CMS12: Disallow access to CMS UI and Util on front servers (prem) for real.


Hi.

Having followed the instructions on https://docs.developers.optimizely.com/content-management-system/docs/decoupled-setup I still have some issues.

  1. Util (login UI) is still accessible, and I am getting some routing errors at initialization when I set an absolute URL to a different host.
  2. Logging in is possible.
  3. If you somehow could figure out the RootPath (I used a GUID for this), the CMS UI is not reachable (due to the access restrictions set as per the article mentioned earlier), but add-ons and Find are still accessible.
    1. Could I just remove the _Protected folder under modules, or do I have to cherry-pick removal of certain folders, such as Find, Visitorgroups and other add-ons I might have added?

Could I remove the login all together?

#331104
Oct 08, 2024 8:54

Hi Jonas,

If you want to prevent access to login, edit mode and admin mode completely, then I suggest another simple solution, as follows:

using System;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

// "PublicFront" is a custom setting; when it is missing the UI is blocked (fail closed).
var publicFront = configuration.GetValue<bool?>("PublicFront");
if (publicFront.GetValueOrDefault(true))
{
    // Registered early in the pipeline so it runs before routing and the CMS UI.
    app.Use(async (context, requestDelegate) =>
    {
        // Short-circuit the login UI and the CMS UI root (default "/episerver";
        // a custom RootPath needs its own entry here).
        if (context.Request.Path.StartsWithSegments("/util", StringComparison.OrdinalIgnoreCase)
        || context.Request.Path.StartsWithSegments("/episerver", StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
            await context.Response.WriteAsync("Forbidden: Access Denied");
            return;
        }
        await requestDelegate(context);
    });
}
#331173
Oct 09, 2024 10:59
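A fuller version of the same idea, added here as an example (it is not code from this thread or from Optimizely): the blocked prefixes are read from configuration so a custom RootPath, or any add-on or Find route you find still reachable, can be covered without a rebuild; the guard fails closed when the setting is missing; and it answers 404 so a public front server does not confirm that an editing UI exists. The configuration keys `PublicFront` and `BlockedUiPrefixes` are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

// Decides whether a request path belongs to the CMS UI surface that a public
// front server should not serve. Kept as a pure function so it can be unit-tested.
public static class FrontServerUiGuard
{
    // Prefixes that are always blocked on a front server. "/episerver" is the
    // default UI root; if RootPath was changed (e.g. to a GUID) that value is
    // not known here and must be supplied through configuration.
    public static readonly string[] DefaultPrefixes =
    {
        "/util",       // login UI and utility pages
        "/episerver",  // default CMS UI root
    };

    public static bool IsBlocked(PathString path, IEnumerable<string> prefixes) =>
        prefixes.Any(p => path.StartsWithSegments(p, StringComparison.OrdinalIgnoreCase));
}

public static class FrontServerUiGuardExtensions
{
    // Reads "PublicFront" (bool) and "BlockedUiPrefixes" (string[]) from configuration;
    // both keys are assumptions of this example. Fails closed: if PublicFront is
    // missing, the UI is blocked, so a forgotten setting cannot expose edit mode.
    public static IApplicationBuilder UseFrontServerUiGuard(this IApplicationBuilder app, IConfiguration configuration)
    {
        var publicFront = configuration.GetValue<bool?>("PublicFront") ?? true;
        if (!publicFront)
        {
            return app; // editorial server: leave the UI reachable
        }

        var configured = configuration.GetSection("BlockedUiPrefixes").Get<string[]>() ?? Array.Empty<string>();
        var prefixes = FrontServerUiGuard.DefaultPrefixes.Concat(configured).ToArray();

        return app.Use(async (context, next) =>
        {
            if (FrontServerUiGuard.IsBlocked(context.Request.Path, prefixes))
            {
                // 404 instead of 403: a public site has no reason to confirm that
                // an editing UI exists at this path, and the response body stays empty.
                context.Response.StatusCode = (int)HttpStatusCode.NotFound;
                return;
            }
            await next(context);
        });
    }
}

// Program.cs usage (Optimizely service and middleware registration omitted):
//
//   var app = builder.Build();
//   app.UseFrontServerUiGuard(app.Configuration);   // early, before routing and authentication
//
// appsettings.json on the front server (constructed example):
//   "PublicFront": true,
//   "BlockedUiPrefixes": [ "/<your-custom-RootPath>" ]
```

Register the guard before routing and authentication so the block applies to every caller, including users who already hold an editor cookie from another host; the decision is made on the path alone, which is what you want on a server that should never serve the UI at all.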
Jonas Boman - Oct 09, 2024 11:08
Good suggestion, thanks.