Sitecore.Services.Client security
Describes security considerations when you use SSC
The EntityService and the ItemService use Web API action filters to determine whether they handle or reject a request. Sitecore.Services.Client provides two layers of security:
A security policy that applies to all Sitecore.Services.Client requests.
Individual filters that can place additional requirements on a request before it is executed.
The ItemService has some additional security settings:
Request security context: requests to the ItemService run in the context of the current Sitecore user, so Sitecore item security (read, write, and the other access rights) applies to every item a request touches.
Two routes for authentication: auth/login and auth/logout.
You must make requests to auth/login over HTTPS, because the request body carries the user's credentials. When you make requests to this route from JavaScript, load the whole page over HTTPS as well: a page served over HTTP that calls an https:// URL on the same host is making a cross-origin request (the scheme differs), and the browser rejects it.
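As an added example (not code from the Sitecore documentation or from the SSC product), the following C# client enforces the HTTPS rule before it calls auth/login, keeps the authentication cookie the server returns, uses it for an ItemService call that runs as the logged-in user, and then calls auth/logout. It assumes the default route prefix /sitecore/api/ssc, an ItemService route of item/{id}, and a login body of the form {domain, username, password}; the host and account are constructed values, and the item ID is the standard Home item. Verify the routes and body shape against your Sitecore version.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;

// Added example, not Sitecore product code. Assumed: route prefix /sitecore/api/ssc,
// ItemService route item/{id}, and a login body of { domain, username, password }.
public static class SscClient
{
    private const string LoginRoute = "sitecore/api/ssc/auth/login";
    private const string LogoutRoute = "sitecore/api/ssc/auth/logout";
    private const string ItemRoute = "sitecore/api/ssc/item/";

    // auth/login carries credentials in the body, so refuse any non-HTTPS base address
    // before a request is built, instead of relying on a redirect from the server.
    public static Uri RequireHttps(string baseUrl)
    {
        var uri = new Uri(baseUrl, UriKind.Absolute);
        if (!string.Equals(uri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("auth/login must be called over HTTPS: " + baseUrl);
        return uri;
    }

    public static async Task<HttpClient> LoginAsync(string baseUrl, string domain, string userName, string password)
    {
        var handler = new HttpClientHandler { CookieContainer = new CookieContainer(), UseCookies = true };
        var client = new HttpClient(handler) { BaseAddress = RequireHttps(baseUrl) };

        // Serialize rather than concatenate, so a password containing quotes cannot break the JSON.
        var json = JsonConvert.SerializeObject(new { domain, username = userName, password });
        var response = await client.PostAsync(LoginRoute, new StringContent(json, Encoding.UTF8, "application/json"));
        if (!response.IsSuccessStatusCode)
        {
            client.Dispose();
            throw new UnauthorizedAccessException("Login failed with HTTP " + (int)response.StatusCode);
        }
        // The authentication cookie set by the server now lives in the CookieContainer
        // and is replayed automatically on every later request made through this client.
        return client;
    }

    // Runs under the logged-in user's Sitecore security context, so item access rights apply.
    public static async Task<string> GetItemJsonAsync(HttpClient client, Guid itemId)
    {
        var response = await client.GetAsync(ItemRoute + itemId.ToString("D"));
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    public static async Task LogoutAsync(HttpClient client)
    {
        var response = await client.PostAsync(LogoutRoute, null);
        response.EnsureSuccessStatusCode();
    }

    public static async Task Main()
    {
        // Constructed values for illustration; replace with your own host and account.
        // 110D559F-DEA5-42EA-9C1C-8A5DF7E70EF9 is the ID of the standard /sitecore/content/Home item.
        using (var client = await LoginAsync("https://cm.example.com/", "sitecore", "apiuser", "s3cret"))
        {
            Console.WriteLine(await GetItemJsonAsync(client, new Guid("110D559F-DEA5-42EA-9C1C-8A5DF7E70EF9")));
            await LogoutAsync(client);
        }
    }
}
```

Passing an http:// base address makes LoginAsync throw before any request is sent, which is the client-side counterpart of the HTTPS requirement stated above; the server-side counterpart is the ServicesRequireHttpsFilter described later on this page.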
Anonymous access
By default, the extranet\Anonymous user does not have access to the ItemService. You change this behavior with the Sitecore.Services.AllowAnonymousUser setting in the Sitecore.Services.Client configuration file. When you set Sitecore.Services.AllowAnonymousUser to true, the ItemService executes anonymous requests in the security context of the user defined in the Sitecore.Services.AnonymousUser configuration setting. By default, such requests run as the sitecore\ServicesAPI user, using user impersonation.
Because impersonation means that every unauthenticated caller acts with the access rights of the configured user, keep that user's item permissions to the minimum the API needs, and leave the setting at false on instances that do not have to serve anonymous clients.
Sitecore.Services.Client ships with three security policies:
Sitecore.Services.Infrastructure.Web.Http.Security.ServicesOffPolicy: denies access to all Entity and Item services.
Sitecore.Services.Infrastructure.Web.Http.Security.ServicesLocalOnlyPolicy: denies access to all Entity and Item services for requests that originate from remote clients; only requests from the local machine are served. Note that "local" is judged on the connection the web server sees, so if a reverse proxy on the same host forwards traffic to Sitecore, the forwarded requests count as local.
Sitecore.Services.Infrastructure.Web.Http.Security.ServicesOnPolicy: allows access to all Entity and Item services.
You configure a security policy with the Sitecore.Services.SecurityPolicy setting in the Sitecore.Services.Client.config file. The default value is ServicesLocalOnlyPolicy.
You can create custom security policies by implementing the Sitecore.Services.Infrastructure.Web.Http.Security.IAuthorizePolicy interface and specifying the custom class name in the Sitecore.Services.SecurityPolicy configuration setting.
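The following is an added example of a custom policy (not Sitecore product code): it behaves like ServicesLocalOnlyPolicy for local requests and additionally admits remote clients whose address falls inside a configured list of CIDR ranges, which is the usual middle ground between the local-only default and ServicesOnPolicy. It assumes that IAuthorizePolicy exposes a single bool IsAuthorized(HttpActionContext actionContext) method (check the interface in the Sitecore.Services.Infrastructure assembly for your version), that the custom class is registered by assembly-qualified name, and that the trusted ranges come from a hypothetical setting named Example.Services.TrustedNetworks, formatted as a pipe-separated list of CIDR ranges.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web;
using System.Web.Http.Controllers;
using Sitecore.Configuration;
using Sitecore.Services.Infrastructure.Web.Http.Security;

namespace Example.Services.Security
{
    // Added example, not Sitecore product code. Assumes IAuthorizePolicy declares
    // bool IsAuthorized(HttpActionContext); Example.Services.TrustedNetworks is a hypothetical setting.
    public class ServicesTrustedNetworkPolicy : IAuthorizePolicy
    {
        private sealed class Cidr { public byte[] Network; public int PrefixLength; }

        private readonly List<Cidr> trusted = new List<Cidr>();

        public ServicesTrustedNetworkPolicy()
            : this(Settings.GetSetting("Example.Services.TrustedNetworks", string.Empty)) { }

        // cidrList example: "10.0.0.0/8|192.168.10.0/24|2001:db8::/32"
        public ServicesTrustedNetworkPolicy(string cidrList)
        {
            foreach (var entry in cidrList.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries))
            {
                var parts = entry.Trim().Split('/');
                var network = IPAddress.Parse(parts[0]).GetAddressBytes();
                var prefix = parts.Length > 1 ? int.Parse(parts[1]) : network.Length * 8;
                if (prefix < 0 || prefix > network.Length * 8)
                    throw new ArgumentException("Invalid prefix length in " + entry);
                trusted.Add(new Cidr { Network = network, PrefixLength = prefix });
            }
        }

        public bool IsAuthorized(HttpActionContext actionContext)
        {
            var request = actionContext.Request;
            if (request.IsLocal())
                return true;                                   // same rule as ServicesLocalOnlyPolicy

            var remote = GetRemoteAddress(request);
            return remote != null && trusted.Any(range => Matches(remote, range));
        }

        // Use the address the web server saw on the socket, never a client-supplied header
        // such as X-Forwarded-For, which any remote caller can set to whatever it likes.
        private static IPAddress GetRemoteAddress(HttpRequestMessage request)
        {
            object value;
            if (!request.Properties.TryGetValue("MS_HttpContext", out value))
                return null;
            var httpContext = value as HttpContextBase;
            IPAddress address;
            if (httpContext == null || !IPAddress.TryParse(httpContext.Request.UserHostAddress, out address))
                return null;
            // Normalise ::ffff:10.0.0.5 to 10.0.0.5 so IPv4 ranges match dual-stack listeners.
            return address.IsIPv4MappedToIPv6 ? address.MapToIPv4() : address;
        }

        private static bool Matches(IPAddress address, Cidr range)
        {
            var bytes = address.GetAddressBytes();
            if (bytes.Length != range.Network.Length)          // never compare IPv4 with IPv6 ranges
                return false;
            int fullBytes = range.PrefixLength / 8, remainingBits = range.PrefixLength % 8;
            for (int i = 0; i < fullBytes; i++)
                if (bytes[i] != range.Network[i]) return false;
            if (remainingBits == 0)
                return true;
            int mask = (0xFF << (8 - remainingBits)) & 0xFF;
            return (bytes[fullBytes] & mask) == (range.Network[fullBytes] & mask);
        }
    }
}

// Register the policy in Sitecore.Services.Client.config (or a patch file); the value format
// is an assumption, so mirror the existing Sitecore.Services.SecurityPolicy entry:
//   <setting name="Sitecore.Services.SecurityPolicy"
//            value="Example.Services.Security.ServicesTrustedNetworkPolicy, Example.Services" />
//   <setting name="Example.Services.TrustedNetworks" value="10.0.0.0/8|192.168.10.0/24" />
```

The policy deliberately reads the socket address rather than a forwarding header; if Sitecore sits behind a load balancer that terminates connections, the trusted range must then be the load balancer's address, and the allow-listing has to happen on the load balancer itself.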
Exclude controllers from security policies
You can exclude controllers from the security policy you use. To do this, add an allowedController element under api/services/configuration/allowedControllers in the Sitecore.Services.Client.config file. An excluded controller is no longer protected by the policy at all, so it must carry its own authorization (for example, an authorization filter applied to the controller or its actions).
The sitecore/api/configuration/filters section in the Sitecore.Services.Client.config configuration file defines which action filters Sitecore.Services.Client installs. It installs the following filters by default:
Sitecore.Services.Infrastructure.Web.Http.Filters.AnonymousUserFilter: ensures that requests to the ItemService respect the configuration settings for unauthenticated users (Sitecore.Services.AllowAnonymousUser and Sitecore.Services.AnonymousUser).
Sitecore.Services.Infrastructure.Web.Http.Filters.SecurityPolicyAuthorisationFilter: runs the security policy defined in the Sitecore.Services.SecurityPolicy configuration setting.
Sitecore.Services.Infrastructure.Web.Http.Filters.LoggingExceptionFilter: ensures that uncaught exceptions do not leak out over Web API requests. It writes details about uncaught exceptions to the Sitecore logs and sets the response status for the request to Internal Server Error (500), so stack traces and other internal details never reach the client.
Sitecore.Services.Infrastructure.Web.Http.Filters.RequireHttpsFilter: makes HTTPS mandatory for all Web API requests to the site. It is commented out by default.
Sitecore.Services.Infrastructure.Web.Http.Filters.ServicesRequireHttpsFilter: makes HTTPS mandatory for all EntityService and ItemService requests. It is commented out by default. Because auth/login must be called over HTTPS anyway, uncommenting this filter is the simplest way to guarantee that neither credentials nor authentication cookies are ever sent in clear text to these services.
To create a custom authorization filter:
Derive a filter class from System.Web.Http.Filters.AuthorizationFilterAttribute and override the OnAuthorization(HttpActionContext actionContext) method. To reject a request, set actionContext.Response to the error response you want to return; if you leave it unset, the request proceeds to the next filter and then to the action.
Add the new filter class definition to the sitecore/api/configuration/filters section in the Sitecore.Services.Client.config configuration file.
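The following added example (not Sitecore product code) carries out both steps of this procedure and at the same time addresses the anonymous-access caveat from earlier on this page: it lets unauthenticated callers read from the ItemService when Sitecore.Services.AllowAnonymousUser is true, but refuses any request that can change content unless the caller is a real, logged-in user holding a dedicated role. The role name, the namespace and the assembly are hypothetical; the /sitecore/api/ssc/item route prefix and the shape of the filter element are assumptions that mirror the defaults described on this page, so check them against your configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using Sitecore;
using Sitecore.Configuration;

namespace Example.Services.Security
{
    // Added example, not Sitecore product code. WriterRole is a hypothetical role that you
    // create yourself; ItemServicePrefix assumes the default SSC route.
    public class ItemServiceWriteGuardFilter : AuthorizationFilterAttribute
    {
        public const string WriterRole = "sitecore\\Services API Writers";
        private const string ItemServicePrefix = "/sitecore/api/ssc/item";

        private static readonly HashSet<HttpMethod> SafeMethods = new HashSet<HttpMethod>
        {
            HttpMethod.Get, HttpMethod.Head, HttpMethod.Options
        };

        public override void OnAuthorization(HttpActionContext actionContext)
        {
            var request = actionContext.Request;
            if (!request.RequestUri.AbsolutePath.StartsWith(ItemServicePrefix, StringComparison.OrdinalIgnoreCase))
                return;                                    // other controllers are not this filter's concern

            if (SafeMethods.Contains(request.Method))
                return;                                    // reads remain governed by Sitecore item security

            if (!IsTrustedWriter())
            {
                // Setting Response short-circuits the pipeline; the action never runs.
                actionContext.Response = request.CreateResponse(
                    HttpStatusCode.Forbidden,
                    "Write access to the ItemService requires an authenticated member of " + WriterRole);
            }
        }

        // A writer must be a real, logged-in account that holds the writer role. The user that
        // anonymous requests are impersonated as (Sitecore.Services.AnonymousUser) is rejected by
        // name, so enabling AllowAnonymousUser never grants anonymous callers write access,
        // regardless of whether impersonation has already taken effect when this filter runs.
        private static bool IsTrustedWriter()
        {
            var user = Context.User;
            if (user == null || !user.IsAuthenticated)
                return false;

            var anonymousUser = Settings.GetSetting("Sitecore.Services.AnonymousUser", "sitecore\\ServicesAPI");
            if (string.Equals(user.Name, anonymousUser, StringComparison.OrdinalIgnoreCase))
                return false;

            return user.IsInRole(WriterRole);
        }
    }
}

// Step 2: register the filter after the default entries in the filters section of
// Sitecore.Services.Client.config (or in a patch file); mirror the existing filter elements:
//   <filters>
//     ...existing filter elements...
//     <filter desc="ItemServiceWriteGuardFilter"
//             type="Example.Services.Security.ItemServiceWriteGuardFilter, Example.Services" />
//   </filters>
```

The filter only narrows access: a member of the writer role still needs the corresponding Sitecore item write rights, because the ItemService executes in that user's security context, and a request that passes this filter is still subject to the security policy and the other installed filters.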