Jeff Lynch [MVP]

ASP.NET 2.0 and Web Standards - SiteMap Security Trimming

One of the most interesting and truly useful features of the new XmlSiteMapProvider is its ability to selectively generate HTML through its "securityTrimmingEnabled" attribute. A common requirement for many web sites is to allow only certain users to access certain parts of the site. ASP.NET 2.0's new role management features provide an easy way to restrict access to web pages based on security roles. The SiteMapProvider model offers security trimming as a way to hide navigational links in a site map, also based on security roles. All that's required is to set the "securityTrimmingEnabled" attribute to "true" and the SiteMapProvider will do the rest of the work.

<siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
   <providers>
      <!-- securityTrimmingEnabled="true" makes the provider omit nodes the current user may not view -->
      <add  name="XMLSiteMapProvider"
            description="Default SiteMap Provider"
            siteMapFile="Web.sitemap"
            securityTrimmingEnabled="true"
            type="System.Web.XmlSiteMapProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
   </providers>
</siteMap>

In my application I've set up an "Admin" folder under the main web site, which contains Administrator-only web pages that allow the Administrator to add users, shipping addresses, etc. Since I don't want normal users to access this section of the web site, I created a Web.config in the Admin folder as shown below. This blocks all site users except those belonging to the "Admin" role from accessing any files in this folder.

<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

With the XmlSiteMapProvider's "securityTrimmingEnabled" set to true, a user assigned to the "Admin" role sees this menu.

While a normal user sees this menu.

What's very cool about this is that the SiteMapProvider doesn't just "hide" the trimmed parts of the menu. The control never generates the HTML for them, which makes it much more difficult for a "normal" user to even know that the "Admin" section of the site exists! Trimming only affects the navigation that is rendered; the authorization rules in the Admin folder's Web.config are what actually block requests to those pages. You can set a breakpoint in your page code and run in "Debug" mode to see exactly how this works. It's a pretty cool little feature that saves countless hours of programming.
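The trimming decision described above, as an added example that is not code from the original post or from ASP.NET: a simplified Python model in which a node is shown if its `roles` attribute matches the user, or otherwise if the `<authorization>` rules for its folder allow the URL (first matching rule wins, nearest folder first). The sitemap contents, page names and user names are constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/AspNet/SiteMap-File-1.0}"
# Constructed sample Web.sitemap (not from the original post).
SITEMAP = """<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="~/Default.aspx" title="Home">
    <siteMapNode url="~/Products.aspx" title="Products" />
    <siteMapNode url="~/Admin/Users.aspx" title="Admin" />
  </siteMapNode>
</siteMap>"""
# Same rules as the Admin folder's Web.config shown in the post.
ADMIN_CONFIG = """<configuration><system.web><authorization>
  <allow roles="Admin" /><deny users="*" />
</authorization></system.web></configuration>"""

def split(value):
    return {s.strip() for s in value.split(",") if s.strip()}

def load_rules(config_xml):
    """Return [(action, roles, users)] in document order."""
    auth = next(ET.fromstring(config_xml).iter("authorization"))
    return [(r.tag, split(r.get("roles", "")), split(r.get("users", ""))) for r in auth]

def url_allowed(url, user, roles, configs):
    """Walk up from the page's folder; with no matching rule the default is allow."""
    folder = posixpath.dirname(url)
    while True:
        for action, r_roles, r_users in configs.get(folder, []):
            if (r_roles & roles or "*" in r_users or user in r_users
                    or (user is None and "?" in r_users)):
                return action == "allow"
        if folder in ("~", ""):
            return True
        folder = posixpath.dirname(folder)

def visible_titles(sitemap_xml, user, roles, configs):
    """Titles left after trimming; a hidden node hides its whole subtree."""
    shown = []
    def walk(node):
        node_roles = split(node.get("roles", ""))
        url = node.get("url", "")
        if ("*" in node_roles or node_roles & roles
                or (url and url_allowed(url, user, roles, configs))):
            shown.append(node.get("title"))
            for child in node.findall(NS + "siteMapNode"):
                walk(child)
    walk(ET.fromstring(sitemap_xml).find(NS + "siteMapNode"))
    return shown
```

In this model, a root node that fails the check yields an empty menu, because none of its children are ever visited.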


Posted 01-15-2006 5:30 PM by Jeff Lynch

Comments

Brian wrote re: ASP.NET 2.0 and Web Standards - SiteMap Security Trimming
on 02-19-2006 9:32 AM
That doesn't seem to work for me. My whole menu disappears even though out of the 6 items in my web.sitemap file, only 1 has roles being used - and even though I'm logged in, and a member of that role (all roles as a matter of fact) I see 0 items in the menu.
Jeff Lynch [MVP] wrote Commerce Server 2006: Development Tip #8 - UpmRoleProvider
on 05-12-2006 10:00 PM
CS2006 now offers a custom ASP.NET 2.0 compatible membership provider (UpmMembershipProvider) for authentication and authorization. What's still lacking however, is a custom role provider which is essential for most B2B scenarios.
Jeff Lynch [MVP] wrote Commerce Server 2007: Development Tip #8 - UpmRoleProvider
on 08-14-2006 5:09 PM
CS2007 now offers a custom ASP.NET 2.0 compatible membership provider (UpmMembershipProvider) for authentication and authorization. What's still lacking however, is a custom role provider which is essential for most B2B scenarios.
Scott Vickrey wrote re: ASP.NET 2.0 and Web Standards - SiteMap Security Trimming
on 04-30-2007 2:29 PM

Enabling securityTrimmingEnabled makes my whole menu go away no matter what role you are logged in as.

Jeff Lynch wrote re: ASP.NET 2.0 and Web Standards - SiteMap Security Trimming
on 04-30-2007 3:03 PM

Scott,

Set a break point in your menu code and run the site in debug mode. You should be able to see exactly what's happening.

Jeff

edu wrote re: ASP.NET 2.0 and Web Standards - SiteMap Security Trimming
on 09-12-2007 4:37 PM
Hi, I'm from Brazil... Sorry for my English, is not very well... If possible, I would like for template (CSS) of Gulf Coast Seal direct... for student this... Best Regards mail: trocadordeideias@hotmail.com
Jeff Lynch wrote re: ASP.NET 2.0 and Web Standards - SiteMap Security Trimming
on 09-12-2007 6:08 PM

I'm sorry but I can't give away my company's intellectual property but I'd be happy to answer any questions you may have about this.

Ash wrote re: ASP.NET 2.0 and Web Standards - SiteMap Security Trimming
on 09-17-2007 6:36 AM

Hey, just gotta say thanks for this, it works perfect on my site - was just what I needed along with Scott Mitchell's guide to setting the page title by the sitemap

Sajid wrote re: ASP.NET 2.0 and Web Standards - SiteMap Security Trimming
on 12-05-2007 11:33 AM

Hi,

I have a CSS-based menu with <ul></ul> tags

there is an admin page listed in the <ul> tag within a <li></li>

the admin page does seem to get hidden from other users?
