
roles based menu does not work, what am I doing wrong?

Here is the overview

  1. Create Memberships
  2. Create Roles
  3. Create Sitemap (modify to use roles="admin")
  4. Create Menu and bind web.sitemap to the menu, using new datasource from the menu smart tag
  5. Modify web.config to enable securityTrimmingEnabled

It works like this. If I assign a role to the root node in sitemap, the menu is correctly hidden for all other roles except the roles it is assigned to.

If I use role in one of the submenus, it does not work. Does anyone have a clue why?

web.sitemap

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
<siteMapNode roles="*"> <!-- Roles works here -->
  <siteMapNode title="Home" url="~/Default.aspx" roles="admin"></siteMapNode> <!-- But not here -->
  <siteMapNode title="Videos" url="~/Tags.aspx" />
  <siteMapNode title="Student" url="~/MemberList.aspx" roles="student"/>
  <siteMapNode title="My Page" url="~/MyPage.aspx" />
  <siteMapNode title="My Recent Views" url="~/RecentViews.aspx" />
  <siteMapNode title="Upload a Video" url="~/Upload.aspx" />
  <siteMapNode title="Administer Users" url="~/AdministerUsers.aspx" roles="admin">
      <siteMapNode title="Creat user" url="createUser.aspx"></siteMapNode>
  </siteMapNode>
</siteMapNode>
</siteMap>

web.config file (modification)

<siteMap enabled="true">
    <providers>
        <clear/>
        <add siteMapFile="Web.sitemap" name="AspNetXmlSiteMapProvider" type="System.Web.XmlSiteMapProvider" securityTrimmingEnabled="true"/>
    </providers>
</siteMap>


You might want to check this link out: http://blogs.msdn.com/b/dannychen/archive/2006/03/16/553005.aspx. The security trimmings feature of ASP.Net is one of the most often misunderstood features.

The basic idea is that security trimmings are applied through the <authorization> tag in web.config, not through the roles in the siteMap. The roles property in the sitemap can only widen security, not narrow it. So for example, here is how you would really apply the Student roles rule for ~/MemberList.aspx:

<location path="~/MemberList.aspx">
  <system.web>
    <authorization>
      <allow roles="Student" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

This will not only make the link disappear from your menu, it will actually make the page impossible to visit by somebody not in the Student role, even if they type the url directly into the browser. Without the <authorization> tag, it will always be possible to type in the url directly and still see the page.
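
An added example (not part of the original question or answer): a Python check that flags sitemap nodes whose roles attribute suggests a restriction but which have no matching <location> deny rule in web.config. The inline XML is constructed sample input modelled on the files above; the function names are hypothetical, and only exact per-file <location> entries in a single web.config are considered.

```python
import xml.etree.ElementTree as ET

SITEMAP_NS = "{http://schemas.microsoft.com/AspNet/SiteMap-File-1.0}"

# Constructed sample input, modelled on the sitemap in the question.
SITEMAP = """<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
<siteMapNode roles="*">
  <siteMapNode title="Home" url="~/Default.aspx" roles="admin" />
  <siteMapNode title="Videos" url="~/Tags.aspx" />
  <siteMapNode title="Student" url="~/MemberList.aspx" roles="student" />
  <siteMapNode title="Administer Users" url="~/AdministerUsers.aspx" roles="admin" />
</siteMapNode>
</siteMap>"""

# Constructed sample web.config: only MemberList.aspx has an authorization rule.
WEB_CONFIG = """<configuration>
  <location path="MemberList.aspx">
    <system.web>
      <authorization>
        <allow roles="Student" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

def normalize(url):
    """Reduce '~/Page.aspx' and 'Page.aspx' to one comparable, lower-case form."""
    return url.lstrip("~").lstrip("/").lower()

def protected_paths(web_config_xml):
    """Paths of <location> elements whose <authorization> contains a <deny> rule."""
    paths = set()
    for loc in ET.fromstring(web_config_xml).iter("location"):
        auth = next(loc.iter("authorization"), None)
        if auth is not None and auth.find("deny") is not None:
            paths.add(normalize(loc.get("path", "")))
    return paths

def unenforced_nodes(sitemap_xml, web_config_xml):
    """Sitemap (url, roles) pairs that look restricted but have no deny rule."""
    enforced = protected_paths(web_config_xml)
    findings = []
    for node in ET.fromstring(sitemap_xml).iter(SITEMAP_NS + "siteMapNode"):
        url, roles = node.get("url"), node.get("roles")
        if url and roles and roles.strip() != "*" and normalize(url) not in enforced:
            findings.append((url, roles))
    return findings

if __name__ == "__main__":
    for url, roles in unenforced_nodes(SITEMAP, WEB_CONFIG):
        print(f"{url}: roles={roles!r} in sitemap, but no <deny> rule in web.config")
```

Each reported URL is still reachable by typing it directly, whatever the menu shows.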
