Extranet Basic
Created by Orckestra

Extranet Developer Guide

About Extranet Security

The Extranet add-on protects pages and media files from being requested by website visitors who are not authenticated or authorized.

When restricting access to a page, you limit the group of people who can see that page (and all its subpages) to the people who have a valid login and belong to at least one Extranet group that has been granted access.

The same is the case for media files.

  1. How it works

    C1 CMS has exactly two public endpoints that can serve pages and media files. These endpoints are responsible for converting an HTTP request into API calls that deliver the requested resource.

    Before these API calls are executed, the endpoints validate the request with the Extranet add-on and abort it if it is not properly validated. Aborted requests are redirected to the website login page. If the request is properly validated, it is allowed, but any public caching is explicitly denied.

    The technical mechanism used to enable this request validation is described here: “How can I validate users before a page or media file is being served?”

  2. What is protected?

    The validation layer is inserted between the public endpoints and the API constructing the response. This means that the Extranet add-on protects the public endpoints and ensures that pages and media are only handed to the users who have been authorized by the extranet administrator.

  3. When are pages or media not protected?

    The data stores of C1 CMS are not ‘encapsulated’ by this protection and any direct Data API calls will be allowed by C1 CMS. This means that developers who write their own public endpoints serving pages or media files must take the “RenderingResponseHandler” security feature into account to maintain the security level provided by the Extranet add-on.
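    As an added illustration of this point (not code from the Extranet add-on or C1 CMS itself), here is a hypothetical custom media endpoint that consults the RenderingResponseHandler layer before streaming a file, so that a developer-written endpoint keeps the same security level as the two built-in ones. The facade, result type and data API names (RenderingResponseHandlerFacade, RenderingResponseHandlerResult, DataFacade, IMediaFile) are assumed from the C1 CMS public API and should be checked against the version in use.

```csharp
using System;
using System.Linq;
using System.Web;
using Composite.Core.WebClient.Renderings; // RenderingResponseHandlerFacade (assumed namespace)
using Composite.Data;                       // DataFacade, GetDataEntityToken() (assumed)
using Composite.Data.Types;                 // IMediaFile (assumed)

// Hypothetical custom endpoint: serves a media file by id (?id=<guid>), but asks the
// RenderingResponseHandler layer first, as the two built-in endpoints do.
public class GuardedMediaHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        if (!Guid.TryParse(context.Request.QueryString["id"], out Guid id))
        {
            context.Response.StatusCode = 400; return;
        }

        IMediaFile file = DataFacade.GetData<IMediaFile>().FirstOrDefault(f => f.Id == id);
        if (file == null) { context.Response.StatusCode = 404; return; }

        // The Extranet add-on is one of the registered handlers consulted here.
        RenderingResponseHandlerResult handling =
            RenderingResponseHandlerFacade.GetDataResponseHandling(file.GetDataEntityToken());

        if (handling != null)
        {
            // Validated requests are served, but public caching is explicitly denied.
            if (handling.PreventPublicCaching)
                context.Response.Cache.SetCacheability(HttpCacheability.NoCache);

            // Rejected requests are redirected (typically to the login page) and serve nothing.
            if (handling.EndRequest || handling.RedirectRequesterTo != null)
            {
                if (handling.RedirectRequesterTo != null)
                    context.Response.Redirect(handling.RedirectRequesterTo.ToString(), false);
                context.ApplicationInstance.CompleteRequest();
                return;
            }
        }

        // Only reached for a validated request: stream the file without public caching.
        context.Response.ContentType = file.MimeType;
        using (var stream = file.GetReadStream())
            stream.CopyTo(context.Response.OutputStream);
    }
}
```

    The handler is registered in web.config like any other IHttpHandler; the important part is that the data item is never written to the response before the handler result has been checked.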

  4. What about administrative users?

    Users with administrative access to the CMS Console can work with pages and media files according to their CMS Console security settings. These settings can be limited so that only specific users are allowed to browse and manipulate specific page sections and media folders. Browsing and previewing protected pages require a valid extranet login.

Secure communication

By default, the Extranet add-on uses HTML-form-based login validation, where users submit their username and password in plain text.

You can ensure that this communication, along with page browsing and file downloads, is encrypted by installing an SSL (Secure Sockets Layer) certificate on the website. This ensures that traffic is transmitted securely via HTTPS (Secure HTTP).

CMS Console users who manage extranet user accounts, or edit or upload extranet-protected content or files, can use HTTPS for these purposes. This ensures that all password, data and file communication between the CMS Console user and the server is kept encrypted.

Some websites might require that sensitive data and files are stored in an encrypted state on the server. Neither the Extranet add-on nor C1 CMS provides storage encryption services by default. However, such features can be developed as add-ons to C1 CMS and should work with this extranet “as is”.
