SxA Storefront Security Settings

Tuesday, May 29, 2018

Hopefully you've all been having fun with XC9 since it was released back in January. This post is going to cover something you'll need to look at if you're using the Storefront generated by SxA Storefront.

If you're using the out of the box account feature that shipped with XC9, then you'll want to follow the steps below to correctly configure the security settings for the secure account pages.

As configured out of the box, the secure account pages don't have any Sitecore security applied to them. This means that if you try to access a secure page as an unauthenticated user, say from a bookmark you'd made when previously logged in, then you'll have an issue.

What ends up happening is that, as no Sitecore security has been applied, the request falls through to the [Authorize] attribute on the account controller. Because you're an unauthenticated user, ASP.NET then redirects you to the login URL specified on the system.web\authentication\forms node of the web.config.

However, with Sitecore this node is set to /sitecore/login, which isn't what you want in this situation: you don't want your end users being redirected to the Sitecore login page, but to the login page for the site they're accessing. So how do you do this?

Denying Anonymous Users

Well first of all you need to deny read access to the extranet/anonymous user, to tell Sitecore that unauthenticated users shouldn't be able to access these pages.

Deny Anonymous user access

In the screenshot above you can see red crosses shown next to the extranet/anonymous account in the Read column. This means that account will be denied access to those pages, which is great, but there's another step that we need to perform.

Configuring SxA Site Login Page

So we've denied access to the extranet/anonymous account, but now we need to tell Sitecore where we want to redirect these unauthenticated users to. We do this using the default SxA Site Grouping functionality.

SxA Login Page

If you navigate to the Site Grouping item for your site, in my case this was located at /sitecore/content/Sitecore/SxaStorefront/Settings/Site Grouping/SxaStorefront, then you can configure the login page for that site by populating the Login Page field.
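As an added example (not code from the original post or from Sitecore/SXA), here is a small audit you can run from any code context with the Sitecore API loaded to confirm both steps are in place: that extranet\anonymous can no longer read each secure account page, and that the Site Grouping item has its Login Page populated. The secure page paths and the "Login Page" field name are assumptions taken from the UI labels in this post; substitute your own.

```csharp
// Added example, not part of the original post or the SXA Storefront code.
// Assumes: a Sitecore API reference, the field name "Login Page" on the Site
// Grouping item (taken from the Content Editor label), and placeholder page paths.
using System.Collections.Generic;
using Sitecore.Data;
using Sitecore.Data.Items;
using Sitecore.Security.Accounts;

public static class StorefrontSecurityAudit
{
    // Returns a list of problems; an empty list means both steps are configured.
    public static List<string> Audit(Database db, string siteGroupingPath,
                                     IEnumerable<string> securePagePaths)
    {
        var problems = new List<string>();

        // The unauthenticated visitor identity Sitecore uses for the extranet domain.
        User anonymous = User.FromName(@"extranet\anonymous", false);

        // Step 1: anonymous must NOT be able to read the secure account pages,
        // otherwise the MVC [Authorize] fallback sends visitors to /sitecore/login.
        foreach (string path in securePagePaths)
        {
            Item page = db.GetItem(path);
            if (page == null)
            {
                problems.Add("Missing item: " + path);
                continue;
            }
            if (page.Security.CanRead(anonymous))
                problems.Add(@"extranet\anonymous can still read " + path);
        }

        // Step 2: the Site Grouping item must name the login page to redirect to.
        Item siteGrouping = db.GetItem(siteGroupingPath);
        if (siteGrouping == null)
            problems.Add("Missing Site Grouping item: " + siteGroupingPath);
        else if (string.IsNullOrWhiteSpace(siteGrouping["Login Page"])) // field name assumed from UI label
            problems.Add("Login Page field is empty on " + siteGroupingPath);

        return problems;
    }
}

// Example call (paths other than the Site Grouping one are placeholders):
// var issues = StorefrontSecurityAudit.Audit(
//     Sitecore.Context.Database,
//     "/sitecore/content/Sitecore/SxaStorefront/Settings/Site Grouping/SxaStorefront",
//     new[] { "/sitecore/content/Sitecore/SxaStorefront/Home/Account/<your-secure-page>" });
```

Run it against the web database after publishing, since that is the database the storefront serves from.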

And that's it. I can publish these changes and then the authentication on my site will function correctly. Now when a user attempts to navigate directly to one of the Account pages, say from a bookmark like I mentioned at the start of this post, they will be correctly forwarded to the Login Page for the context site, not the Sitecore administration login page!