Blog about tips & tricks for CMS enhancement

eric.petersson

Make Optimizely DXP integration and preproduction sites force login


When working with your client's different DXP environments, you often want to keep the different stages up to date with the latest content
from the production environment. For this, Optimizely has developed a neat function to copy content between the different environments in the DXP
Management Portal 🎉

Keeping your integration and preproduction environments locked down from unintended visitors, for reasons such as security or project approvals, is a good thing to strive for.

If you prefer not to use the IP whitelisting recommended by Optimizely, then setting these access rights programmatically to make the sites read only (force login) might be the solution you are after.

More automated tasks are good common practice, right? 🙋

This can be done in an Optimizely initialization module, which runs when the sites initialize after each deployment of code we make.

To start off with, we need to make sure this code only runs in the integration and preproduction environments.
Luckily, Optimizely keeps track of which environment is which out of the box. In CMS 11 you can read it from the configuration setting ConfigurationManager.AppSettings["episerver:EnvironmentName"].
In CMS 12 (.NET Core 5) the value may be retrieved with Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT").

Declare a module dependency on EPiServer.Web.InitializationModule and make the following setup (CMS 11 example):

using System.Configuration;
using EPiServer;
using EPiServer.DataAbstraction;
using EPiServer.Framework;
using EPiServer.Framework.Initialization;
using EPiServer.Security;
using EPiServer.Web;

[InitializableModule]
[ModuleDependency(typeof(EPiServer.Web.InitializationModule))]
public class EnvironmentInitialization : IInitializableModule
{
    public void Initialize(InitializationEngine context)
    {
        // Read the DXP environment name once; it is null when the setting is absent.
        var environmentName = ConfigurationManager.AppSettings["episerver:EnvironmentName"];

        // Only touch access rights in Integration and Preproduction.
        // The static string.Equals is null-safe, so a missing setting simply skips the lockdown.
        if (!string.Equals(environmentName, "Integration") && !string.Equals(environmentName, "Preproduction"))
        {
            return;
        }

        var contentLoader = context.Locate.Advanced.GetInstance<IContentLoader>();
        var contentSecurityRepository = context.Locate.Advanced.GetInstance<IContentSecurityRepository>();

        // StartPage is the project's own start page type.
        if (contentLoader.TryGet(SiteDefinition.Current.StartPage, out StartPage startPage))
        {
            var securityDescriptor = (IContentSecurityDescriptor)contentSecurityRepository.Get(startPage.ContentLink).CreateWritableClone();

            // Stop inheriting from the parent so only the entries added below apply.
            if (securityDescriptor.IsInherited)
            {
                securityDescriptor.IsInherited = false;
            }

            // Remove every existing access control entry before adding our own.
            securityDescriptor.Clear();

            securityDescriptor.AddEntry(new AccessControlEntry("Administrators", AccessLevel.FullAccess, SecurityEntityType.Role));
            securityDescriptor.AddEntry(new AccessControlEntry("WebAdmins", AccessLevel.FullAccess, SecurityEntityType.Role));
            securityDescriptor.AddEntry(new AccessControlEntry("WebEditors", AccessLevel.Read | AccessLevel.Create | AccessLevel.Edit | AccessLevel.Delete | AccessLevel.Publish, SecurityEntityType.Role));

            // Save for the start page itself, then push the same permissions down to its children.
            contentSecurityRepository.Save(startPage.ContentLink, securityDescriptor, SecuritySaveType.Replace);
            contentSecurityRepository.Save(startPage.ContentLink, securityDescriptor, SecuritySaveType.ReplaceChildPermissions);
        }
    }

    // Required by IInitializableModule; nothing to clean up.
    public void Uninitialize(InitializationEngine context)
    {
    }
}

When we restart the site, we get the start page and clear its access control list (ACL). Then we add our own defined roles and set different
access control entries for them. Lastly, we save and replace the start page's new security settings for both itself and its children to make sure the
site's content structure inherits this properly 👌

And now you should not have to worry about adjusting access rights every time an environment receives newly copied content.
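
A check for the result described above, as an added example that is not part of the original post: it requests each environment anonymously without following redirects and reports whether login is demanded. The class and method names and the /util/login marker are assumptions; pass your own Integration and Preproduction URLs as arguments.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

public static class ForcedLoginCheck
{
    // Assumption: anonymous visitors are redirected to a URL containing this marker; adjust to your login route.
    private const string LoginMarker = "/util/login";

    // True when an anonymous response shows that the site demands authentication.
    public static bool IsLockedDown(HttpStatusCode status, Uri location)
    {
        int code = (int)status;
        if (code == 401 || code == 403) return true;
        bool isRedirect = code >= 300 && code < 400;
        return isRedirect && location != null &&
               location.OriginalString.IndexOf(LoginMarker, StringComparison.OrdinalIgnoreCase) >= 0;
    }

    // Sends one unauthenticated GET; the client must not follow redirects.
    public static async Task<bool> ProbeAsync(HttpClient client, string url)
    {
        using (var response = await client.GetAsync(url))
            return IsLockedDown(response.StatusCode, response.Headers.Location);
    }

    // Usage: pass the Integration and Preproduction site URLs as arguments.
    public static async Task<int> Main(string[] args)
    {
        // Constructed sample responses (not captured traffic) to exercise the classifier offline.
        Console.WriteLine("200, no redirect -> locked: " + IsLockedDown(HttpStatusCode.OK, null));
        Console.WriteLine("302 to login     -> locked: " + IsLockedDown(HttpStatusCode.Found,
            new Uri("/Util/login.aspx?ReturnUrl=%2f", UriKind.Relative)));

        int notLocked = 0;
        using (var handler = new HttpClientHandler { AllowAutoRedirect = false })
        using (var client = new HttpClient(handler) { Timeout = TimeSpan.FromSeconds(15) })
        {
            foreach (var url in args)
            {
                bool locked = await ProbeAsync(client, url);
                Console.WriteLine(url + (locked ? ": login required" : ": NOT confirmed locked"));
                if (!locked) notLocked++;
            }
        }
        return notLocked == 0 ? 0 : 1; // a non-zero exit code fails the pipeline step
    }
}
```

Anything other than a 401, a 403 or a redirect to the login route counts as not locked, so an unexpected response fails the check instead of passing silently.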

This post described how to make your site read only and login only for your desired DXP environments in Optimizely DXP.