This document describes the authentication and authorization model in EPiServer CMS. The authentication and authorization system uses the default membership and role system as introduced in ASP.NET. For more details on the provider model, see the “Introduction to Membership” section at Microsoft MSDN.
Authentication and authorization is used by the system to identify users and user groups, and determining what they are allowed to do. These are some common terms used in this context:
- Authentication. The process of identifying a user. The usual way of doing this is with a username and a password.
- Authorization. The process of determining the specific actions a user is allowed to perform.
- Provider. A module that is called by ASP.NET to provide an underlying service.
- Membership provider. The module that handles authentication in the security model in ASP.NET.
- Role provider. The module that gives the base data for authorization in the new security model in ASP.NET.
- Personalization. The process of adapting a web page to a specific user. For example showing targeted ads or simply displaying the name of the user.
- Profile provider. The module that stores and retrieves personalized data in ASP.NET.
Membership and role provider model
The ASP.NET membership and role provider model used for authentication and authorization in EPiServer CMS has the following advantages:
- Conforming to a standard API. The provider model for membership and roles makes it possible to plug in a provider for any type of user database, even using third-party providers.
- Separation of authentication and authorization. Authentication and authorization are done in two separate operations, thereby increasing flexibility.
- Increased scalability. Since we call out to a provider it is possible to delegate security operations to a separate machine, which means that if you have to support millions of users, you can use any type of system suitable for that volume and call out to that system from EPiServer CMS.
- Support standard ASP.NET controls. By using the built-in provider model it is possible to use the built-in controls such as System.Web.UI.WebControls.Login and LoginView.
- Leverage existing knowledge and documentation. No need to relearn a new security system if you already know how to work with ASP.NET.
Configuring membership and role providers
Configuration of membership and role providers is done in web.config. If you change providers, you may have to revise the security settings (ACLs) for your entire site, since it is highly likely that user names and role names changes when you switch providers. When installing EPiServer CMS, the Windows Role and Membership provider will be default.
This is an example of the role and membership configuration section in web.config:
<roleManager enabled="true" defaultProvider="WindowsRoleProvider"> <providers> <clear /> <add name="MultiplexingRoleProvider" type="EPiServer.Security.MultiplexingRoleProvider, EPiServer" provider1="SqlServerRoleProvider" provider2="WindowsRoleProvider" providerMap1="SqlServermembershipProvider" providerMap2="WindowsMembershipProvider" /> <add name="WindowsRoleProvider" applicationName="EPiServerSample" type="EPiServer.Security.WindowsRoleProvider, EPiServer" /> <add name="SqlServerRoleProvider" connectionStringName="EPiServerDB" applicationName="EPiServerSample" type="System.Web.Security.SqlRoleProvider, System.Web, Version=126.96.36.199, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /> </providers> </roleManager> <membership defaultProvider="WindowsMembershipProvider" userIsOnlineTimeWindow="10"> <providers> <clear /> <add name="MultiplexingMembershipProvider" type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer" provider1="SqlServerMembershipProvider" provider2="WindowsMembershipProvider" /> <add name="WindowsMembershipProvider" type="EPiServer.Security.WindowsMembershipProvider, EPiServer" deletePrefix="BUILTIN\" /> <add name="SqlServerMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=188.8.131.52, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="EPiServerDB" requiresQuestionAndAnswer="false" applicationName="EPiServerSample" requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression="" /> </providers> </membership>
The <membership> section controls the membership provider to use. Note that even though there are three providers listed in the <providers> section, only one is active at this time, the WindowsMembershipProvider (controlled by the defaultProvider attribute of the <membership> tag). For example, the <add ...> lines for MultiplexingMembershipProvider and SqlServerMembershipProvider could be removed without affecting the functionality. There is one exception to this statement - if you have selected the MultiplexingMembershipProvider as the default provider, it will make use of additional providers as defined by the provider<n> attributes.
Similarily the <roleManager> section controls the role provider to use. The same basic principles of defaultProvider / Multiplexing provider as for membership applies here as well.
When you select the provider to use you are deciding which user database that EPiServer authenticates its users against. As previously stated it is possible to change the provider at any time but this may cause problems, forcing you to revise the security settings in EPiServer CMS.
Also note that the membership and role providers are configured separately, but a specific membership provider may require a certain role provider and vice versa. For the current set of providers you must have matching role and membership providers, for example, if you decide to use WindowsMembershipProvider you must use the WindowsRoleProvider.
Administering security and access rights
When you administer access rights to pages in EPiServer you will use some distinct components that are tied very loosely together. This will cause the UI to show information that may appear confusing. The components are as follows:
- Users (delivered by the current membership provider).
- Roles (delivered by the current role provider and the virtual roles).
- Access control lists (ACLs).
An ACL is simply a list of SecurityEntities and an access level. The security entity is a name and information stating if the name represents a role or a user. Once you have a security entity in an ACL, it will not be affected by changes in the membership or role provider. One aspect of this is that when you delete a role and then look at an ACL that had an access entry for this role, the role will still be displayed in the ACL.
Membership providers have APIs for creating, editing and deleting users, but not all providers support updates of the user database. The SQL membership provider allows you to modify the user database, but the Windows membership provider does not. This will be reflected in the UI when you browse users.
Note that if you are using the Multiplexing membership provider and want to create users, then the first provider in the multiplexing list (provider1) must support it. The same applies for role providers.
Recommended access rights settings
Refer to EPiServer CMS Administrator User Guide for information about recommended access rights settings.
Enterprise configuration issues
If you are running in an Enterprise configuration with multiple-site definitions, there are some security-related issues you should be aware of.
The membership and role provider definitions cannot be configured on a per-site basis. If you must have separate provider definitions for each site, you cannot share the web.config file. This is a restriction in the Microsoft implementation of ASP.NET and not in EPiServer CMS.
- Introduction to the Provider Model at Microsoft MSDN
- System.Web.UI.WebControls.Login UI web control at Microsoft MSDN
- System.Web.UI.WebControls.LoginView UI web control at Microsoft MSDN
- System.Web.HttpContext.Use at Microsoft MSDN
- Security Overview at Microsoft MSDN