<< ASP.NET 2.0 Menus, Roles and SecurityTrimming | Home | John Peel Dies >>

ASP.NET 2.0 Navigation and Security Trimming

Since I posteded a reference to a forum post I've done more investigating, and feel this is worth mentioning. The ASP.NET 2.0 site map framework uses, by default, and XML file to define the menu structure, as a set of XML nodes. Each of these can have a 'roles' attribute, allowing a command delimited list of roles, to which that menu item applies; that is, the menu item shouldn't be shown to people not in any of the roles.

I myself fell into the trap of thinking this doesn't work, and confusion comes from two areas. First you have to explicitly enable the provider to allow this to work, by setting the securityTrimmingEnabled attribute to true (this means either modifying machine.config, or adding a new provider to web.config; you can simply copy the provider from machine.config and rename it, adding the new attribute in the process). Secondly you need to understand that what defines whether the node is shown is a combination of the roles that the user is in and the authorization as configured in web.config. Actually there's a third part, which is file permissions, but for most people that's not relevant. The default site map provider examines the users' role, checks the <authorization> section of the configuration and checks the file permissions before deciding if the menu item should be shown.

So, enabling security trimming and settings the roles in the site map nodes isn't all you have to do. By default the authorization is allow all (allow users="*"), so irrespective of your role you'll see menu items. This means you need to explicitly deny access to resources, and then allow them per role. For example, consider a fairly standard situation, where files at the top level are allowed for all users, but files under the admin directory are not (an in fact are restricted by the role). You want a single menu, so items for administration should only be shown to authorised users. The site map file could be:

<siteMap>
  <siteMapNode title="Home" url="Default.aspx">
    <siteMapNode title="Some Page" url="SomePage.aspx" />
    <siteMapNode title="Admin" url="Admin/Admin.aspx" 
          roles="Administrator,PowerUser">
      <siteMapNode title="Site Admin" url="SiteAdmin.aspx"
            roles="Administrator" />
      <siteMapNode title="User Admin" url="Admin/UserAdmin.aspx" 
            roles="PowerUser" />
    </siteMapNode>
  </siteMapNode>
</siteMap>

Here the Admin menu only appears for users in the Administrator or PowerUser roles, and menu items are further restricted. Apart from setting the authentication mode and adding the securityTrimmingEnabled attribute to the provider, nothing needs adding to the root web.config. You do however, need a web.config in the Admin directory, which would contain:

<configuration>
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
  <location path="SiteAdmin.aspx">
    <system.web>
      <authorization>
       <allow roles="Administrator" />
    </authorization
    </system.web>
  </location>
  <location path="UserAdmin.aspx" >
    <system.web>
      <authorization>
        <allow roles="PowerUser" />
      </authorization>
    </system.web>
  </location>
<configuration>

Here all users are denied access to all files, but then individual files lift the restriction based upon the role. People in the Administrator role will only see the SiteAdmin item, while Power Users will only see UserAdmin. It's the combination of this config file and the site map nodes that ensure that the menu item gets shown; a combination which is extremely powerful and provides a simple way to restrict file and menu access.

Saturday, October 16, 2004 11:29 AM

Your Comments.

# re: ASP.NET 2.0 Navigation and Security Trimming
Now that's what I've been looking for!
Good job mister :)

Left by Iztok at 2/1/2005 11:37 AM
# re: ASP.NET 2.0 Navigation and Security Trimming
The roles attribute in "Site Admin" and "User Admin" sitemap nodes are redundant. SiteMap by default will only return nodes that are accessible to a given user based on its role defined in the web.config file.

Furthermore, given your <authorization> configuration, neither PowerUser nor Administrator will be given access to Admin/Admin.aspx page. Most likely when they click on the link in Menu, they would be redirected to the login page.

The recommended securityTrimming pattern is to leave all your security setting in <authorization> and let siteMap figures out the visibility of each node automatically for you. The roles attribute in <siteMapNode> is only helpful when you want to make a node less restricitve (ie, the redirecting to login page scenario).

Thanks,
Ting-hao

Left by Ting-hao Yang at 3/1/2005 5:24 PM
# re: ASP.NET 2.0 Navigation and Security Trimming
Thanks for that update - this was done on b1 and I hadn't delved into it in more detail.

Left by Dave at 3/1/2005 5:28 PM
# re: ASP.NET 2.0 Navigation and Security Trimming
Any body knows a good link that has an example of how to tie in AD roles in ASP.Net 2.0?

Left by Mo at 3/23/2005 12:37 AM
# re: ASP.NET 2.0 Navigation and Security Trimming
Hi there
Is it possible to have a siteMapNode, that is only visible to anonymous Users?

