An Introduction to Force.com Sites
Force.com Sites enables developers to build and deploy public web sites and web applications using Force.com. These Web sites can be assigned custom domain names, letting you run your own web sites on the platform.
Force.com Sites are built with Visualforce, and they can leverage the data, content and logic that resides in your own environment.
This article introduces Force.com Sites. It shows how to create your first Force.com Site, and illustrates the major areas of functionality such as security, syndication feeds, site audit history, error pages, usage reports and caching.
There are three main use cases for Force.com Sites:
- Corporate and Intranet web sites: You can run your entire public corporate web site on Force.com Sites, or create intranet sites by IP restricting the sites.
- Microsites: You can run portions of your web site where you need dynamic interactions with end users. These dynamic pages can be used to capture information from end users. You can also provide these pages to push information to end users such as store locators, partner locators or product catalogs.
- Web Applications: Web applications are dynamic applications accessible through a browser. These applications can be anything from e-commerce vending to automating complex business flows. An example is the event management application we use for Dreamforce that includes a marketing web site with rich content, dynamic pages for session information, online registration, payment processing, and fine tuned interfaces for mobile, kiosk devices.
See the Sites Gallery for a look at sites that have already gone live using Force.com Sites.
Creating a Force.com Site
To create a basic Force.com Site, you need to follow the following four steps:
- Register a domain name
- Create a Force.com Site using the domain name
- Assign Visualforce pages to the Site
- Set up the security access permissions
Here's a short tutorial on creating a simple site. The tutorial assumes that you have a Developer Edition environment. Register for one (it's free) on Developer Force. More information on each of these topics can be found in this article after the tutorial.
Registering a domain name
In order to create your sites you must first register your Force.com domain name. This only has to be done once. You should choose a domain name that represents your organization rather than a specific site.
Navigate to Setup | Develop | Sites and enter a domain name to use. You'll see a setup screen much like the following:
On Developer Edition environments, your domain name will look something like
Creating a Site
You're now ready to create a site that can be referenced from the domain name. In Setup | Develop | Sites, hit the New button. Besides the label and name fields (which are used when listing and interacting with the site using the admin user interface and Force.com SOAP API), the important fields are:
- Active - you want to enable this to ensure that end users can access your site.
- Default Web Address - if you want your site to have a particular location, enter one here. For our demo, simply leave this blank.
- Active Site Home Page - this points to the default Visualforce page to display when your site is active
The following figure shows this in action.
By default the home page for your site will be set to
UnderConstruction, a Visualforce page that is automatically created for you. At this point you actually have a live (but boring) website!
Assigning a Visualforce Page
When you create a site, the platform creates a number of Visualforce pages for you to be displayed under different circumstances (for example, when the site is inactive). Simply hit the Edit button to add Visualforce pages that you want to expose on your Site.
You will then be able to simply choose from the Visualforce pages you have in your environment. See An Introduction to Visualforce to learn how to create Visualforce pages.
After assigning Visualforce pages to your site, you can then go back and edit the Site and change the Active Site Home Page to one of those Visualforce pages. For example, let's assume you added two Visualforce pages to your site, PageA and PageB, and that you made PageA the Active Site Home Page. Assuming your domain is
http:// MyDomainName-developer-edition.na6.force.com/ will show PageA
http://MyDomainName-developer-edition.na6.force.com/PageB will show PageB.
Setting up Security
Force.com Sites has a number of security mechanisms detailed below. For example, you can IP restrict the web site, ensuring that only your intranet has access. It also has data security features. In particular, if you have a database object, and your Visualforce displays data from that database object, the page may not render the data when on a Force.com Site unless you explicitly configure the site security to grant read access to that object. You do this on the "Public Access Settings" when on the Site detail page.
That should be enough to get you started! Check out the Workbook for a more detailed tutorial.
URLs, Default Pages, Favicons and Robots.txt
The rest of this article looks at the various components of Force.com Sites in a lot more detail. In this section we'll look at the domain name, URL structure, default pages and robots.txt files. The following sections examine security, caching and so on.
URL Paths and Sites
Once you register your Force.com domain name you can create up to 25 sites under this domain name (Enterprise Edition and Unlimited Edition). Developer Edition environments can create 1 site. Each of these sites will have a unique path in the site URL to differentiate one site from another. The location is optional, as you saw in the tutorial. The following figure shows the general URL path structure.
A site consists of 3 components:
- The Force.com domain name that uniquely identifies your specific organization (case insensitive)
- The path identifies the specific site (case sensitive)
- A Visualforce page that is associated with your site (case insensitive)
Note that there are no limitations on how many pages you can have per site; you only need to create a new site when you need a different security model, or a different custom domain name.
