Enable Channel Authentication within the Experience Manager
Configure the Experience manager to authenticate CMS user previewing protected channels or pages.
For CMS users previewing a channel in the Experience manager, authentication is bypassed by default so they can freely browse the entire channel. However, it is possible to configure the Experience manager to authenticate CMS users previewing a proteced channel or page.
The node /hst:hst/hst:hosts provides a boolean property hst:channelmanagersiteauthenticationskipped.
The default value for hst:channelmanagersiteauthenticationskipped is true, which means that CMS users authorized to preview a channel never have to authenticate within the preview channel.
To force authentication of CMS users previewing protected channels or pages in the Experience manager, set the hst:channelmanagersiteauthenticationskipped to false:
/hst:hst: /hst:hosts: hst:channelmanagersiteauthenticationskipped: false