I try something like this:

Web.Config:
<siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
<providers>
<add name="XmlSiteMapProvider"
description="Default SiteMap provider."
type="System.Web.XmlSiteMapProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
siteMapFile="Web.sitemap"
securityTrimmingEnabled="true" />
</providers>
</siteMap>

Web.Sitemap:
<?xml version="1.0" encoding="utf-8" ?>
<siteMap>
<siteMapNode url="" title="Startseite" description="" roles="*" >
<siteMapNode url="~/Default.aspx" title="Homepage" description="" roles="*" />
<siteMapNode url="/file2.aspx" title="Register" description="" roles="Anonymous User or Something" />
<siteMapNode url="/file3.aspx" title="Admin" description="" roles="Administrator" />
</siteMapNode>
</siteMap>

Left by Severin at 5/21/2005 9:48 AM
# re: ASP.NET 2.0 Navigation and Security Trimming
Having a node accessible to only anonymous users isn't possible by default. You could have a node configured with a separate provider and the provider only returns the node if you are anonymous, but you'd have to write a provider to do this.

The best solution is to code the databinding; use the MenuItemDataBound event and do something like this:

Protected Sub MyMenu_MenuItemDataBound(sender as Object, e as MenuEventArgs)

If e.Item.Text = "Node for Anonymous" AndAlso User.Identity.IsAuthenticated
e.Item.Parent.ChildItems.Remove(e.Item)
End If

End Sub

Left by Dave at 5/21/2005 10:52 AM
# re: ASP.NET 2.0 Navigation and Security Trimming
Thanks man, you helped me a lot!

Left by Marco Pankow at 12/13/2005 1:09 PM
# re: ASP.NET 2.0 Navigation and Security Trimming
Thanks Dave, you helped me a lot!

Left by Marco Pankow at 12/13/2005 1:10 PM
# re: ASP.NET 2.0 Navigation and Security Trimming
What is the point of having Roles in a site map, if you have to go to the work of setting it all up in web.config? I would much rather specify the allowed roles (including an anonymous/public role) in my site map, and not have to bother with entering any more stuff into my web.config than I have to.

-Joel

Left by Joel at 1/6/2006 11:51 PM
# re: ASP.NET 2.0 Navigation and Security Trimming
Joel

The problem you'd have if you configured only in siteMap is that users can navigate directly to pages by typing them in to the address bar. The site map is only for the layour of the navigational structure. The <auth> sections provide a central place to specify site access rules, which affect whether the URL is typed in directly, or accessed via a menu system.

The roles in the site map allows the node to be seen on a menu (or rather, exposed by the provider to any control using it) even if the current user isn't authorised to access the node. This makes it easier for people who use web sites in one role, but can also log into another role (a general user who also performs admin for example); they can navigate to the Admin node directly from the menu, and because they aren't authorised they will be redirected to the login page. This saves them having to log out first or manually navigate.

Left by Dave at 1/7/2006 12:17 AM
# re: ASP.NET 2.0 Navigation and Security Trimming
What if you have Roles and Permissions in your application. So that the system administrator can log into your system and give a role permissions to certain areas of the application. Can you make it check to see if the user belongs to role that has a particular privilege, or can you expose a page to the administrator to assign privileges?

Thanks
- Duncan

Left by Duncan at 1/25/2006 11:31 PM
# re: ASP.NET 2.0 Navigation and Security Trimming
Al of this stuff is backed up by an API so you can easily write a management interface. There are several useful features:

1. You can create users with the CreateUserWizard
2. You can create roles with Roles.CreateRole().
3. Adding a user to a role can be done with Roles.AddUserToRole().
4. You can check to see if a user is in a role with USer.Identity.IsInRole()
5. There is an API for editing the web.config file, so you can access the authorization and location sections to add new security for page or folder. Check out the classes in System.Configuration and System.Web.Configuration for this.

Dave

Left by Dave at 1/28/2006 10:49 AM
# re: ASP.NET 2.0 Navigation and Security Trimming
The advice above:

"The roles attribute in "Site Admin" and "User Admin" sitemap nodes are redundant. SiteMap by default will only return nodes that are accessible to a given user based on its role defined in the web.config file."

Is not entirely correct, there are performance considerations. From Microsoft's site:

"Performance Considerations
The security-trimming feature uses URL authorization on each request to determine whether a user has access to a URL that is associated with a siteMapNode element. This extra work reduces performance depending on the number of nodes that are being authorized. When security trimming is enabled, you can use the following methods to improve performance:

Limit the number of nodes in the site-map file Site-map files with more than 150 nodes can take substantially longer to perform security-trimming operations.

Set the roles attribute explicitly on siteMapNode elements Note that setting the roles attribute to a wildcard character, or asterisk (*), should be used only for nodes that can safely be displayed to any client. The presence of a roles attribute allows ASP.NET to bypass URL authorization for the URL that is associated with the siteMapNode when a user belongs to one of the roles that is listed in the attribute."

