Hi, I am trying to get navigation working on my site so that only certain user roles will be able to see certain sections of the navigation menu. I have looked at the documentation for the navigation, but I can't seem to make my navigation work correctly, in that when you go in as an anonymous user, you can see every node in the sitemenu. I have enabled SecurityTrimmingEnabled property in my provider as listed here (in web.config):
I have also modified my web.sitemap to show the following:
Does anyone have any idea why Company.aspx wouldn't be hidden from an anonymous user? Thanks
The reason this doesn't work is that the anonymous user is already allowed access to the page. Roles only work to expand access and not contract it. The first level of access control is through user authentication, since the anonymous user isn't denied access
from that check, there is no need to go onto roles authorization. In order to make this work you can add this to your web.config under --------------------------- outside of ------------------------------ The first part puts a blanket deny policy for all users
to access any page on your site. The second part overrides the default deny policy for the default.aspx page to allow anonymous users to access that page. You should find that navigating to default.aspx will show the first 3 nodes in your web.sitemap but not
the Company.aspx node. Note that roles set to "*" will allow anonymous users to see the node in the Menu but roles set to "" will not.
--
Danny Chen
disclaimer: Information provided is 'as is' and conveys no warranties or guarantees.
I've been doing extensive testing today and there's more to this story. When security trimming is turned on and roles are defined in the site map file, what's shown in a menu depends on a number of factors:
1. The role of the user
2. Configured authorization
3. File permissions
This means that if you are denied access as part of the authorization section you may not see the menu item. In fact in many cases this is what you need, as something like allow="*" means the menu shows up irrespective of the roles defined on the siteMapNode. You therefore might need to deny/allow explicit menu items in configuration to ensure they appear correctly in the menu. You don't actually need to deny all users to start with. If you explicitly deny all users access to the pages that only logged in users should see and explicitly allow selected roles, you can get this working: Then for your node: All users are denied access to this page, but logged in users with the correct role will see it. You need to apply this technique to all pages that require security. So if you have an admin directory, with several pages, accessible to people in different roles, you'll need a location for each to allow the selected roles. It's taken me a while, but finally I understand how the authorization and site map providers hang together.
Dave
Well, Dave is correct but he and I are talking about different ways of using this. I'm assuming forms-based authentication and he is assuming Windows based authentication. The difference in this case is that for Windows authentication, the roles are based
on groups established in the user/group manager (computer management). In forms authentication, the roles and users are established from the configuration tool. The effect of this difference is that the user authentication for Windows mode is file-permissions
and domain username in addition to tags. For forms authentication it's just username in a login control and tags. One other thing to mention is that if a role is specified in a tag, then it is not necessary to specify it again in the tag. The subtle difference
there is that in the location tag, access will be allowed to that file for the role while the siteMapNode tag will just allow visibility to the node in a navigation control. -- Danny Chen
Danny, I'm talking about forms authentication too. I have a site I'm building with this now and have tested this. File permissions are used for forms auth too, as are the users role (using role manager configured through the web admin tool - not the windows
role). You also have to be careful about the inclusion of the roles attribute on the site map nodes, as it's not always possible to leave it off; it depends upon your configuration. For example, consider an Admin directory with a default deny="*" and then
allows for individual pages to individual roles. You have an Admin menu with sub items pointing to those files. Without specific role access on the main Admin menu item you wouldn't see any of the sub-items because we've denied access to the directory. Sometimes
you have to use a two-pronged approach. In fact web.config configuration (either at the top level through local tags or individually in directories) is the first approach you should use. You need to deny access to stop direct navigation (ie typing in the url).
Then you can fine tune that with the navigation to ensure only the correct menu items are shown to the user. Dave
Hi Guys,
I have Beta 2 installed and I am trying to create menu based on roles access. I have been reading your posts and as helpful as they are I still have problem getting the menu displayed at all with securityTrimmingEnabled = true.
I have a web site with following structure.
Web site:
default.aspx
login.aspx
web.config
web.sitemap
Folder "Content"
AddDevice.aspx
TestDevice.aspx
DeviceMaintenance.aspx
BillingReports.aspx
Units.aspx
web.config
I have 4 roles: Installer,Customer,Billing and Admin and I use Custom Membership with Custom Role Provider which work fine since I'm able to use LoginViewControl properly with roles.
Hi Again. Sorry for being a pest but this is driving me nuts. I've tried every possible setup with authorization in my web.config and multiple web.configs in separate directories but I still get all the menu items instead of just ones that the role
should be able to see. Please look at my settings and let me know what am I missing.
Not sure if this is the solution to your problem, but Visual Express has a bug in the Intellisense - it should be capitalizing the S in SecurityTrimmingEnabled (not securityTrimmingEnabled) as it comes out.
I capitalized it and it started working for me.
SecurityTrimmingEnabled not working?
Oct 08, 2004 04:29 PM|miriv365
Re: SecurityTrimmingEnabled not working?
Oct 14, 2004 02:00 PM|dannychen
Re: SecurityTrimmingEnabled not working?
Oct 15, 2004 12:26 PM|Dave Sussman
Re: SecurityTrimmingEnabled not working?
Oct 19, 2004 01:47 PM|dannychen
Re: SecurityTrimmingEnabled not working?
Oct 20, 2004 04:48 AM|Dave Sussman
Re: SecurityTrimmingEnabled not working?
Apr 28, 2005 10:15 AM|sjd0103
So for a large scale application, I will have to add location tags for each possible page (or directory) in the application? Is there any way to specify multiple paths in one location tag?
Re: SecurityTrimmingEnabled not working?
Apr 28, 2005 03:09 PM|dannychen
Let me start by answering: yes. It's designed as a security feature, if the links put in a web.sitemap should not be shown, then pages shouldn't be accessible either. They should be secured by location tags.
But, I can give a better answer if you give me more information about what you would like to do in this large scale application. Clearly you have a lot of pages on the site and in your sitemap, what will the roles represent?
--
Danny
Re: SecurityTrimmingEnabled not working?
Sep 23, 2005 01:40 PM|Rajvosa071
My web sitemap looks like this:
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
  <siteMapNode>
    <siteMapNode title="Units" roles="Installer,Admin,Customer">
      <siteMapNode title="Add Device" url="Contents/AddDevice.aspx" roles="Installer,Admin" />
      <siteMapNode title="Device Maintenance" url="Content/DeviceMaintenance.aspx" roles="Admin" />
      <siteMapNode title="Test Device" url="Content/TestDevice.aspx" roles="Installer,Admin" />
      <siteMapNode title="Track Units" url="Content/Units.aspx" roles="Customer,Admin" />
    </siteMapNode>
    <siteMapNode title="Billing" roles="Billing,Admin">
      <siteMapNode title="Reports" url="Contents/BillingReports.aspx" />
    </siteMapNode>
  </siteMapNode>
</siteMap>
My main web.config is here
  <system.web>
    <siteMap defaultProvider="AspXmlSiteMapProvider" enabled="true">
    </siteMap>
    <authentication mode="Forms">
    </authentication>
    <membership defaultProvider="MyCustomProvider" userIsOnlineTimeWindow="15">
    </membership>
    <roleManager enabled="true" defaultProvider="MyCustomRoleProvider">
    </roleManager>
  </system.web>
  <location path="Default.aspx">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
and my Contents folder web.config looks like this
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
  <location path="AddDevice.aspx">
    <system.web>
      <authorization>
        <allow roles="Installer,Admin" />
      </authorization>
    </system.web>
  </location>
  <location path="TestDevice.aspx" >
    <system.web>
      <authorization>
        <allow roles="Installer,Admin" />
      </authorization>
    </system.web>
  </location>
  <location path="DeviceMaintenance.aspx" >
    <system.web>
      <authorization>
        <allow roles="Installer,Admin" />
      </authorization>
    </system.web>
  </location>
  <location path="Units.aspx" >
    <system.web>
      <authorization>
        <allow roles="Customer,Admin" />
      </authorization>
    </system.web>
  </location>
  <location path="BillingReports.aspx" >
    <system.web>
      <authorization>
        <allow roles="Billing,Admin" />
      </authorization>
    </system.web>
  </location>
</configuration>
If I remove the securityTrimmingEnabled="true" attribute my menu shows up but otherwise I can not see it.
Please let me know what I'm doing wrong?
Re: SecurityTrimmingEnabled not working?
Sep 23, 2005 04:25 PM|Rajvosa071
The structure of my web site has changed a little to allow easy adding of pages so I don't clutter main web.config with location sections. The main web config is just used to restrict the anonymous access to my default page. My default page inherits from default.master and here is where my menu is located. I don't know does this make a difference since both master and default page are in the same directory that allows all authenticated users.
  <siteMapNode>
    <siteMapNode title="Unit Management" roles="Installer,Admin,Customer">
      <siteMapNode title="Add Device" url="UnitManagement/AddDevice.aspx" />
      <siteMapNode title="Device Maintenance" url="UnitManagement/DeviceMaintenance.aspx" roles="Installer,Admin" />
      <siteMapNode title="Test Device" url="UnitManagement/TestDevice.aspx" roles="Installer,Admin" />
      <siteMapNode title="My Units" url="UnitManagement/Units.aspx" roles="Customer,Admin" />
    </siteMapNode>
    <siteMapNode title="Billing" roles="Billing,Admin">
      <siteMapNode title="Reports" url="Billing/BillingReports.aspx" roles="Billing,Admin" />
    </siteMapNode>
  </siteMapNode>
</siteMap>
Here is main web.config
<authorization>
  <deny users="?"/>
  <allow users="*"/>
</authorization>
And finally here are Billing/web.config
<appSettings/>
<connectionStrings/>
<system.web>
  <authorization>
    <deny users="*"/>
  </authorization>
</system.web>
<location path="BillingReports.aspx">
  <system.web>
    <authorization>
      <allow roles="Billing,Admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
and UnitManagement/web.config
<appSettings/>
<connectionStrings/>
<system.web>
  <authorization>
    <deny users="*"/>
  </authorization>
</system.web>
<location path="AddDevice.aspx">
  <system.web>
    <authorization>
      <allow roles="Installer,Admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
<location path="DeviceMaintenance.aspx">
  <system.web>
    <authorization>
      <allow roles="Installer,Admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
<location path="TestDevice.aspx">
  <system.web>
    <authorization>
      <allow roles="Installer,Admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
<location path="Units.aspx">
  <system.web>
    <authorization>
      <allow roles="Customer,Admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
Re: SecurityTrimmingEnabled not working?
Sep 26, 2005 02:08 PM|dannychen
Log in to your website with a user you EXPECT to be blocked from seeing a particular item in your tree. With that user try and navigate to the restricted item. (Example: a user NOT in the Admin or Installed role and navigate to TestDevice.aspx) If you are able to browse to that page then you need to fix that problem first. If you are not able to browse to that page (access denied) but you can still see it in your menu then more investigation is needed.
--
Danny
Re: SecurityTrimmingEnabled not working?
Sep 26, 2005 04:14 PM|Rajvosa071
I have logged in as a role that is only supposed to see the certain items on the menu, but I still get all of the items displayed. If I try to navigate to any of my roles items I am able to do so but if I navigate to any of the items for other roles I get kicked out to the login screen.
For example if I log in as a billing I am supposed to see only the billing portion, but I also get the unit maintenance part of the menu (TestDevice.aspx among others). I am able to navigate freely to the items assigned to billing role (BillingReports.aspx) but if I click on TestDevice.aspx I am prompted to log in.
So I think that my authorization works...
Let me know if that helps you.
Re: SecurityTrimmingEnabled not working?
May 21, 2006 07:31 PM|coffngrl
I capitalized it and it started working for me.
HTH
Laura
Re: SecurityTrimmingEnabled not working?
May 25, 2006 09:33 AM|sjd0103
Re: SecurityTrimmingEnabled not working?
Jun 01, 2006 02:35 AM|dxdiag
I'm having the same problem after securityTrimmingEnabled="true". All my nodes are gone. And I checked the access rights by typing the URL in. Everything is working fine, the right roles are can access and denied to the respective forms.
web config
<siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
  <providers>
    <add name="XmlSiteMapProvider" description="Default SiteMap provider." type="System.Web.XmlSiteMapProvider " siteMapFile="Web.sitemap" securityTrimmingEnabled="true" />
  </providers>
</siteMap>
Site map codings
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
  <siteMapNode url="Login.aspx" title="Home" description="">
    <siteMapNode title="Products">
      <siteMapNode url="sercure_admin/Product_Add.aspx" title="Add Product" description="" />
      <siteMapNode url="sercure_admin/Product_View_Edit.aspx" title="Edit Product" description="" />
      <siteMapNode url="sercure_admin/Product_search.aspx" title="Delete Product" description="" />
    </siteMapNode>
    <siteMapNode title="Staffs">
      <siteMapNode url="sercure_admin/Add Staff.aspx" title="Add Staff" description="" />
      <!--
      <siteMapNode url="sercure_admin/staff_edit.aspx" title="Edit Staff" description="" />
      <siteMapNode url="sercure_admin/staff_delete.aspx" title="Delete Staff" description="" />
      -->
    </siteMapNode>
    <siteMapNode title="Loans" description="">
      <siteMapNode url="sercure_staff/Loan_status.aspx" title="View Loan Status" description="" />
      <siteMapNode url="sercure_staff/Loan_Add.aspx" title="Add Loans" description="" />
      <siteMapNode url="sercure_sic/Loan_View_edit.aspx" title="Edit Loans" description="" />
      <siteMapNode url="sercure_sic/Loan_searching.aspx" title="Delete Loans" description="" />
    </siteMapNode>
    <siteMapNode title="Reports">
      <siteMapNode url="reports/Product_report.aspx" title="Equipment Report" description="" />
      <siteMapNode url="reports/Loan_report.aspx" title="Loan Report" description="" />
    </siteMapNode>
  </siteMapNode>
</siteMap>
Can anyone kindly help?
Re: SecurityTrimmingEnabled not working?
Jul 13, 2006 04:23 PM|RayChan
I had the same problem before. All nodes disappeared after I turned the feature on. Then I tried to add roles="*" in a parent <siteMapNode> and finally realized that I don't have permission to the root node.
For the sitemap that you used, maybe try to add roles="*" in the login.aspx node and see if it helps.
Re: SecurityTrimmingEnabled not working?
Nov 29, 2007 06:46 AM|Thelma
Just to let u know, was having the same problem, tried everything, nothing worked until I put roles=* in the first siteMapNode
<siteMapNode roles="*">
also changed the first letter of securityTrimmingEnabled="true" to a capital S but that gave me an error, so no need to change it.
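
A simplified model of the trimming behaviour reported across this thread, added here as an illustration (it is not ASP.NET code and not from any poster): roles on a node can only widen visibility, otherwise URL authorization decides, and a hidden parent hides its whole subtree. The sitemap, the rule table and all function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's second sitemap (not a poster's file).
SITEMAP = """
<siteMap>
  <siteMapNode>
    <siteMapNode title="Unit Management" roles="Installer,Admin,Customer">
      <siteMapNode title="Add Device" url="UnitManagement/AddDevice.aspx" />
      <siteMapNode title="My Units" url="UnitManagement/Units.aspx" roles="Customer,Admin" />
    </siteMapNode>
    <siteMapNode title="Billing" roles="Billing,Admin">
      <siteMapNode title="Reports" url="Billing/BillingReports.aspx" roles="Billing,Admin" />
    </siteMapNode>
  </siteMapNode>
</siteMap>
"""

# Assumed URL authorization rules per page, in evaluation order
# (page-level <location> rules first, then the folder's blanket deny).
URL_RULES = {
    "UnitManagement/AddDevice.aspx": [("allow", "roles", {"Installer", "Admin"}), ("deny", "users", {"*"})],
    "UnitManagement/Units.aspx": [("allow", "roles", {"Customer", "Admin"}), ("deny", "users", {"*"})],
    "Billing/BillingReports.aspx": [("allow", "roles", {"Billing", "Admin"}), ("deny", "users", {"*"})],
}

def url_allowed(url, user_roles, authenticated=True):
    """First matching rule wins; a page with no matching rule is allowed."""
    for action, kind, values in URL_RULES.get(url, []):
        if kind == "roles":
            hit = bool(values & user_roles)
        else:  # users: "*" is everyone, "?" is the anonymous user
            hit = "*" in values or ("?" in values and not authenticated)
        if hit:
            return action == "allow"
    return True

def node_visible(node, user_roles, authenticated=True):
    """A roles match shows the node; otherwise access to its URL decides."""
    roles = {r.strip() for r in node.get("roles", "").split(",") if r.strip()}
    if "*" in roles or roles & user_roles:
        return True
    url = node.get("url")
    return bool(url) and url_allowed(url, user_roles, authenticated)

def visible_titles(sitemap_xml, user_roles, authenticated=True):
    """Walk the tree as a trimmed menu would: a hidden parent hides its children."""
    shown = []
    def walk(node):
        if not node_visible(node, user_roles, authenticated):
            return
        if node.get("title"):
            shown.append(node.get("title"))
        for child in node.findall("siteMapNode"):
            walk(child)
    walk(ET.fromstring(sitemap_xml).find("siteMapNode"))
    return shown
```

With the root node as posted (no url, no roles) the model returns an empty menu for every user; giving the root roles="*" restores the role-specific items, and a page with no authorization rule stays visible to anonymous users whatever roles its node lists.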