Sitecore.Services.Client security
The EntityService and the ItemService use the Web API ActionFilters to determine whether they handle or reject a request.
Sitecore.Services.Client provides two layers of security:
- A security policy that applies to all Sitecore.Services.Client requests.
- Individual filters that can add additional requirements on requests that are to be executed.
The ItemService has some additional security settings:
- Request security context: requests to the ItemService run in the context of the current Sitecore user.
- Two routes for authentication:
  - auth/login
  - auth/logout
  You must make requests to auth/login over HTTPS. When you make requests to this route from JavaScript, you must load the whole page over HTTPS to avoid the request failing because it is cross-origin.
  Note: Although we strongly recommend you use the HTTPS protocol, you can use the HTTP protocol by overriding the default value of the Sitecore.Services.AllowToLoginWithHttp setting in the Services.Client/Sitecore.Services.Client.config file. The default value is false. If this value is true, it is possible to log in through the auth/login endpoint using the HTTP protocol. Enabling this setting can cause security vulnerabilities. The purpose of this setting is to support containers and SSL load balancers.
- Anonymous access: by default, the extranet\Anonymous user does not have access to the ItemService. You change this behavior with the Sitecore.Services.AllowItemServiceAnonymousUser setting in the Sitecore.Services.Client configuration file. When you set Sitecore.Services.AllowItemServiceAnonymousUser to true, the ItemService executes anonymous requests in the security context of the user defined in the Sitecore.Services.AnonymousUser configuration setting. By default, such requests run as the sitecore\ServicesAPI user, using user impersonation.
When using the Federated Experience Manager (FXM), ensure the Security database on the CD instance is enabled.
Security policies
Sitecore.Services.Client ships with three security policies:
- Sitecore.Services.Infrastructure.Web.Http.Security.ServicesOffPolicy: This policy denies access to all Entity and ItemServices.
- Sitecore.Services.Infrastructure.Web.Http.Security.ServicesLocalOnlyPolicy: This policy denies access to all Entity and ItemServices from requests originating from remote clients.
- Sitecore.Services.Infrastructure.Web.Http.Security.ServicesOnPolicy: This policy allows access to all Entity and ItemServices.
You configure a security policy with the Sitecore.Services.SecurityPolicy setting in the Sitecore.Services.Client.config file. The default value is ServicesLocalOnlyPolicy.
You can create custom security policies by implementing the Sitecore.Services.Infrastructure.Web.Http.Security.IAuthorizePolicy interface and specifying the custom class name in the Sitecore.Services.SecurityPolicy configuration setting.
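The following custom policy is an added example and is not Sitecore's own code. It keeps the behaviour of the shipped ServicesLocalOnlyPolicy (local requests pass) and additionally admits remote requests only from an already-authenticated Sitecore user who holds a designated role; everything else is denied, so the policy fails closed. The role name Example.Services.Security, the type name ServicesLocalOrApiRolePolicy and the role "sitecore\Services API Clients" are assumptions, and the IAuthorizePolicy member is assumed to be a single bool IsAuthorized(HttpRequestMessage) method; confirm the signature against the Sitecore.Services.Infrastructure assembly for your version.

```csharp
using System.Net.Http;
using System.Web.Http;   // HttpRequestMessageExtensions.IsLocal
using Sitecore.Services.Infrastructure.Web.Http.Security;

namespace Example.Services.Security
{
    // Hypothetical policy (added example, not a Sitecore class).
    // Register it by setting Sitecore.Services.SecurityPolicy to the
    // assembly-qualified type name, e.g.
    // "Example.Services.Security.ServicesLocalOrApiRolePolicy, Example.Services".
    public class ServicesLocalOrApiRolePolicy : IAuthorizePolicy
    {
        // Assumed role; create it in the Sitecore Role Manager before relying on it.
        private const string ApiRole = @"sitecore\Services API Clients";

        // Assumed IAuthorizePolicy signature: true = handle the request, false = reject it.
        public bool IsAuthorized(HttpRequestMessage requestMessage)
        {
            if (requestMessage == null)
            {
                return false; // fail closed on a malformed invocation
            }

            // Same test the shipped ServicesLocalOnlyPolicy relies on:
            // requests originating on the server itself are allowed.
            if (requestMessage.IsLocal())
            {
                return true;
            }

            // Remote requests must already be authenticated (for example through
            // auth/login over HTTPS) and the Sitecore user must hold the API role.
            // extranet\Anonymous is never authenticated, so anonymous remote
            // callers are rejected here before any impersonation takes place.
            var user = Sitecore.Context.User;
            return user != null && user.IsAuthenticated && user.IsInRole(ApiRole);
        }
    }
}
```

Because the policy applies to every Sitecore.Services.Client request, a bug in it affects both the EntityService and the ItemService at once; keep the decision logic small and default to false on any path you have not explicitly reasoned about.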
Exclude controllers from security policies
You can exclude controllers from the security policy you use. To do this, add an allowedController element under api/services/configuration/allowedControllers in the Sitecore.Services.Client.config file.
Authorization filters
The sitecore/api/configuration/filters section in the Sitecore.Services.Client.config configuration file defines what action filters Sitecore.Services.Client installs.
It installs the following filters by default:
- Sitecore.Services.Infrastructure.Web.Http.Filters.AnonymousUserFilter: This filter ensures that requests to the ItemService respect the configuration settings for unauthenticated users.
- Sitecore.Services.Infrastructure.Web.Http.Filters.SecurityPolicyAuthorisationFilter: This filter runs the security policy defined in the Sitecore.Services.SecurityPolicy configuration setting.
- Sitecore.Services.Infrastructure.Web.Http.Filters.RequireHttpsFilter: This filter makes HTTPS mandatory for all Web API requests to the site. It is commented out by default.
- Sitecore.Services.Infrastructure.Web.Http.Filters.ServicesRequireHttpsFilter: This filter makes HTTPS mandatory for all EntityService and ItemService requests. It is commented out by default.
Custom authorization filters
To create a custom authorization filter:
- Derive a filter class from System.Web.Http.Filters.AuthorizationFilterAttribute and override the OnAuthorization(HttpActionContext actionContext) method.
- Add the new filter class definition to the sitecore/api/configuration/filters section in the Sitecore.Services.Client.config configuration file.
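The filter below is an added example that illustrates the two steps above; it is not a Sitecore class. It short-circuits a request before the controller action runs unless the request arrived over HTTPS and the current Sitecore user is authenticated, returning 403 for plaintext transport and 401 for an unauthenticated caller. The namespace Example.Services.Filters and the type name RequireAuthenticatedHttpsFilter are assumptions; the AuthorizationFilterAttribute base class, OnAuthorization override and CreateErrorResponse extension are standard ASP.NET Web API.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

namespace Example.Services.Filters
{
    // Hypothetical filter (added example, not a Sitecore class). After building it,
    // add its type name under sitecore/api/configuration/filters so that
    // Sitecore.Services.Client installs it alongside the default filters.
    public class RequireAuthenticatedHttpsFilter : AuthorizationFilterAttribute
    {
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            var request = actionContext.Request;

            // Transport check first: a session cookie or login body sent over
            // plain HTTP is exposed in transit, so refuse to process it at all.
            // Setting actionContext.Response stops the pipeline here.
            if (!string.Equals(request.RequestUri.Scheme, Uri.UriSchemeHttps,
                               StringComparison.OrdinalIgnoreCase))
            {
                actionContext.Response = request.CreateErrorResponse(
                    HttpStatusCode.Forbidden, "HTTPS is required for this service.");
                return;
            }

            // Identity check: the ItemService runs as the current Sitecore user, so
            // require a real authenticated user rather than extranet\Anonymous.
            var user = Sitecore.Context.User;
            if (user == null || !user.IsAuthenticated)
            {
                actionContext.Response = request.CreateErrorResponse(
                    HttpStatusCode.Unauthorized, "Authentication is required.");
                return;
            }

            // All checks passed: let the remaining filters and the action run.
            base.OnAuthorization(actionContext);
        }
    }
}
```

Filters run in addition to the security policy, not instead of it: a request still has to satisfy the policy configured in Sitecore.Services.SecurityPolicy before this filter's checks matter, which is what makes the two layers described at the top of the page complementary.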