I might be misinterpreting your question, but if you want to limit access to a part of the page tree in EPiServer you should do it by setting the access rights to these pages in edit/admin mode of EPiServer, not in a configuration location.

The point is not hiding the page tree, but ensure only logged in users (specified by <allow users="netusr" /> & <allow roles="MyServer\WebEditors, MyServer\WebAdmins, Administrators" /> in my example) gain access.

Also, that whenever you try to access a proteted page, the login dialog pops up.

Regards, Bjørge.

Ah, OK! Then you should still restrict the access to the pages in EPiServer, but make sure that they show up in menus etc. anyway. You do that by changing how you filter pages by access when building menus, for example by setting the RequiredAccess property of a PageList control to NoAccess.

Yeah, just remove Everyone (has read access default) from the access list of the node in question.

Thanks for your kind suggestions - but how it should work is:

- when someone tries to access a page on a protected branch, the login dialog pops up. For protecting edit/admin modes, this is done with entries in web.config. It's specified that EPiServer uses the ASP.NET model for access control, so I believe I should seek for a solution there rather than modifying the routine for building menus.

I used web.config to specify that users need to be logged on to access our intranet. I just can't figure out how to specify the actual path in web.config to achieve same kind of behaviour you get with episerver when accessing edit mode...

Any ideas on how to specify the path in this line, when the path is simply an EPiServer "page path" (the first "No" indicates "Norwegian"):

  <location path="No/Projects/Thenet/Thenet-closed">

?

I'm not sure the location method will work for episerver pages, because of the FURL, but I might be wrong. For the edit/admin mode it works because the URL is not rewritten by the FURL. Perhaps you can add a location for your templates, but this will not serve your purposes since a templates location isn't strictly tied to where it's used in the page hierarchy.

Still, I don't understand why you can't use the EPiServer access rights to restrict access (=require login) for a branch of the page tree. That is exactly what they are for. Just remove the access rights for the Everyone role on the "Thenet-closed" branch and the login will appear if a user tries to access these pages.

Well, in my site the pages simply disappear if you're not logged in (and noone is, as it's a web page without any visible login functionality). To use this method, you need to add a login control to the master page and require users to log in to see the pages in question. Or have I missed something ?

By disappear I suppose you mean they're not displayed in menus and listings when viewing the page. That is because the default filter of most EPiServer controls is to not display any pages which the user does not have access to. This behaviour can be altered (see my previous post) to display all pages, which will cause the login page to appear if a user with insufficient access rights follows a link to a page.

OK, now I get it. Thank you very much !

Er, well, not that simple(quoting): "Just remove the access rights for the Everyone role on the "Thenet-closed" branch and the login will appear if a user tries to access these pages." . . does the logon pop up if I get to display the page tree/menus also including restricted pages ? Also - I need a different loginbox for this part of the web (different than WebEditor login). How can I achieve that if not in web.config ?

The source of my problems was that I interpreted what was said - that EPiServer 5.x uses ASP.NET authentication instead of a native mechanism. Well, it does for some kinds of pages, only not for the regular ones. It would be nice if someone had written that, too. I'm trying to learn both EPiServer and ASP.NET at the same time, and I really have a hard time knowing what is going on where...

I might be wrong - there might be a way to do this with locations.

The login appears when there is a call to get a page from the EPiServer page store (I don't know exactly at what level, so read this critically) causing a violation of access rights. It is possible to make calls ignoring access rights, which is what for example the PageList control will do if you tell it to. In the control templates you can then act on the PageData objects you get (display a property from the page for example) without causing violations. When a page is requested (link clicked etc) however, the access rights will be becked, and the login will appear if the current user does not have sufficient access rights.

You can change the login page, but AFAIK there is no way to have several different login pages out of the box. If you really need it, you should be able to build a login page which displays differently depending on the requested URL.

Okay, thank you very much !

I'll have to coose between two models, then: Either create an explicit login page acting as a starting point for what's protected, or modify the page selection routine.

Guess I'll be going for the first one, as this may also solve the login box appearance & text issue (either by supplying a custom css or by creating a new page template derived from login.aspx).

Thanks again !

Regards, Bjørge