Restricted access to a part of the web


Hi! I'm a novice to EPiServer, and I'm trying to restrict access to a part of our web to logged-on users. It should work so that when you try to access a page or its siblings, you are directed to the login dialog.

I know the basics on how to enable a login dialog, but I believe I have not succeeded in specifying a path for this restricted area (from my web.config):

  <location path="No/Projects/Thenet/Thenet-closed">
    <system.web>
      <authorization>
        <allow users="netusr" />
        <allow roles="MyServer\WebEditors, MyServer\WebAdmins, Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

...it's this path="No/Projects/Thenet/Thenet-closed" that I assume I can't get right. (It's the page url, but you guessed that, I believe.)

Any hints would be helpful!




Aug 28, 2009 20:13
I might be misinterpreting your question, but if you want to limit access to a part of the page tree in EPiServer you should do it by setting the access rights to these pages in edit/admin mode of EPiServer, not in a configuration location.
Aug 29, 2009 7:51

The point is not hiding the page tree, but ensuring that only logged-in users (specified by <allow users="netusr" /> & <allow roles="MyServer\WebEditors, MyServer\WebAdmins, Administrators" /> in my example) gain access.

Also, that whenever you try to access a protected page, the login dialog pops up.

Regards, Bjørge.

Aug 31, 2009 9:07
Ah, OK! Then you should still restrict the access to the pages in EPiServer, but make sure that they show up in menus etc. anyway. You do that by changing how you filter pages by access when building menus, for example by setting the RequiredAccess property of a PageList control to NoAccess.
Aug 31, 2009 9:17
Yeah, just remove Everyone (has read access by default) from the access list of the node in question.
Aug 31, 2009 9:40

Thanks for your kind suggestions - but how it should work is:

- when someone tries to access a page on a protected branch, the login dialog pops up. For protecting edit/admin modes, this is done with entries in web.config. It's specified that EPiServer uses the ASP.NET model for access control, so I believe I should seek a solution there rather than modifying the routine for building menus.

I used web.config to specify that users need to be logged on to access our intranet. I just can't figure out how to specify the actual path in web.config to achieve the same kind of behaviour you get with EPiServer when accessing edit mode...

Any ideas on how to specify the path in this line, when the path is simply an EPiServer "page path" (the first "No" indicates "Norwegian"):

  <location path="No/Projects/Thenet/Thenet-closed">


Aug 31, 2009 9:53

I'm not sure the location method will work for episerver pages, because of the FURL, but I might be wrong. For the edit/admin mode it works because the URL is not rewritten by the FURL. Perhaps you can add a location for your templates, but this will not serve your purposes since a templates location isn't strictly tied to where it's used in the page hierarchy.

Still, I don't understand why you can't use the EPiServer access rights to restrict access (=require login) for a branch of the page tree. That is exactly what they are for. Just remove the access rights for the Everyone role on the "Thenet-closed" branch and the login will appear if a user tries to access these pages.

Aug 31, 2009 10:01
Well, in my site the pages simply disappear if you're not logged in (and no one is, as it's a web page without any visible login functionality). To use this method, you need to add a login control to the master page and require users to log in to see the pages in question. Or have I missed something?
Aug 31, 2009 10:54
By disappear I suppose you mean they're not displayed in menus and listings when viewing the page. That is because the default filter of most EPiServer controls is to not display any pages which the user does not have access to. This behaviour can be altered (see my previous post) to display all pages, which will cause the login page to appear if a user with insufficient access rights follows a link to a page.
Aug 31, 2009 10:57

OK, now I get it. Thank you very much!

Er, well, not that simple (quoting): "Just remove the access rights for the Everyone role on the "Thenet-closed" branch and the login will appear if a user tries to access these pages." Does the logon pop up if I get to display the page tree/menus also including restricted pages? Also, I need a different login box for this part of the web (different from the WebEditor login). How can I achieve that if not in web.config?

The source of my problems was that I interpreted what was said - that EPiServer 5.x uses ASP.NET authentication instead of a native mechanism. Well, it does for some kinds of pages, only not for the regular ones. It would be nice if someone had written that, too. I'm trying to learn both EPiServer and ASP.NET at the same time, and I really have a hard time knowing what is going on where...

Aug 31, 2009 11:07

I might be wrong - there might be a way to do this with locations.

The login appears when there is a call to get a page from the EPiServer page store (I don't know exactly at what level, so read this critically) causing a violation of access rights. It is possible to make calls ignoring access rights, which is what for example the PageList control will do if you tell it to. In the control templates you can then act on the PageData objects you get (display a property from the page for example) without causing violations. When a page is requested (link clicked etc.) however, the access rights will be checked, and the login will appear if the current user does not have sufficient access rights.

You can change the login page, but AFAIK there is no way to have several different login pages out of the box. If you really need it, you should be able to build a login page which displays differently depending on the requested URL.

Aug 31, 2009 11:16
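
One way to build the single login page that "displays differently depending on the requested URL", as an added example that is not part of the original thread or EPiServer's own code. It assumes forms authentication passes the requested URL in the ReturnUrl query parameter as the friendly URL and that the site runs at the root; LoginVariant, LoginVariantSelector and ClosedBranch are hypothetical names.

```csharp
using System;

// Added example; class, enum and constant names are hypothetical.
public enum LoginVariant { Default, ClosedArea }

public static class LoginVariantSelector
{
    // Assumption: the protected branch from the thread, site installed at "/".
    private const string ClosedBranch = "/No/Projects/Thenet/Thenet-closed";

    // Call from the login page, e.g. in Page_Load:
    //   LoginVariantSelector.FromReturnUrl(Request.QueryString["ReturnUrl"]);
    public static LoginVariant FromReturnUrl(string returnUrl)
    {
        string path = LocalPath(returnUrl);
        if (path == null)
            return LoginVariant.Default;

        // Match the branch itself or anything below it. Requiring the "/"
        // boundary keeps "/.../Thenet-closed-old" from matching.
        bool inBranch =
            path.Equals(ClosedBranch, StringComparison.OrdinalIgnoreCase) ||
            path.StartsWith(ClosedBranch + "/", StringComparison.OrdinalIgnoreCase);

        return inBranch ? LoginVariant.ClosedArea : LoginVariant.Default;
    }

    // Returns the path part of a site-relative URL, or null when the value is
    // missing or not site-relative. ReturnUrl is supplied by the client.
    private static string LocalPath(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/')
            return null;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\'))
            return null; // "//host" and "/\host" are not site-relative

        int cut = url.IndexOfAny(new[] { '?', '#' });
        string path = cut >= 0 ? url.Substring(0, cut) : url;
        return path.Length > 1 ? path.TrimEnd('/') : path;
    }
}
```

Because the client controls ReturnUrl, the result should only choose the login box's appearance and text; whether the user may read the page is still decided by the EPiServer access rights on the branch.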

Okay, thank you very much!

I'll have to choose between two models, then: Either create an explicit login page acting as a starting point for what's protected, or modify the page selection routine.

Guess I'll be going for the first one, as this may also solve the login box appearance & text issue (either by supplying a custom css or by creating a new page template derived from login.aspx).

Thanks again!

Regards, Bjørge

Aug 31, 2009 14:18