Last post Feb 01, 2011 10:52 AM by vj82reddy
Jul 27, 2006 11:33 AM|Bow99|LINK
I have been developing an application which uses forms authentication followed by role-based access. I have achieved this by creating custom Membership and Role Providers which I have now got running successfully. So for example User "jo.bloggs" has the following Roles (MenuRole1, MenuRole2, MenuRole3) etc. etc.
What I'm wanting to achieve now is to have a menu which is restricted for the relevant roles. Using the menu control and SiteMap (Which I will use for breadcrumbs etc)
I expected to use the following:
Only I'm not having much luck. Been looking on MSDN at the SiteMapProvider class http://msdn.microsoft.com/en-us/library/ms281246.aspx and noticed that there is a method called IsAccessibleToUser which I'm guessing will work like my IsUserInRole or isInRole methods in my role provider class which I have written.
What I thought I needed to do was create a custom SiteMapProvider but there are MustInherit methods(FindSiteMapNode,
The thing is I want the menu to work like normal but just reference my Role Provider. My idea is that I would override the IsAccessibleToUser method and point to my custom RoleProvider, but I really don't want to rewrite the wheel and rewrite the FindSiteMapNode, GetChildNodes, GetParentNode, GetRootNodeCore methods.
Or am I looking at this from the wrong direction :)
Jul 28, 2006 05:12 AM|Dave Sussman|LINK
Completely the wrong direction I'm afraid, although it's easy to understand why you went this route. You only need to think about IsAccessibleToUser when writing your own site map providers; the framework handles it all if you're using the standard xml site
First off, security trimming should be applied to the provider, not the site map nodes (you can remove it from there). So in web.config you should have:
You lock down pages by using authorisation, in web.config files. This can be in the top-level web.config, or separate web.config files in a folder. For example, to lock down individual pages, you would add something like this:
<authorization>
  <allow roles="MenuRole1" />
  <deny users="*" />
</authorization>
This allows only users with the MenuRole1 to access the page (* = all users, so we deny all users, but allow only those with the role - always put the allow first). The reason we use the authorization section is that it stops users from typing in the URL into the address bar; the framework checks authorization for every URL.
Now that you've locked down your pages, you can remove the roles attributes from the site map nodes; this is an often misunderstood attribute, but roles on a siteMapNode doesn't restrict access to the node, it widens it. This does seem counterintuitive, but is actually sensible; the widening allows you to have nodes visible that wouldn't normally be visible because they might be unauthorised. A good example of this is a URL that is outside of your website (e.g. to amazon or google); ASP.NET has no way to check that you are authorized to access these, so adding roles="*" means that everyone is allowed access to that node. When a site map node is exposed via the API (which in your case means via the SiteMapDataSource), the authorization for that URL is checked; if the user is authorized, the node is made available; if not authorized, the node isn't supplied. So the SiteMapDataSource only supplies nodes (to the Menu for example) that the user has authorization for.
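The two settings described in the reply above, placed in one web.config. This is an added example, not the snippet from the original post (which did not survive on this page); the page path `Admin/Reports.aspx`, the provider name and the use of the default role provider are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Trimming needs an authenticated identity and its roles -->
    <authentication mode="Forms" />
    <roleManager enabled="true" />

    <!-- Security trimming is switched on at the provider, not on the nodes -->
    <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
      <providers>
        <add name="XmlSiteMapProvider"
             type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>
  </system.web>

  <!-- Hypothetical page: only MenuRole1 may request it; allow comes before deny -->
  <location path="Admin/Reports.aspx">
    <system.web>
      <authorization>
        <allow roles="MenuRole1" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The `<authorization>` rule is the access control; trimming only decides which nodes the menu shows, so a page without a rule stays reachable by URL even if its node is hidden.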
Jul 28, 2006 09:07 AM|Bow99|LINK
Thanks a lot, you have made me a very happy man.
I realised my error for inheriting the wrong provider (I was trying to inherit SiteMapProvider). I have now managed to integrate the MembershipProvider along with the RoleProvider and now created my own xmlSiteMapProvider which all works along with the security (from the web.config).
Thanks for showing me the easy way.
For anyone else looking at this post I have created a sample project which incorporates the Membership, Role and xmlSiteMap Providers. This demonstrates the menu control which uses the web.sitemap, and also secure directories.
Contact me through this post if interested as I don't currently have rights to upload files.
Apr 26, 2007 10:40 AM|girish1979|LINK
I am also facing the same issue as I am using SiteMapDataSource. I have followed all other instructions as given in your post but still the menu is not trimming.
I think the provider I am using is wrong.
Can you please help me to get out of this issue.
Thanks for your valuable post.
Apr 26, 2007 10:41 AM|girish1979|LINK
I am also facing the same issue as I am also using SiteMapDataSource. I have followed all other instructions as given in your post but still the menu is not trimming.
Apr 26, 2007 01:33 PM|Dave Sussman|LINK
As well as setting the security trimming you have to make sure that you have your authentication enabled (either forms based or windows based), that the role manager is enabled and that the users are configured with the appropriate roles. The quickstarts give good examples of this (http://www.asp.net/learn/default.aspx?tabid=63). Apart from that you should only need to redeclare the siteMapProvider and set authentication on the pages. As long as the URL of the page matches the URL in the siteMapNode in web.sitemap, trimming should be applied automatically.
Apr 27, 2007 01:09 AM|girish1979|LINK
I am going through the tutorials.
I have done all the settings in web.config.
I am putting my web.config. I am using forms authentication. My web site map has only URLs and I have not defined roles in those, as in your reply to remove roles. I have used folder-wise web.config instead to restrict users from getting into that page.
I will try to change it and put authentication on the pages. Thanks for the reply.
Apr 27, 2007 02:30 AM|girish1979|LINK
I needed the sample project which incorporates role and xmlSitemap Providers and using menu control. I am using a web.sitemap and a SiteMapDataSource. The menu control uses SiteMapDataSource as its data source.
I am struggling to get the menu trimmed. Security is now working fine as users who are not authorized are being taken to the login page, but for users who are not authorized for a URL I want the menu to be trimmed so that they do not see that URL.
Any help would be great.
Apr 27, 2007 02:40 AM|girish1979|LINK
I am facing one more issue. When I am enabling securityTrimmingEnabled="true" my whole menu control is being trimmed even when I am logging in with a user who has all the permissions for his role.
Please advise on this issue.
Apr 27, 2007 03:04 AM|Dave Sussman|LINK
Does your root node have a URL? If it doesn't, then the security trimming has no way to check the authorization. In this case, you DO need to add a roles attribute to the siteMapNode:
This will ensure that this node is visible to all users, even though there is no page to check against.
There's a presentation and sample project on this at http://ipona.com/samples - pick the Navigation one nearest the top.
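A web.sitemap with a URL-less root node of the kind discussed in the reply above. This is an added example, not the snippet from the original post (which is missing from this page); the titles and page URLs are hypothetical.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <!-- The root has no url, so there is no page to authorize against.
       Without roles="*" it is trimmed, and the whole menu goes with it. -->
  <siteMapNode title="Home" roles="*">

    <!-- Ordinary pages carry no roles attribute: visibility follows the
         <authorization> rules that web.config applies to each URL. -->
    <siteMapNode url="~/Default.aspx" title="Welcome" />
    <siteMapNode url="~/Admin/Reports.aspx" title="Reports" />

    <!-- External URL: ASP.NET cannot check authorization for it, so
         roles="*" widens visibility to everyone. -->
    <siteMapNode url="http://www.example.com/" title="External site" roles="*" />

  </siteMapNode>
</siteMap>
```

Because roles on a node widens visibility rather than restricting it, adding `roles="*"` to a protected page's node would show the link to users whom the page's authorization rule still turns away.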
Apr 27, 2007 10:41 AM|girish1979|LINK
I tried your sample and used the DbSiteMapProvider class and customised it to my requirements. But I am still not getting my menu. All web.config settings are done as explained.
I am pasting here the class as I did it, as well as the site provider config from web.config.
I don't have custom attributes in my menu table when I read through the reader so I have commented out that code.
Also I am using an Oracle database so I have commented out the SQL dependency. Please advise.
cmd.Connection = conn;
rdr = cmd.ExecuteReader();
, currentID.ToString(), rdr[
, roleList, attributeCollection,
currentSiteMapData.ID = currentID;
currentSiteMapData.ParentID = parentID.Value;
currentSiteMapData.Node = node;
_rootNode = node;
My menu control on master page has Sitemaprovider = DbSiteMapProvider
Thanks for the help
May 07, 2007 02:05 PM|RamG|LINK
I am using a custom role and membership provider and the default sitemap provider. I want the menu to be displayed based on the user's role and I am using forms authentication. When I login as an admin, close the window and then open a new window, I get the menu for an admin in Firefox but not in IE. Does Firefox behave in this way or am I doing something wrong? Did anyone come across a similar problem? Any ideas will be helpful.
May 09, 2007 01:13 AM|girish1979|LINK
I am also facing the same issue with IE. So I don't have any idea why it is not getting displayed.
May 09, 2007 04:01 AM|Dave Sussman|LINK
When you sign in a cookie is stored in the browser with your credentials; closing and opening the browser won't get rid of that cookie, although it does expire after a set time. If you login using IE the cookie will be in IE, not FF, so you'll have to login
Also make sure you aren't output caching the page, which would show you the same page no matter who you logged in as.
May 09, 2007 11:39 AM|RamG|LINK
I closed all Firefox instances and retested my application. It works fine now. Thanks for your reply D.
May 11, 2007 06:57 AM|Dave Sussman|LINK
Sorry for the delay in getting to this, I've been away. I can't see anything immediately wrong with the code - you'll need to debug into it to really find out what's wrong. Step through BuildSiteMap to ensure that the collection is created correctly.
May 26, 2008 11:15 PM|sundhark|LINK
Can you please send me the code sample for the custom sitemap provider?
May 27, 2008 08:07 AM|Dave Sussman|LINK
First off, head to the Providers area at http://msdn.microsoft.com/en-us/asp.net/aa336558.aspx. The site map stuff is http://msdn.microsoft.com/en-us/library/aa479320.aspx. You can download the Provider Toolkit, which contains the site map provider, from
Feb 01, 2011 10:52 AM|vj82reddy|LINK
Hi friend, I'm struggling a lot to provide page-level role-based security. Please can you send me the URL of your blog if you, or send the file to my mail ID email@example.com