Left by turban at 3/15/2006 11:08 PM
# re: ASP.NET 2.0 Navigation and Security Trimming
Hey guys,

I am new to ASP.NET, but have implemented a (file system) web site. I have set up a web.sitemap and the various login screens - this all works perfectly.

When I restrict certain users in the ASP web configuration site, unauthorised user do not have access to particular nodes on the site map (which is the desired result - when a user clicks on a node that they shouldnt see, the site redirects them to the log in page)

Now when I enter the standard code into the web.congfig file (to remove site nodes from the sitemap if a user doesnt have permission) the *whole* menu system/tree map vanishes! What am i doing wrong????

Here is the site map
===============

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
<siteMapNode title="Site Map" >
<siteMapNode title="SLA Alerts" url="~/Alerts.aspx" >
</siteMapNode>
<siteMapNode title="SLA Reports" url="~/Reports.aspx">
</siteMapNode>
<siteMapNode title="Configurations">
<siteMapNode title="General" url="~/General.aspx"/>
<siteMapNode title="View, Amend, Add Profile" url="~/admin/Profiles.aspx"/>
<siteMapNode title="View Profile" url="~/Profiles.aspx"/>
</siteMapNode>
<siteMapNode title="Users">
<siteMapNode title="Create New User" url="~/CreateAccount.aspx"/>
<siteMapNode title="Change Password" url="~/ChangePassword.aspx"/>
<siteMapNode title="Login As Another User" url="~/Login.aspx"/>
<siteMapNode title="Create User As Administrator" url="~/admin/CreateAdminAccount.aspx"/>
</siteMapNode>
<siteMapNode title="About" url="~/About.aspx" >
</siteMapNode>
</siteMapNode>
</siteMap>

===========================

...and here is the code that I have entered into the web.config file:

</connectionStrings>
<system.web>
<siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
<providers>
<add name="XmlSiteMapProvider"
description="Default SiteMap provider."
type="System.Web.XmlSiteMapProvider"
siteMapFile="Web.sitemap"
securityTrimmingEnabled="true" />
</providers>
</siteMap>

======================================

Please help!!!!!

Rav4

Left by Help at 3/16/2006 10:45 AM
# re: ASP.NET 2.0 Navigation and Security Trimming
....oh, the "Admin" folder is where I have placed all my protected pages. At the moment,I only have 2 roles: "Adminisitrators" and "users".

Thanks

Rav4

Left by Help at 3/16/2006 10:47 AM
# re: ASP.NET 2.0 Navigation and Security Trimming
its ok, i figured it out!!

Basically, it seems that for security to work, each node in the sitemap needs to have a url to be displayed (eg. the "Site Map" node in the above code is only a label for the parent node - it isnt supposed to be clicked, therefore I didnt provide a url). However if I supply a dummy url, the whole thing works!

(The only strange things now is that it allows users to click on certain sitemap nodes that arent supposed to be clicked, there are simply provided as a label and are used for neatly organising the menu)

Thanks though peeps..

Rav4

Left by Help at 3/16/2006 12:52 PM
# re: ASP.NET 2.0 Navigation and Security Trimming
Hi,
I am using AspNetWindowsTokenRoleProvider as role provider:

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"/>

I am using XmlSiteMap Provider as shown below

<add siteMapFile="web.sitemap" name="AspNetXmlSiteMapProvider"
type="System.Web.XmlSiteMapProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" securityTrimmingEnabled="true"/>

web.sitemap looks like

<siteMapNode title="Create New Project" url="~/TimeTracker/Project_Details.aspx" description="Create a new projects" roles="cn=Customer1_Admins" />

And web.config has following location authorizations sections like:

<location path="Project_Details.aspx">
<system.web>
<authorization>
<allow roles="cn=Customer1_Managers,cn=Customer1_Admins" />
<deny users="?" />
</authorization>
</system.web>
</location>

but, Sitemap is not showing the nodes appropriately, according to the user.

I changed role name with "cn=rolename", "rolename", "cn\\domain\\rolename" but itz not working.

Am I deviating? plz let me know.

Left by venkateshwar rao gundlapally at 3/21/2006 8:02 PM
# re: ASP.NET 2.0 Navigation and Security Trimming
@Help

I was just trying to figure out a way around that problem myself (menu items with no URLS still rendering). You could (like you did) add a page, but make sure the page exists unless you like serving 404s.

- or -

Use the roles attribute only on siteMapNodes that have no URL. That will suppress the menu that _shouldn't_ appear because you don't have access to any items within it. Using the roles attribute on siteMapNodes that do have URLs that are restricted by the web.config is pointless, and will most likely lead to headaches.

Left by Simon Cunningham at 7/20/2006 1:46 AM
# Site Navigation and Authorization - Sitemap, treeview, and controlling access

Left by BenJonesOnline.com at 7/20/2006 3:07 PM