Restricting Sitecore JSS CM preview to logged in users


In Sitecore, you normally publish content from the master database to the web database in order to see it on the published website.

If you are a developer or content editor who wants to preview how content will look live, you have a couple of options: open the preview from Content Editor, or open Experience Editor and preview the page there. This is pretty convenient, but it is still not a visitor-like experience. You still see toolbars and such…

For this reason Sitecore offers a so-called “Live Mode”. In this mode, content comes from the master database rather than the web database, and you see the site as a visitor would.

With SXA and JSS the setup is pretty easy: create another site definition, point it at the master database, and typically set a virtual folder so that you can live-preview the master content from the CM URL just by adding the virtual folder to its URL.

What we usually do is create two site definitions, one for CD and one for CM. The one for CD is publishable. The one for CM is not.

To make an item unpublishable, go to the Publish tab for that item, click Change Restrictions, and uncheck the “Publishable” checkbox on the Item tab.

Then set the virtual folder to the desired one and the database to master.

This is really neat, but there is a security aspect to it. You are opening a preview of work-in-progress content, without any restrictions, to any visitor who knows the URL. Of course these visitors cannot change anything, but they can still see content that has not been published yet.


The solution was pretty simple.

In your site definition, add these two properties to the Other Properties field:

  • loginPage – /identity/login/$nameOfSite$/SitecoreIdentityServer
  • requireLogin – true

and prepare the config below, which you need to deploy to the \App_Config\Include\Foundation folder on your CM app service:

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/" xmlns:security="http://www.sitecore.net/xmlconfig/security/">
    <sitecore role:require="Standalone or ContentManagement">
        <federatedAuthentication type="Sitecore.Owin.Authentication.Configuration.FederatedAuthenticationConfiguration, Sitecore.Owin.Authentication">
            <identityProvidersPerSites hint="list:AddIdentityProvidersPerSites">
                <mapEntry name="CM Sites" type="Sitecore.Owin.Authentication.Collections.IdentityProvidersPerSitesMapEntry, Sitecore.Owin.Authentication" resolve="true" patch:before="mapEntry[@name='all sites']">
                    <sites hint="list">
                        <site>$nameOfSite$</site> <!-- name of the CM preview site definition -->
                    </sites>
                    <identityProviders hint="list:AddIdentityProvider">
                        <identityProvider ref="federatedAuthentication/identityProviders/identityProvider[@id='SitecoreIdentityServer']" id="SitecoreIdentityServer" />
                    </identityProviders>
                    <externalUserBuilder type="Sitecore.Owin.Authentication.Services.DefaultExternalUserBuilder, Sitecore.Owin.Authentication" resolve="true" />
                </mapEntry>
            </identityProvidersPerSites>
        </federatedAuthentication>
    </sitecore>
</configuration>

$nameOfSite$ is just a token in both configurations above. Replace it with the name of your site, such as DemoSite, EuropeTrainingSite, …
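
The two settings only protect the preview when they agree with each other, so here is an added example (not part of the original post) that cross-checks them before deployment. The function name `check_preview_site`, the dict form of the Other Properties values, and the trimmed sample patch are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the patch file from this page, trimmed, with the
# $nameOfSite$ token replaced by "DemoSite".
PATCH = """<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:role="http://www.sitecore.net/xmlconfig/role/">
  <sitecore role:require="Standalone or ContentManagement">
    <federatedAuthentication>
      <identityProvidersPerSites hint="list:AddIdentityProvidersPerSites">
        <mapEntry name="CM Sites" patch:before="mapEntry[@name='all sites']">
          <sites hint="list"><site>DemoSite</site></sites>
          <identityProviders hint="list:AddIdentityProvider">
            <identityProvider id="SitecoreIdentityServer" />
          </identityProviders>
        </mapEntry>
      </identityProvidersPerSites>
    </federatedAuthentication>
  </sitecore>
</configuration>"""

# loginPage shape used on this page: /identity/login/<site>/<provider>
LOGIN_RE = re.compile(r"^/identity/login/(?P<site>[^/]+)/(?P<idp>[^/]+)$")

def check_preview_site(other_properties, patch_xml):
    """Return a list of problems; an empty list means both settings agree."""
    problems = []
    if str(other_properties.get("requireLogin", "")).lower() != "true":
        problems.append("requireLogin is not true: preview is open to anonymous visitors")
    m = LOGIN_RE.match(other_properties.get("loginPage", ""))
    if not m:
        return problems + ["loginPage is missing or not /identity/login/<site>/<provider>"]
    if "$" in m["site"]:
        problems.append("loginPage still contains the $nameOfSite$ token")
    root = ET.fromstring(patch_xml)
    for entry in root.iter("mapEntry"):
        sites = [s.text.strip() for s in entry.iter("site") if s.text]
        idps = [i.get("id") for i in entry.iter("identityProvider")]
        if m["site"] in sites:
            # The site is mapped; the provider named in loginPage must be too.
            if m["idp"] not in idps:
                problems.append(f"provider {m['idp']} is not mapped for site {m['site']}")
            return problems
    return problems + [f"site {m['site']} is not listed in any mapEntry"]
```
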

Happy Sitecoring…
