CodeBetter.Com
Sign in | Join | Help
in Search
CodeBetter.Com
RSS 2.0 via Feedburner
           Do you Twitter? Follow us @CodeBetter

Jeff Lynch [MVP]

Everything E-Commerce!

ASP.NET 2.0 and Web Standards - SiteMap Security Trimming

One of the most interesting and truly useful features of the new XmlSiteMapProvider is it's ability to selectively generate HTML through it's "securityTrimmingEnabled" attribute. A common requirement for many web sites is to allow only certain users to access certain parts of the site. ASP.NET 2.0's new role management features provides an easy way to restrict access to web pages based on security roles. The SiteMapProvider model offers security trimming to provide a way to hide navigational links in a site map, also based on security roles. All that's required is to set the "securityTrimmingEnabled" attribute to "true" and the SiteMapProvider will do the rest of the work.

<siteMap defaultProvider="XmlSiteMapProvider" enabled="true">

   <providers>

      <add  name="XMLSiteMapProvider

            description="Default SiteMap Provider

            siteMapFile="Web.sitemap

            securityTrimmingEnabled="true

            type="System.Web.XmlSiteMapProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>

   </providers>

</siteMap>

In my application I've setup an "Admin" folder under the main web site, which contains Administrator only web pages to allow the Administrator to add users, shipping addresses, etc. Since I don't want normal users to access this section of the web site I created a Web.config in the Admin folder as shown below. This blocks all site users except those belonging to the "Admin" role from accessing any files in this folder.

<configuration>

  <appSettings/>

  <connectionStrings/>

  <system.web>

    <authorization>

      <allow roles="Admin" />

      <deny users="*" />

    </authorization>

  </system.web>

</configuration>

With the XmlSiteMapProvider's "securityTrimmingEnabled" set to true a user assigned to the "Admin role sees this menu.

While a normal user sees this menu.

What's very cool about this is that the SiteMapProvider doesn't just "hide" the trimmed parts of the menu. The HTML is not even generated by the control making it much more difficult for a "normal" user to even know that the "Admin" section of the site exists! You can set a breakpoint in your page code and run in "Debug" mode to see exactly how this works. It's a pretty cool little feature that saves countless hours of programming.


Published Jan 15 2006, 05:30 PM by jlynch
Filed under:

Comments

Christopher Steen said:

ASP.NET 2.0 and Web Standards - SiteMap Security
Trimming [Via: jlynch ]
BizTalk Web Resources ...
# January 15, 2006 10:18 PM

Brian said:

That doesn't seem to work for me. My whole menu disappears even though out of the 6 items in my web.sitemap file, only 1 has roles being used - and even though I'm logged in, and a member of that role (all roles as a matter of fact) I see 0 items in the menu.
# February 19, 2006 9:32 AM

Jeff Lynch [MVP] said:

CS2006 now offers a custom ASP.NET 2.0 compatible membership provider (UpmMembershipProvider) for authentication and authorization. What's still lacking however, is a custom role provider which is essential for most B2B scenarios.
# May 12, 2006 10:00 PM

Jeff Lynch [MVP] said:

CS2007 now offers a custom ASP.NET 2.0 compatible membership provider (UpmMembershipProvider) for authentication and authorization. What's still lacking however, is a custom role provider which is essential for most B2B scenarios.
# August 14, 2006 5:09 PM

Scott Vickrey said:

Enabling securityTrimmingEnabled makes my whole menu go away no matter what role you are logged in as.

# April 30, 2007 2:29 PM

jlynch said:

Scott,

Set a break point in your menu code and run the site in debug mode. You should be able to see exactly what's happening.

Jeff

# April 30, 2007 3:03 PM

edu said:

Hi, I'm from Brazil... Sorry for my english, is not very well... If possible, i would like for template (CSS) of Gulf Coast Seal direct... for student this... Best Regard's mail: trocadordeideias@hotmail.com
# September 12, 2007 4:37 PM

jlynch said:

I'm sorry but I can't give away my company's intellectual property but I'd be happy to answer any questions you may have about this.

# September 12, 2007 6:08 PM

Ash said:

Hey, just gotta say thanks for this, it works perfect on my site - was just what I needed along with Scott Mitchells guide to setting the page title by the sitemap

# September 17, 2007 6:36 AM

Sajid said:

Hi,

I have a css based menu with <ul></ul> tags

there is an adminpage listed in the <ul> tage within a <li></li>

the admin page does seem to get hidden from otrher users?

# December 5, 2007 11:33 AM

Leave a Comment

(required)  
(optional)
(required)  

Enter the numbers above:
Add
Check out Devlicio.us!

Our Sponsors

Free Tech Publications

This Blog

Syndication

Tags

BizTalk Bloggers

Commerce Server Bloggers

Microsoft Heros

Team System Bloggers

About CodeBetter.Com

CodeBetter.Com FAQ
Our Manifesto
Advertisers should contact Brendan

Subscribe

Google Reader or Homepage
del.icio.us CodeBetter.com Latest Items
Add to My Yahoo!
Subscribe with Bloglines
Subscribe in NewsGator Online
Subscribe with myFeedster
Add to My AOL
Furl CodeBetter.com Latest Items
Subscribe in Rojo

Member Projects

WSMQ - Brendan Tompkins
Sarasota Web Design - David Hayden
Patterns & Practices - David Hayden
dotMath - Steve Hebert
EZWeb - Jeffrey Palermo
Structure Map - Jeremy D. Miller
StoryTeller - Jeremy D. Miller
The Code Wiki - Karl Seguin

 

Friends of CodeBetter.Com

Red-Gate Tools For SQL and .NET
 BlogJet
CodeSmith 3.0
 SourceGear Vault
Telerik
 ComponentArt
VistaDB
JetBrains - ReSharper
 Beyond Compare
 .NET Memory Profiler
NDepend
AliCommerce
Ruby In Steel
SlickEdit
SmartInspect .NET Logging
NGEDIT: ViEmu and Codekana
LiteAccounting.Com
DevExpress <-- NEW Friend!


Site Copyright © 2007 CodeBetter.Com
Content Copyright Individual Bloggers

Community Server (Commercial Edition)