Work with Sitecore Service Client Security in Development Environment

Sitecore.Services.Client (SSC) was introduced in Sitecore 7.5. It provides a framework and scaffolding for creating Web API based REST services in Sitecore, in the same way as a regular ASP.NET Web API. It is very useful whether the services are called from server-side code or from client-side JavaScript.

With SSC, we can create a custom Web API by inheriting from ServicesApiController and get all of its security benefits and filters for free.

Here are some security tips I found while working with Sitecore Service Client, especially in a development environment.

1. The request to auth/login has to be made over HTTPS, whether from JavaScript or from code-behind, because of cross-origin restrictions. In a dev/test environment, how can we get SSL? The answer is to create a self-signed certificate in IIS and bind it to the Sitecore site.

  • Click the server node in IIS and open “Server Certificates”.
  • Create a self-signed certificate.
  • Bind the created certificate to the Sitecore site.

2. Because the certificate is not a real one, calling the https URL may produce an error indicating that the certificate is not valid. Here is a piece of code to bypass it, but DO NOT USE IT IN PRODUCTION: it accepts every server certificate, so it switches off TLS server authentication for the whole process, not just for the one self-signed certificate.

// Namespaces needed in the containing file.
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Development-only: accept any server certificate, including the self-signed
// one bound in IIS. The callback is process-wide, so every HTTPS call made by
// this application trusts every certificate while it is registered.
private static void BypassCertificateError()
{
    ServicePointManager.ServerCertificateValidationCallback += delegate (
        Object sender1,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        // Returning true tells the framework to ignore sslPolicyErrors.
        return true;
    };
}
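A safer development-only variant, added here as an example and not part of the original post: instead of trusting every certificate, the callback trusts only the one self-signed certificate created in IIS, identified by its thumbprint, and is only registered in DEBUG builds. The DevCertThumbprint placeholder, the class and method names are assumptions for this example.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: pin the dev certificate rather than disabling validation.
public static class DevCertificateTrust
{
    // Assumption / placeholder: paste the thumbprint shown in
    // IIS > Server Certificates for the self-signed certificate here.
    private const string DevCertThumbprint = "REPLACE-WITH-DEV-CERT-THUMBPRINT";

    // Call once at startup (e.g. from Application_Start). The callback is
    // only wired up in DEBUG builds, so a Release build keeps normal validation.
    public static void TrustDevelopmentCertificateOnly()
    {
#if DEBUG
        ServicePointManager.ServerCertificateValidationCallback += ValidateDevCertificate;
#endif
    }

    // Returns true when the chain validates normally, or when the presented
    // certificate is exactly the pinned development certificate. Every other
    // validation failure is still rejected.
    internal static bool ValidateDevCertificate(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
        {
            return true; // nothing to override
        }

        if (certificate == null)
        {
            return false;
        }

        // X509Certificate2.Thumbprint is the upper-case hex SHA-1 of the DER
        // encoding; normalise the configured value the same way before comparing.
        var presented = new X509Certificate2(certificate);
        var expected = DevCertThumbprint.Replace(" ", string.Empty);
        return string.Equals(presented.Thumbprint, expected, StringComparison.OrdinalIgnoreCase);
    }
}
```

Because the comparison is on the thumbprint rather than on the subject name, a different self-signed certificate with the same host name is still rejected, and the process-wide callback cannot be abused to accept an arbitrary certificate on an unrelated HTTPS connection.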

3. Modify the configuration file “Sitecore.Services.Client.config” to set the security policy to on, as below. The default is “ServiceLocalOnlyPolicy”, which only serves requests coming from the local machine, so a remote caller (for example client-side JavaScript from another host) is refused until the policy is changed.

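One way to make that change without editing the shipped file, added here as an example that is not from the original post: a Sitecore include patch placed under App_Config/Include. The setting name Sitecore.Services.SecurityPolicy and the policy class names ServicesLocalOnlyPolicy and ServicesOnPolicy are given as I recall them from the Sitecore 8 documentation and are assumptions here; confirm them against the Sitecore.Services.Client.config shipped with your version before relying on them.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: dev-only patch file, e.g. App_Config/Include/zDev.Services.Client.config.
     Keep it out of production deployments so the local-only default is restored there. -->
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <settings>
      <!-- Default (assumed):
           Sitecore.Services.Infrastructure.Web.Http.Security.ServicesLocalOnlyPolicy
           which only answers requests from the local machine.
           ServicesOnPolicy (assumed name) opens the services to remote callers. -->
      <setting name="Sitecore.Services.SecurityPolicy">
        <patch:attribute name="value">Sitecore.Services.Infrastructure.Web.Http.Security.ServicesOnPolicy, Sitecore.Services.Infrastructure</patch:attribute>
      </setting>
    </settings>
  </sitecore>
</configuration>
```

Using a separately named patch file means the change can be excluded from the production build or deleted from the production server, which is easier to audit than a hand edit inside Sitecore.Services.Client.config.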