You can mask your default site URL with your custom domain name. Simply create a CNAME alias via your 3rd party domain name registrar and point your custom domain name to your Force.com domain name and populate the Custom Web Address field with your custom domain name. You cannot do this for Developer Edition environments or Developer Sandboxes.
Sites Visualforce Pages and Error Pages
A number of default pages are automatically created for you. The Active Site Home Page and Inactive Site Home Page are the two home pages that are displayed based on whether you have activated the site or not.
Before a page can be surfaced on a Site, it has to be added to the set of Site Visualforce Pages as indicated in the tutorial. Even then, it may only render as expected given the correct security conditions.
Force.com Sites also provides sample HTTP error pages, as shown in the following figure.
You can customize or replace these pages with your own pages.
The platform uses the Site Contact to send email notifications related to site errors and site usage alerts. The system will display generic error messages to the end users, however site contacts get specific emails about the errors occurring on their sites.
Robots.txt and Favicons
Sites includes support for robots.txt and favorite icon settings. The robots.txt file informs web spiders and robots as to which pages of your site should be indexed. Here is a sample Visualforce page for allowing all robots to index all pages , as well as referencing a sitemap.xml on your site:
<apex:page contentType="text/pain"> User-agent: * Disallow: Sitemap: http://<site_URL>/<sitemap_visualforce_page_name> </apex:page>
The favorites icon (favicon) is the icon that appears in the browser's address field that visitors see when browsing your site. Use the Sites Favorite Icon field to set the favorites icon for your entire site. Upload and store your favorites icon as a Static Resource.
There are a number of security features in Force.com Sites, ranging from determining which Visualforce pages are visible, Public Access Settings such as IP restriction and data object restriction, and user registration and authentication.
Visualforce Pages Visibility
As illustrated in the tutorial, Visualforce pages have to be explicilty added to a Site before they can be accessed via the Site URL. Sites also allows you to expose Home Page, Ideas, Search, and Lookup standard pages from your org.
Public Access Settings
Force.com Sites uses the same security mechanism that is used for the platform and product users. Behind the scenes each site has a unique guest user and each guest user has a unique profile that can be accessed via the site public access settings. Profiles tell the system about what can be accessed by the users. The profile for the guest user determines what anonymous visitors to the site have access to.
With the public access settings you're allowed to set full create/read/update/delete (CRUD) permissions for all custom objects, and read and create on most standard objects. There are three standard objects – Products, Pricebooks, and Ideas – that are exposed as read only.
And, in the same way that you can restrict IP ranges on a user profile, you can restrict access to your site based on IP ranges. This allows you to create a site that is only accessible to your own internal employees. With this capability you could use Sites to build a corporate intranet.
To use IP restrictions, HTTPS is required. You must use the secure URL associated with your Force.com domain to access your site.
We recommend setting the sharing to private for the objects on which you grant "Read" access for your Force.com site. This ensures that users accessing your site can view and edit only the data related to your site.
It's also a good practice to secure the visibility of all list views. Set the visibility of your list views to Visible to certain groups of users, and specify the groups to share to. List views whose visibility is set to Visible to all users may be visible to public users of your Force.com site. To share a list view with public users, create a new public group for those users and give them visibility. If the object's sharing is set to private, public users will not be able to see those records, regardless of list view visibility.
User Registration and Authentication
Force.com Sites provides seamless integration with Customer Portal and Partner Portal products in order to allow registration and authentication for your web sites. For more details, see Authenticating Users on Force.com Sites.
Simply click the Login Settings button and associate your site with one the active portals in your organization.
Default pages are provided to support registration, login, forgot password, and change password functions. You can use these default pages and controllers right out of the box, or you can modify them, or even replace them with pages of your own.
This is the only ways in which you can authorize and log users into your application built on Force.com Sites. See Authenticating Users on Force.com Sites to learn how to do this.
Force.com Sites has a number of additional features, including a Site configuration auditing history, syndication feeds and a global content delivery network. This section looks at these in more detail.
Site History allows you to easily determine who changed what part of the Force.com Sites configuration, and when they did it. See the following figure for an example.
The Site History records changes to:
- Site creation,
- Site detail changes,
- Error page mapping updates,
- Login setting updates, and
- Enablement of standard pages.
Syndication feeds gives site visitors the ability to subscribe to changes within Force.com Sites and receive updates in external feed readers. First, enable the feed for your site by checking the "Enable Feeds" check box on site definition
Create a feed entry by simply defining a SOQL query to retrieve the data that you want to appear in the feed, and by creating a mapping definition to map the data to the feed output. Here's an example SOQL query to retrieve three fields from the database object "account":
select id, name, description from account
Here is an accompanying mapping definition:
ft: "My Feed", fa: "Jon Mountjoy", et: Name, ec: Description , el: "/" + Id, ect: "html"
This maps the data to an Atom syndication feed format, and is described on the help page. In particular,
ft stands for "feed title",
fa for "feed author",
et for "entry title",
ec for "entry description",
el for "entry link" and so on. As you can see, the system automatically iterates over the result to generate the feed.
