tags:

views:

283

answers:

2
Q: 

Sitecore - Multiple websites and making "cross-site" requests illegal

I have two IIS sites pointing to diffent physical folders. This is to be able to differentiate the web.config and the files and assemblies used for the sites Database is set to point to the same instance for both sites In web.config are configured to start from different parts The stucture is like this:

  • /sitecore/content/home/default

  • /sitecore/content/home/intranet

So far so good.

Now, the problem is that i'm able to retrieve content not belonging to the actual site by entering its complete path. Ie.

http://www.default.com/sitecore/content/home/intranet.aspx <-- this shouldn't be allowed, since www.default.com is configured with /sitecore/content/home/default as root.

Is there any built-in mechanism to dissallow this or do i have to subclass the itemresolver to make "cross sites"-requests illegal.

A: 

Well if the intranet item (and below) is protected with Sitecore security it should not be problem nor possible to access :)

If you can't handle it with security then I would go with the ItemResolver.

Cheers

pbering  2009-09-28 18:53:44
A: 

This is something to do with how Sitecore resolves items, I have found 3 different URL's for each item. For example say I have the following structure:

-sitecore
  -content
    -home
      -page1

I can access page1 either through:

However knowing this won't help solve your problem. The best solution I can suggest is to use security. However if both site need anonymous access the question is how do you control this?

I imagine that since you have two separate web.config's you also have to separate Sitecore configuration sections. So what we can do is create a pipeline process that runs as part of the http request begin pipeline (in the web.config as /configuration/sitecore/pipelines/httpRequestBegin) creating one for each site and updating the relevant web.config. When this process is called it could create a virtual user who belongs to a group which restricts access to the site the user requested.

There is some code here that shows you how to create a virtual user:

http://sdn.sitecore.net/Scrapbook/How%20to%20properly%20login%20virtual%20user%20to%20the%20Sitecore%20client.aspx

And here on pipelines:

http://sdn.sitecore.net/Scrapbook/Custom%20HttpHandler%20problem.aspx

Hope this helps :-)

Michael Edwards  2009-09-30 15:15:52

related questions

Is there any way to get publishing queue in sitecore?
System.ArgumentNullException: Value cannot be null. Parameter name: ownerType
Any experience on Sitecore CMS using Windows Sharepoint Services?
Rebuild Sitecore Search index and link database in a background process
IIS7 Custom Error URL Redirects Not Working with non-physical files
Running SiteCore Production Site under a Virtual Directory
How to check SiteCore's serialisation tree into TFS
XSL to Group item
Accessing Sitecore from another web project
Filter XSLT results
Sitecore Polls module - Unable to access or delete polls
Programatically Creating Image under Media Library
404 Redirect to Sitecore page allows for Extensionless URL
Set sitecore user to disabled on creation
How to find related items by tags in Lucene.NET
Sitecore: How to access same field name in different sections
Using XSL to list all fields of an item in Sitecore CMS
Is SiteCore slow and buggy?
Create link to Sitecore Item
Delete child items recursively in Sitecore CMS.NET
Adding unversioned files to subversion
One large xslt over smaller more granular ones
Sitecore's "Latest" Item
Launch Content Editor from code
Maximum # of Results in a Sitecore Droplink field?