The Episerver CMS authentication and authorization system uses the default membership and role provider model introduced in ASP.NET 2.0. For details about the provider model, see the Introduction to Membership section on Microsoft MSDN.
Authentication identifies users and the groups (roles) they belong to; authorization determines what those users and roles are allowed to do.
Because Episerver CMS uses the standard ASP.NET membership and role provider model, the user and role stores are pluggable: you select them by configuration, not by code, and any provider written against the ASP.NET provider interfaces can be used.
Configure membership and role providers in web.config. If you change providers, expect to revise the access rights (ACLs) for the entire site, because ACL entries refer to user and role names and those names are likely to differ between providers. When you install Episerver CMS, the Windows membership and role providers are the default.
The following example shows the role and membership configuration sections in web.config. The Version and PublicKeyToken values in the type attributes identify the System.Web assembly; use the values for the .NET Framework version your site targets. Note also that the providerMap1 and providerMap2 attributes of MultiplexingRoleProvider must name membership providers exactly as they are declared in the <membership> section:
<roleManager enabled="true" defaultProvider="WindowsRoleProvider">
  <providers>
    <clear />
    <add name="MultiplexingRoleProvider"
         type="EPiServer.Security.MultiplexingRoleProvider, EPiServer"
         provider1="SqlServerRoleProvider"
         provider2="WindowsRoleProvider"
         providerMap1="SqlServerMembershipProvider"
         providerMap2="WindowsMembershipProvider" />
    <add name="WindowsRoleProvider"
         applicationName="EPiServerSample"
         type="EPiServer.Security.WindowsRoleProvider, EPiServer" />
    <add name="SqlServerRoleProvider"
         connectionStringName="EPiServerDB"
         applicationName="EPiServerSample"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>
<membership defaultProvider="WindowsMembershipProvider" userIsOnlineTimeWindow="10">
  <providers>
    <clear />
    <add name="MultiplexingMembershipProvider"
         type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer"
         provider1="SqlServerMembershipProvider"
         provider2="WindowsMembershipProvider" />
    <add name="WindowsMembershipProvider"
         type="EPiServer.Security.WindowsMembershipProvider, EPiServer"
         deletePrefix="BUILTIN\" />
    <add name="SqlServerMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="EPiServerDB"
         requiresQuestionAndAnswer="false"
         applicationName="EPiServerSample"
         requiresUniqueEmail="true"
         passwordFormat="Hashed"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="7"
         minRequiredNonalphanumericCharacters="0"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression="" />
  </providers>
</membership>
The <membership> section selects the membership provider. Although three providers are listed under <providers>, only the one named by the defaultProvider attribute of the <membership> tag is active; in the example that is WindowsMembershipProvider. You could therefore remove the <add ...> entries for MultiplexingMembershipProvider and SqlServerMembershipProvider without changing behavior. The exception is when you select MultiplexingMembershipProvider as the default: it delegates to the providers named by its provider1, provider2, ... attributes, so those entries must stay. For the SQL provider, keep passwordFormat="Hashed" so that only salted hashes are stored; maxInvalidPasswordAttempts together with passwordAttemptWindow locks an account after five failed logins within ten minutes, which limits online password guessing against the SQL store.
The <roleManager> section selects the role provider in the same way: defaultProvider names the active provider, and MultiplexingRoleProvider delegates to the providers named by provider1, provider2, ... and uses providerMap1, providerMap2, ... to pair each role provider with the membership provider that owns the user being looked up.
When you select a provider, you decide which user database Episerver authenticates its users against. You can change the provider at any time, but because ACL entries are stored by user and role name, a change may force you to revise the access rights in Episerver CMS: entries for names that the new provider does not know become dead, and a role of the same name in the new provider silently inherits the access of the old one.
Note: The membership and role providers are configured separately, but a given membership provider may require a particular role provider and vice versa. With the current set of providers you must use matching role and membership providers. For example, if you use WindowsMembershipProvider you must use WindowsRoleProvider, and if you use MultiplexingMembershipProvider you must use MultiplexingRoleProvider with the providers listed in the same order.
When you administer access rights to pages in Episerver, you work with several distinct components that are only loosely coupled, which is why the UI sometimes shows information that looks inconsistent. The components are as follows:
An ACL is a list of entries, each pairing a security entity with an access level. A security entity is a name plus a flag stating whether the name represents a role or a user. Once a security entity is in an ACL it is stored by name and is not updated when the membership or role provider changes. One consequence is that when you delete a role and then look at an ACL that had an entry for it, the role is still displayed in the ACL; another is that a role of the same name created later, or provided by a different provider, matches that entry and receives its access.
Membership providers expose APIs for creating, editing and deleting users, but not every provider supports updates to its user store. The SQL membership provider lets you modify the user database; the Windows membership provider, which is backed by Windows accounts and groups, does not. The UI reflects this when you browse users.
If you use the Multiplexing membership provider and want to create users, the first provider in the multiplexing list (provider1) must support user creation; in the configuration above that is the SQL provider, which is why it is listed first. The same applies to role providers.
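The rules above for the multiplexing providers (lookups in provider order, user creation only through provider1, providerMapN pairing a role provider with a membership provider) and for ACLs (entries matched by name and left untouched when providers change) are easier to reason about in code. The following Python model is an added example and is not Episerver's code or API: the provider classes are simplified stand-ins for the ASP.NET providers, the provider names are those from the configuration above, all users, roles and ACL entries are constructed sample data, and orphaned_entries is a hypothetical audit that lists ACL entries the current providers can no longer resolve, which is the check to run after deleting roles or switching providers.

```python
"""Model of name-based user, role and ACL resolution (added illustration, not Episerver code).

Provider classes are simplified stand-ins for the ASP.NET membership and role
providers; every user, role and ACL entry is constructed sample data.
"""
from dataclasses import dataclass


class ReadOnlyProviderError(Exception):
    """Write attempted against a provider that cannot update its store."""


class MembershipProvider:
    """Named user store; the Windows provider is read-only, the SQL one is writable."""

    def __init__(self, name, users, writable):
        self.name, self.users, self.writable = name, set(users), writable

    def get_user(self, username):
        return username if username in self.users else None

    def create_user(self, username):
        if not self.writable:
            raise ReadOnlyProviderError(f"{self.name} cannot create users")
        self.users.add(username)


class RoleProvider:
    """Named role store: role name -> set of member user names."""

    def __init__(self, name, roles, writable):
        self.name, self.writable = name, writable
        self.roles = {role: set(members) for role, members in roles.items()}

    def role_exists(self, role):
        return role in self.roles

    def roles_for_user(self, username):
        return {r for r, members in self.roles.items() if username in members}

    def delete_role(self, role):
        if not self.writable:
            raise ReadOnlyProviderError(f"{self.name} cannot delete roles")
        del self.roles[role]


class MultiplexingMembershipProvider:
    """Delegates to its providers in provider1, provider2, ... order."""

    def __init__(self, *providers):
        self.providers = providers

    def owner_of(self, username):
        return next((p for p in self.providers if p.get_user(username)), None)

    def get_user(self, username):
        return username if self.owner_of(username) else None

    def create_user(self, username):
        self.providers[0].create_user(username)  # provider1 only, as the page states


class MultiplexingRoleProvider:
    """provider_map mirrors providerMapN: role provider name -> membership provider name."""

    def __init__(self, role_providers, provider_map, membership):
        self.role_providers, self.provider_map, self.membership = role_providers, provider_map, membership

    def role_exists(self, role):
        return any(rp.role_exists(role) for rp in self.role_providers)

    def roles_for_user(self, username):
        owner = self.membership.owner_of(username)  # which membership provider knows the user
        for rp in self.role_providers:
            if owner and self.provider_map[rp.name] == owner.name:
                return rp.roles_for_user(username)
        return set()


@dataclass(frozen=True)
class AccessControlEntry:
    name: str          # user or role name exactly as stored in the ACL
    entity_type: str   # "User" or "Role"
    access: frozenset  # rights granted, e.g. {"Read", "Edit"}


def effective_access(acl, username, roles):
    """Union of rights from entries naming the user or a role the user holds.
    Matching is by name only: the ACL does not know which provider a name came from."""
    held = roles.roles_for_user(username)
    granted = set()
    for ace in acl:
        if (ace.entity_type == "User" and ace.name == username) or \
           (ace.entity_type == "Role" and ace.name in held):
            granted |= ace.access
    return frozenset(granted)


def orphaned_entries(acl, membership, roles):
    """Hypothetical audit: ACL entries the current providers can no longer resolve."""
    return [ace for ace in acl
            if (ace.entity_type == "User" and membership.get_user(ace.name) is None)
            or (ace.entity_type == "Role" and not roles.role_exists(ace.name))]


def build_site():
    """Constructed sample: SQL store first (writable), Windows store second (read-only)."""
    sql_users = MembershipProvider("SqlServerMembershipProvider", {"editor1"}, writable=True)
    win_users = MembershipProvider("WindowsMembershipProvider", {"CORP\\alice"}, writable=False)
    sql_roles = RoleProvider("SqlServerRoleProvider", {"SiteEditors": {"editor1"}}, writable=True)
    win_roles = RoleProvider("WindowsRoleProvider", {"CORP\\Editors": {"CORP\\alice"}}, writable=False)
    membership = MultiplexingMembershipProvider(sql_users, win_users)
    roles = MultiplexingRoleProvider(
        [sql_roles, win_roles],
        {"SqlServerRoleProvider": "SqlServerMembershipProvider",
         "WindowsRoleProvider": "WindowsMembershipProvider"},
        membership)
    acl = [
        AccessControlEntry("SiteEditors", "Role", frozenset({"Read", "Edit"})),
        AccessControlEntry("CORP\\Editors", "Role", frozenset({"Read", "Edit", "Publish"})),
        AccessControlEntry("CORP\\alice", "User", frozenset({"Administer"})),
    ]
    return membership, roles, acl


if __name__ == "__main__":
    membership, roles, acl = build_site()
    membership.create_user("editor2")                    # lands in the SQL store (provider1)
    roles.role_providers[0].delete_role("SiteEditors")   # the ACL entry for it remains
    for ace in orphaned_entries(acl, membership, roles):
        print("orphaned ACL entry:", ace.entity_type, ace.name)
```

Running the model with the Windows provider as the only member of the multiplexing list makes create_user raise ReadOnlyProviderError, which is the situation described above. Deleting SiteEditors leaves its entry in the ACL, and if a provider later supplies a role with the same name, whoever that provider puts in it receives Read and Edit on the page without any ACL change; auditing for orphaned entries after provider changes is what catches that.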
See Episerver User Guide for information about recommended access rights settings.
If you run an Enterprise configuration with multiple site definitions, the membership and role provider definitions cannot be configured per site. If you need separate provider definitions for each site, the sites cannot share a web.config file. This is a restriction of Microsoft's ASP.NET implementation, not of Episerver CMS.
Last updated: Oct 27, 2016