tags:

views:

684

answers:

2
+1  Q: 

Forms Authentication with Sitemap and asp:Menu control

I have a site with 2 sections - one for customers and one for admins, in essence. Each section is in its own directory with its own web.config and sitemap. Security and access works fine.

When I am logged in as admin, I want to see menu items that link to the other section, however. I added links to the sitemap, e.g.:

<siteMapNode url="~/Customer/Default.aspx?3" title="Customer Site"
description="Switch to customer site" roles="Administrator"/>

This seems to have no effect, since I still see the menu item when logged in as a customer. When I turn on security trimming, as in

<siteMap enabled="true">
  <providers>
    <add name="InternalSiteMap" type="System.Web.XmlSiteMapProvider" 
        siteMapFile="~/Internal/Internal.sitemap" />
    <add name="CustomerSiteMap" type="System.Web.XmlSiteMapProvider" 
     siteMapFile="~/Customer/Customer.sitemap" securityTrimmingEnabled="true" />
  </providers>
</siteMap>

all menu items are gone.

I actually have web.configs in both the Internal and the Customer folders, e.g. for the customer:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Customer" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

and the administrator:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <authorization>
            <allow roles="Administrator" />
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>

Again, authorization works, and when I am logged in as a Customer and I click on the internal site link in the menu, I am being redirected to the login page. As an admin, I can click through to the admin site. As soon as I turn on security trimming for the sitemap provider, which is supposed to take the links that I am not authorized for off the menu, the entire menu disappears. What am I missing? Do I need to configure the asp.menu control to work together with this?

Update: I put a bounty on this question, because I still cannot get it to work. We are inclined to throwing out the menu control and writing our own, but if someone can provide a hint, that would be preferred of course. Again - the problem is not with security - the roles and access rules work as expected. It is with the menu control and security trimming. The menu disappears alltogether when security trimming is turned on for a sitemap.

Update: Thanks for finding this blog post, Pavel. What I learned from this is that if there are sitemap entries that do not have a path and URL (which is also true for some of my submenues), the control cannot infer permissions from the settings in the web.config, and you have to specify the roles in the sitemap. Otherwise, they will be hidden by default.

A: 

http://www.vbforums.com/showthread.php?p=3625975

Check the logged in user has the Administrator role.

Edit:

I'm also pretty sure your not ment to specify the role in the siteMapNode. I belive role based site maps work off existing roles, eg if a user has access to the path that the site note specifys then it will display it.

Also specify the path in the webs.config.

<location path="admin/">
    <system.web>
        <authorization>
            <allow roles="Admin"  />
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

And finally remove the '~' from your site map so that the comparison will match.

Once this is all done and if this is still not working, merge the web.configs to make sure permisions are not being lost.

Pino  2009-10-29 17:13:22
Yes, this is what I am trying to do and it is not working. The link was not helpful. The user does not have the Admin role.
cdonner  2009-10-29 21:13:22
I've Edited the post
Pino  2009-10-30 08:54:31
I did all this, but the problem remains. As soon as I enable security trimming in the sitemap, the menu disappears. With security trimming not enabled, security works as expected (i.e. redirect to login page when there is no access).
cdonner  2009-12-10 17:53:04
+2  A: 

From Horizontal Menu Disappears with securityTrimmingEnabled="true":

Make sure that every role has access to the (unused) dummy siteMapNode at the root by including roles="*" in web.sitemap shown below:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap  enableLocalization="true"
     xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
    <siteMapNode url="" title="" roles="*"  description="">
      <siteMapNode url="~/default.aspx" resourceKey="siteMapHome" 
       title="Home" roles="admin,account" description="" />
<!-----More nodes-->
Pavel Chuchuva  2009-12-14 02:39:41
Nice one, thanks!
cdonner  2009-12-14 15:35:15

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps