Last updated: Oct 27 2016
Authentication and authorization
The Episerver CMS authentication and authorization system uses the default membership and role system as introduced in ASP.NET. For details about the provider model, see the Introduction to Membership section at Microsoft MSDN.
The system uses authentication and authorization to identify users and user groups, and to determine what they are allowed to do.
- Authentication. The process of identifying a user, usually with a username and a password.
- Authorization. The process of determining the specific actions a user is allowed to perform.
- Provider. A module that is called by ASP.NET to provide an underlying service.
- Membership provider. The module that handles authentication in the security model in ASP.NET.
- Role provider. The module that gives the base data for authorization in the new security model in ASP.NET.
- Personalization. The process of adapting a web page to a specific user, such as showing targeted ads or displaying the name of the user.
- Profile provider. The module that stores and retrieves personalized data in ASP.NET.
Membership and role provider model
The ASP.NET membership and role provider model used for authentication and authorization in Episerver CMS has the following advantages:
- Conforming to a standard API. The provider model for membership and roles lets you plug in a provider for any type of user database, even using third-party providers.
- Separation of authentication and authorization. Authentication and authorization occur in two separate operations, thereby increasing flexibility.
- Increased scalability. Because you call out to a provider, you can delegate security operations to a separate machine, so that if you have to support millions of users, you can use any type of system suitable for that volume and call out to that system from Episerver CMS.
- Support standard ASP.NET controls. By using the built-in provider model, you can use the built-in controls such as System.Web.UI.WebControls.Login and LoginView.
- Leverage existing knowledge and documentation. If you already know how to work with ASP.NET, you do not need to learn a new security system.
Configuring membership and role providers
Configure membership and role providers in web.config. If you change providers, you might need to revise the security settings (ACLs) for your entire site, because user names and role names are likely to change when you switch providers. When you install Episerver CMS, the Windows Role and Membership provider is the default.
The following example shows the role and membership configuration section in web.config:
    <roleManager enabled="true" defaultProvider="WindowsRoleProvider">
      <providers>
        <clear />
        <add name="MultiplexingRoleProvider"
             type="EPiServer.Security.MultiplexingRoleProvider, EPiServer"
             provider1="SqlServerRoleProvider"
             provider2="WindowsRoleProvider"
             providerMap1="SqlServermembershipProvider"
             providerMap2="WindowsMembershipProvider" />
        <add name="WindowsRoleProvider"
             applicationName="EPiServerSample"
             type="EPiServer.Security.WindowsRoleProvider, EPiServer" />
        <add name="SqlServerRoleProvider"
             connectionStringName="EPiServerDB"
             applicationName="EPiServerSample"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=18.104.22.168, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
    <membership defaultProvider="WindowsMembershipProvider" userIsOnlineTimeWindow="10">
      <providers>
        <clear />
        <add name="MultiplexingMembershipProvider"
             type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer"
             provider1="SqlServerMembershipProvider"
             provider2="WindowsMembershipProvider" />
        <add name="WindowsMembershipProvider"
             type="EPiServer.Security.WindowsMembershipProvider, EPiServer"
             deletePrefix="BUILTIN\" />
        <add name="SqlServerMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=22.214.171.124, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="EPiServerDB"
             requiresQuestionAndAnswer="false"
             applicationName="EPiServerSample"
             requiresUniqueEmail="true"
             passwordFormat="Hashed"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="0"
             passwordAttemptWindow="10"
             passwordStrengthRegularExpression="" />
      </providers>
    </membership>
The <membership> section controls the membership provider to use. Although three providers are listed in the <providers> section, only the WindowsMembershipProvider is active (controlled by the defaultProvider attribute of the <membership> tag). For example, you can remove the <add ...> lines for MultiplexingMembershipProvider and SqlServerMembershipProvider without affecting the functionality, unless you have selected the MultiplexingMembershipProvider as the default provider, which makes use of additional providers as defined by the provider<n> attributes.
The <roleManager> section controls the role provider to use. The same basic principles of defaultProvider and Multiplexing provider as for membership also apply.
When you select the provider to use, you decide which user database Episerver authenticates its users against. You can change the provider at any time, but this may force you to revise the security settings in Episerver CMS.
Note: The membership and role providers are configured separately, but a specific membership provider may require a certain role provider and vice versa. For the current set of providers you must have matching role and membership providers. For example, if you decide to use WindowsMembershipProvider you must use the WindowsRoleProvider.
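The matching rule in the note above can be checked mechanically before a web.config change is deployed. The following Python check is an added example, not Episerver code: it resolves the default provider in each section, follows the provider<n> attributes of a Multiplexing provider, and reports undefined or mismatched providers. The function names (family, active_chain, audit) and the classification of providers by class-name prefix are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on the page's configuration, trimmed for brevity.
# The defaults are deliberately mismatched: SQL membership with Windows roles.
SAMPLE = """<system.web>
 <roleManager enabled="true" defaultProvider="WindowsRoleProvider"><providers>
  <add name="MultiplexingRoleProvider" type="EPiServer.Security.MultiplexingRoleProvider, EPiServer"
       provider1="SqlServerRoleProvider" provider2="WindowsRoleProvider" />
  <add name="WindowsRoleProvider" type="EPiServer.Security.WindowsRoleProvider, EPiServer" />
  <add name="SqlServerRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web" />
 </providers></roleManager>
 <membership defaultProvider="SqlServerMembershipProvider"><providers>
  <add name="MultiplexingMembershipProvider" type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer"
       provider1="SqlServerMembershipProvider" provider2="WindowsMembershipProvider" />
  <add name="WindowsMembershipProvider" type="EPiServer.Security.WindowsMembershipProvider, EPiServer" />
  <add name="SqlServerMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web" />
 </providers></membership>
</system.web>"""

def family(add):
    """Classify a provider by its class-name prefix (a heuristic of this example)."""
    cls = add.get("type").split(",")[0].rsplit(".", 1)[-1]
    return next((f for f in ("Multiplexing", "Windows", "Sql") if cls.startswith(f)), cls)

def active_chain(section, findings):
    """Families of the default provider and of any provider<n> it delegates to."""
    defined = {a.get("name"): a for a in section.iter("add")}
    names = [section.get("defaultProvider")]
    default = defined.get(names[0])
    n = 1
    while default is not None and default.get(f"provider{n}"):
        names.append(default.get(f"provider{n}"))
        n += 1
    for name in names:
        if name not in defined:
            findings.append(f"{section.tag}: provider '{name}' is referenced but not defined")
    return [family(defined[x]) for x in names if x in defined]

def audit(web_config_xml):
    root = ET.fromstring(web_config_xml)
    findings = []
    member = active_chain(root.find(".//membership"), findings)
    role = active_chain(root.find(".//roleManager"), findings)
    if member != role:  # the page requires matching membership and role providers
        findings.append(f"membership uses {member} but roleManager uses {role}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Providers that are listed but not reachable from defaultProvider are ignored, which mirrors the page's point that only the default provider (and, for Multiplexing, its provider<n> entries) is active.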
Administering security and access rights
When you administer access rights to pages in Episerver, you work with several distinct components that are only loosely connected, which can make the information shown in the UI appear confusing. The components are as follows:
- Users (delivered by the current membership provider).
- Roles (delivered by the current role provider and the virtual roles).
- Access control lists (ACLs).
An ACL is simply a list of SecurityEntities and an access level. The security entity is a name and information stating if the name represents a role or a user. When you have a security entity in an ACL, it is not affected by changes in the membership or role provider. One aspect of this is that when you delete a role and then look at an ACL that had an access entry for this role, the role is still displayed in the ACL.
Membership providers have APIs for creating, editing and deleting users, but not all providers support updates of the user database. The SQL membership provider lets you modify the user database, but the Windows membership provider does not. This is reflected in the UI when you browse users.
If you are using the Multiplexing membership provider and want to create users, then the first provider in the multiplexing list (provider1) must support it. The same applies for role providers.
Recommended access rights settings
See Episerver User Guide for information about recommended access rights settings.
Enterprise configuration issues
If you are running in an Enterprise configuration with multiple-site definitions, the membership and role provider definitions cannot be configured on a per-site basis. If you must have separate provider definitions for each site, you cannot share the web.config file. This is a restriction in the Microsoft implementation of ASP.NET and not in EPiServer CMS.
- Introduction to the Provider Model at Microsoft MSDN
- System.Web.UI.WebControls.Login UI web control at Microsoft MSDN
- System.Web.UI.WebControls.LoginView UI web control at Microsoft MSDN
- System.Web.HttpContext.Use at Microsoft MSDN
- Security Overview at Microsoft MSDN
- Forms authentication