how to fix it.

The second issue is that EpiServer is not honoring access rights. We have a user called test@domain in EpiServer and have assigned it to a role called NoAccess.

For a page in our website, orderstatus, we stop inheriting permissions from the root and add the NoAccess role and then uncheck it. This should mean that the test user should not have access to the orderstatus page.

When we authenticate with the test user they can still access the page just fine.

This is all fairly new to us which is why I included the routing information. I am not sure if we are setting up any of this right. It would be great if someone could provide us guidance on how to accomplish this and have everything working as it should.

If there's anything else I can supply let me know.

Thanks,

Ken

#186846
Jan 05, 2018 15:40
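An added example, not code from Ken's post or from EpiServer itself: a variant of the authorization attribute that, besides requiring an authenticated user, checks the routed EpiServer page's access control list for the current principal, so a page on which a role's Read right has been unchecked is actually denied to members of that role. It assumes EpiServer CMS 7.5 or later (`GetRoutedData<T>` from `EPiServer.Web.Routing`, `IContentSecurable.GetContentSecurityDescriptor()` and `AccessLevel` from `EPiServer.Security`); the class name `PageAccessAuthorizeAttribute` and the `Login/Index` route are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

using EPiServer.Core;
using EPiServer.Security;
using EPiServer.Web.Routing;

namespace Example.Attributes
{
    // Added example (not from the original post). Requires an authenticated user and,
    // when the request was routed to an EpiServer page, the configured access level on
    // that page for the current principal.
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
    public class PageAccessAuthorizeAttribute : AuthorizeAttribute
    {
        // "Can view the page" is Read; a management page could demand Edit or Administer instead.
        public AccessLevel RequiredAccess { get; set; } = AccessLevel.Read;

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // Base check: authenticated, plus any Users/Roles declared on the attribute.
            if (!base.AuthorizeCore(httpContext))
            {
                return false;
            }

            // Resolve the content EpiServer routed this request to. A plain MVC route
            // (e.g. /Login/Index) carries no routed content, so there is no ACL to check.
            var page = httpContext.Request.RequestContext.GetRoutedData<PageData>();
            if (page == null)
            {
                return true;
            }

            // Evaluate the page's ACL (inherited or its own) against the user and the roles
            // the configured role provider attached to the principal.
            IPrincipal principal = httpContext.User;
            var descriptor = ((IContentSecurable)page).GetContentSecurityDescriptor();
            return descriptor.HasAccess(principal, RequiredAccess);
        }

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                // Anonymous: go to the login page and remember the requested URL.
                filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary(new
                {
                    controller = "Login",
                    action = "Index",
                    returnUrl = filterContext.HttpContext.Request.Url.GetComponents(UriComponents.PathAndQuery, UriFormat.SafeUnescaped)
                }));
            }
            else
            {
                // Authenticated but denied by the ACL: return 403 instead of the base 401,
                // because Forms authentication turns a 401 into another login redirect, which
                // loops for a user who is already logged in. Never leave Result null here.
                filterContext.Result = new HttpStatusCodeResult(403, "Access denied");
            }
        }
    }
}
```

Two checks worth doing before blaming the filter: the roles the ACL is evaluated against are whatever the role provider named in web.config returns for the forms principal, so a user signed in with `FormsAuthentication.SetAuthCookie` who is in NoAccess in a table the provider does not read will not be denied; and if the page is reached through a plain MVC route rather than an EpiServer content route, `GetRoutedData<PageData>()` returns null and no page ACL applies at all.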