You can create one or more syndication feeds for your organization's public sites or any Visualforce page.
Force.com Sites imposes two daily limits, i.e., 24 hour rolling limits. These limits depend on the organization type as follows:
The limits govern
- Volume: Total number of bytes of data in and out of your site, and
- Request time: Total amount of time spent to generate pages on the server side.
When a site reaches one of these limits the site will display the Limit Exceeded error page. Even though these limits are set very high for active orgs, high traffic or pages requiring heavy bandwidth or long processing time may cause a site to reach one of these limits within a given 24 hour period. You can track how your site is doing against these limits via the 24-Hour site usage history related list on the site details page.
You can virtually increase these limits by leveraging the caching functionalities provided for you. Force.com Sites seamlessly integrates with one of the leading Content Delivery Network (CDN) vendors to allow you to cache your pages all around the world for a duration that you can set. CDN integration not only improves your global reach (more than 40,000 servers all around the world) but it also provides your site visitors satisfaction by serving content to the closest location to them.
You can simply decide which pages will be cached and for how long. When a page in cache expires, the CDN system will retrieve the latest version of the page from your application via the fastest route by leveraging its special traffic optimization logic. To enable a Visualforce page for caching, use the following page declaration:
<apex:page cache="true" expires="600">
The "expires" attribute is an Integer value that specifies the period of cache in seconds.
By default, caching is set to 10 minutes so each request won't count against request time limit and bandwidth limit. Note that the CDN integration is only valid for active, production orgs. Sandbox orgs, Prerelease orgs, and Developer Edition orgs do not have CDN integration. To protect the integrity of sensitive information, SSL (secure) sessions and pages requested after authentication (login) are not cached via CDN. In order to use static resource on public sites you need to set the Static Resource "Cache Control" attribute to "Public". See the article Delivering Static Resources with Visualforce. We recommend that you store large audio and video files you want to access on your public sites on a 3rd-party system to avoid daily bandwidth limit restrictions.
To keep track of your site activity and usage, take advantage of the Site Usage Reporting managed package, which provides out-of-the-box reports and a dashboard for monitoring site usage. Analyze your monthly page views, daily bandwidth, and daily service request time so you can avoid reaching monthly and daily limits for individual sites, as well as for your organization.
The Site Usage managed package, available here on Force.com AppExchange, contains out-of-box reports and a dashboard for monitoring Force.com Sites usage.
The Site Usage Reporting managed package also contains a number of reports to help you perform analytics on usage for your sites. You can find them on the Reports tab: Under All Reports, expand the Site Usage Reports folder. You can also select Site Usage Reports in the Folder drop-down list, then click Go. Here's a list of reports:
Multi Language Support
In order to translate labels that appear in your Visualforce pages, the translation workbench must be enabled for your organization. You will need to use the translation workbench to translate the standard and custom object labels. And you can use the custom labels feature to create translated labels for any type of text you want to use in your Visualforce pages. The following example shows a copyright label that is translated into the Spanish.
You can use these labels in Visualforce pages using the following syntax:
The label will be rendered based on the user's language or the page language. You can set the Site level language via Site Details | Public Access Settings | Show Users | Edit user details.
You can also set the page language by passing a parameter to the page via the URL as follows:
- Define the language parameter for your page
- Pass the parameter via the URL
The figure above shows how the language was changed to Spanish by appending the parameter "lang=es" to the URL.
A great website is sometimes the best way to engage your audience. Force.com Sites provides an easy and powerful way to build such websites - hosted entire on Force.com. This article introduces Force.com Sites. It shows how to create a simple site, and illustrates the major areas of functionality such as security, syndication feeds, site audit history, error pages, usage reports and caching.
- The Force.com Sites page on Developer Force points to many resources to help you get started with Force.com Sites.
- Adding CAPTCHA to Force.com Sites shows how to add CAPTCHA to your forms to validate humanity.
- See Authenticating Users on Force.com Sites for a detailed tutorial on adding authentication to your site.
About the Authors
- Bulent Cinarkaya is the Product Management Director responsible of Force.com Sites. You'll find him on the developer blog as well as the discussion boards under the screen name Bulent.
- Jon Mountjoy is the community manager and editor-in-chief at Developer Force. He gets kicks out of learning new things and communicating these to the community. You can find Jon on the Developer Force blog, Twitter, FriendFeed and more.