Login Protected Pages

Last Updated: Feb 16, 2022
documentation for the dotCMS Content Management System

Removed in favor of using dotCMS Roles. See an example at https://demo.dotcms.com/members/

All HTML pages, by default, need the CMS Anonymous role to be “public-facing” rather than intranet pages. When a user visits a page that is not assigned the CMS Anonymous role, the browser will redirect to the dotCMS login page. The default dotCMS login page can be found in /application/login/login.dot from the Site Browser tab.

When a user is redirected to the login page, the original page reference is included in the URL so the user can be returned to the original page after login verification. After the user has logged in, the code checks the user's backend permissions. Depending on the user's permissions, dotCMS either denies access to the page and returns the user to the login page, or reveals ONLY the content on the page that the user has permissions to see.

Secure Login Page

Multiple Secure Login Pages

Multiple secure login pages can be created with different look and feel. You can check for a successful login on a piece of content, a container, a template, etc. by adding a conditional statement to the page, such as the one below:

      ##User has logged in successfully, add page code here, parse a vtl, etc.


This code checks if user has been set, and if so, it displays the page. If no user has been set it sends the visitor to your custom login page with the referring page in the URL.

Changing the Virtual URL to the Login Page

You can create a “virtual” link to your login page via the REDIRECT_TO_LOGIN parameter in the dotmarketing-config.properties file. This setting can be reconfigured to whatever path you wish to display. The path you configure in this parameter will display in the URL instead of the normal (full) path to the /application/login/login.dot page.

Note: It is strongly recommended that all changes to the dotmarketing-config.properties file be made through a configuration plugin.


Changing the Hard-coded Secure Login Path

The path to the secure login page can also be changed through the struts-cms.xml plugin file. The following action maps the path to the login page:

<action path="/login"  type="com.dotmarketing.cms.login.action.LoginAction" name="loginForm" scope="request" validate="false"  parameter="dispatch" input="/application/login/login.dot" >
      <forward name="loginPage" path="/application/login/login.dot" />
      <forward name="forgotPasswordPage" path="/application/login/forgot_password.dot" />
      <forward name="challengeQuestionPage" path="/application/login/challenge_question.dot" />
      <forward name="successPage" path="/application/login/login_successful.dot" />
      <forward name="resendActivationPage" path="/application/myaccount/resend_activation_email.dot" />    


dotCMS uses the Struts 1 Forever package, which fixes all known security issues with Apache Struts, and which is continually maintained and patched.

On this page


We Dig Feedback

Selected excerpt: