Can you add the users to a specific Visitor Group which has "Make this visitor group available when setting access rights for pages and files" enabled?
You can then restrict pages to this Visitor Group.
Here is the code for a Cookie Criterion:
using System.Security.Principal;
using EPiServer.Personalization.VisitorGroups;
using Microsoft.AspNetCore.Http;

/// <summary>
/// Cookie criteria
/// </summary>
[VisitorGroupCriterion(Category = "Custom Criteria", Description = "Matches the request to see if it contains a cookie the specified value", DisplayName = "Specific Cookie Value")]
public class CookieCriterion : CriterionBase<CookieModel>
{
    /// <summary>
    /// Invoked by the runtime to execute the criteria match
    /// </summary>
    /// <param name="principal"></param>
    /// <param name="httpContext"></param>
    /// <returns></returns>
    public override bool IsMatch(IPrincipal principal, HttpContext httpContext)
    {
        if (!httpContext.Request.Cookies.ContainsKey(Model.Name))
        {
            return false;
        }
        if (httpContext.Request.Cookies.TryGetValue(Model.Name, out var value))
        {
            return value == Model.Value;
        }
        return false;
    }
}

/// <summary>
/// Cookie criteria model
/// </summary>
public class CookieModel : CriterionModelBase
{
    /// <summary>
    /// Cookie name
    /// </summary>
    public string Name { get; set; }

    /// <summary>
    /// Cookie value
    /// </summary>
    public string Value { get; set; }

    /// <summary>
    /// Create shallow copy
    /// </summary>
    /// <returns></returns>
    public override ICriterionModel Copy()
    {
        return ShallowCopy();
    }
}
Thanks Minesh for your input.
This is also a good suggestion, using VG in Optimizely.
The issue is that the pages (behind login) already have the "Authenticated" virtual role assigned to all the pages/subpages which are restricted to logged-in users.
I could check in the cookie authentication claims/identity if the user is logged in and then add it to the current principal. The example below is from the old solution (ASP.NET 4.6):
// Code from Global.asax
if (profile.isValid)
{
    var identity = new GenericIdentity(profile.Id);
    var roles = new[] { "Everyone", "Authenticated" };
    var principal = new GenericPrincipal(identity, roles);
    httpContext.User = principal;
    PrincipalInfo.CurrentPrincipal = principal;
}
How can I do the same as above in .NET 6 (maybe custom middleware)?
The other idea could be to use the [Authorize] attribute on the controllers which require login, but then I have to add it to all the controllers (approx. 20), and by doing this I will also be removing flexibility from CMS editors of restricting pages by using the "Authenticated" virtual group.
To programmatically add a user to a role on successful login in Episerver, you can use the Membership.AddUserToRoles method from the System.Web.Security namespace. This method takes two arguments: the username of the user you want to add to the role, and an array of role names to which the user should be added.
Thanks for your input Anawilliam.
The users I am mentioning here are external users and they are authenticated by using our internal API. In our Optimizely solution we would have a dedicated self-service area/webpages for them,
e.g. https://localhost:5001/my/xxx
"my" and all subpages of the "my" page would have an "Authenticated" virtual group assigned to them. The Everyone virtual group wouldn't give access to these pages.
Now if I add a user to a group by using AddUserToRoles() it would be saved in the DB, while we want to check for every HTTP request that the user has a valid token and assign the role on the fly. Is that possible?
I saw someone posted to use the Application_AuthenticateRequest method of global.asax, but we are moving to .NET 6 and global.asax is no longer there.
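For the per-request check asked about above, one way to do it in ASP.NET Core is a cookie scheme whose OnValidatePrincipal event re-checks the stored token expiry on every request. This is an added example, not code from any poster in this thread or from Optimizely; the scheme name, claim type, login path and "Member" role are hypothetical. It assumes this scheme is the one that populates HttpContext.User and that the "Authenticated" virtual role matches any authenticated identity.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class MemberAuth
{
    // Hypothetical names chosen for this example (assumptions, not Optimizely identifiers).
    public const string Scheme = "MemberCookie";
    public const string ExpiresClaim = "member_token_exp";

    // Call from ConfigureServices. Assumption: this is the default authentication scheme.
    public static void AddMemberCookie(this IServiceCollection services) =>
        services.AddAuthentication(Scheme).AddCookie(Scheme, options =>
        {
            options.LoginPath = "/my/login";
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            // Runs on every request that carries the cookie: nothing is stored in the DB.
            options.Events.OnValidatePrincipal = async context =>
            {
                var raw = context.Principal?.FindFirst(ExpiresClaim)?.Value;
                var valid = long.TryParse(raw, out var exp)
                    && DateTimeOffset.FromUnixTimeSeconds(exp) > DateTimeOffset.UtcNow;
                if (!valid)
                {
                    context.RejectPrincipal();
                    await context.HttpContext.SignOutAsync(Scheme);
                }
            };
        });

    // Call only after the internal API has validated the credentials and returned the JWT.
    public static Task SignInMemberAsync(HttpContext http, string memberId, DateTimeOffset tokenExpiresUtc)
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, memberId),
            new Claim(ClaimTypes.Role, "Member"), // role carried in the cookie, assigned on the fly
            new Claim(ExpiresClaim, tokenExpiresUtc.ToUnixTimeSeconds().ToString()),
        };
        var identity = new ClaimsIdentity(claims, Scheme); // non-empty auth type => IsAuthenticated
        return http.SignInAsync(Scheme, new ClaimsPrincipal(identity),
            new AuthenticationProperties { ExpiresUtc = tokenExpiresUtc });
    }
}
```

The claims live inside the cookie ticket that ASP.NET Core data protection encrypts and signs, so unlike a raw cookie value compared in a visitor group criterion, the client cannot set them itself.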
Hi,
As we are migrating to Optimizely .NET 6, there is a requirement of restricting members' access (not Episerver admin or editor) to some of the pages/subpages. The member will use username and password for login, and our internal API will validate the user and return a JWT. We can save some of the claims in cookie authentication, and on future HTTP requests the cookie can be used for validating the user.
Is there a good article on how to do it in Optimizely?
I am thinking of using the virtual role "Authenticated":
https://docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/virtual-roles
But how can I programmatically add a user to that role on successful login?
Should I then add the "Authenticated" virtual role via the Episerver admin UI to every page which we want to restrict access to?
Any guideline would be appreciated.