Using the Blog Feed in Feed Manager

Using the Blog Feed in Feed Manager

Often people would like a way to show the most recent blog posts on their home page while the blog is on a different page. This can be done easily by consuming the RSS (Really Simple Syndication) feed from the Blog in the Feed Manager. Once you have at least one post in the blog you can right click the RSS icon on the blog page, and choose copy link location, then in Feed Manager paste that in as the RSS feed. This is done very commonly to show a small "latest news" on the home page with links that go to the details in the blog post.

The RSS icon looks like this:

RSS icon

or you might see some variation since the icon can be changed.

A Note About Security

In mojoPortal content management system, access to content is determined by roles that are allowed to view a page. So you could put a blog on a page protected by a role so that anonymous visitors cannot see the blog content and only users signed into the site and who are role members can view it.

However, once you do protect a blog then you can't really use RSS because RSS is for things published publicly, the RSS specification doesn't provide a way to control access, so if you expose an RSS feed you are basically making the content public. In mojoPortal we do protect the feed with the same page roles so that no data is accidentally leaked by having an RSS feed. The problem is that the RSS feed will be basically useless since it cannot be consumed easily in feed readers (like Google Reader) or aggregated by other feeds, or used with FeedBurner because those consumers of RSS are not authenticated and are not role members. So in general the use of RSS feeds is antithetical to securing the content, you can publish content publicly or you can publish it securely but you cannot do both and RSS by design is intended to be for publicly accessible content. 

Occasionally users of mojoPortal CMS have asked for a way to bypass the security so that they can show the protected blog on a feed manager on their public home page. So we made it possible to do this by configuration.

You can generate a random guid and add it to user.config like this:

<add key="InternalFeedSecurityBypassKey" value="3B05C70F-8399-421B-8FDE-CAABB7811779" />

ie in sql server you could generate a guid with SELECT newid()

if a guid is present in this setting then the feed manager will pass the guid in the request for the feed and the blog rss page will allow it to be served if  it sees the correct guid.

However, it is a hack and NOT ENTIRELY SECURE, so use this hack at your own discretion. If someone can find out the guid then they can bypass the security also and get the feed data. It would not be easy to find out the guid but also not impossible.

Once you add this setting to user.config, you will need to either touch Web.config or recycle the application pool since the ASP.NET runtime won't automatically detect changes in user.config. Then finally you will need to clear the feed cache in Feed Manager.

Note that even though this allows the Feed Manager to consume the feed and show it on your home page, if a user clicks a link in the feed manager that link will try to go to the blog post and if the blog page is protected users will not be able to access the content. If the user is not authenticated they will be redirected to the login page, or if the user is authenticated but not in an allowed role they will see an access denied message. So, anyway you slice it, if you want to expose a feed from the blog you really cannot effectively secure the blog page, they are mutually exclusive options.

Created 2011-09-25 by Joe Audette