Forms Authentication with Sitemap and asp:Menu control
I have a site with 2 sections - one for customers and one for admins, in essence. Each section is in its own directory with its own web.config and sitemap. Security and access works fine.
When I am logged in as admin, I want to see menu items that link to the other section, however. I added links to the sitemap, e.g.:
<siteMapNode url="~/Customer/Default.aspx?3" title="Customer Site"
description="Switch to customer site" roles="Administrator"/>
This seems to have no effect, since I still see the menu item when logged in as a customer. When I turn on security trimming, as in
<siteMap enabled="true">
<providers>
<add name="InternalSiteMap" type="System.Web.XmlSiteMapProvider"
siteMapFile="~/Internal/Internal.sitemap" />
<add name="CustomerSiteMap" type="System.Web.XmlSiteMapProvider"
siteMapFile="~/Customer/Customer.sitemap" securityTrimmingEnabled="true" />
</providers>
</siteMap>
all menu items are gone.
I actually have web.configs in both the Internal and the Customer folders, e.g. for the customer:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Customer" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
and the administrator:
<?xml version开发者_Python百科="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
Again, authorization works, and when I am logged in as a Customer and I click on the internal site link in the menu, I am being redirected to the login page. As an admin, I can click through to the admin site. As soon as I turn on security trimming for the sitemap provider, which is supposed to take the links that I am not authorized for off the menu, the entire menu disappears. What am I missing? Do I need to configure the asp.menu control to work together with this?
Update: I put a bounty on this question, because I still cannot get it to work. We are inclined to throwing out the menu control and writing our own, but if someone can provide a hint, that would be preferred of course. Again - the problem is not with security - the roles and access rules work as expected. It is with the menu control and security trimming. The menu disappears alltogether when security trimming is turned on for a sitemap.
Update: Thanks for finding this blog post, Pavel. What I learned from this is that if there are sitemap entries that do not have a path and URL (which is also true for some of my submenues), the control cannot infer permissions from the settings in the web.config, and you have to specify the roles in the sitemap. Otherwise, they will be hidden by default.
From Horizontal Menu Disappears with securityTrimmingEnabled="true":
Make sure that every role has access to the (unused) dummy siteMapNode at the root by including roles="*" in web.sitemap shown below:
<?xml version="1.0" encoding="utf-8" ?>
<siteMap enableLocalization="true"
xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
<siteMapNode url="" title="" roles="*" description="">
<siteMapNode url="~/default.aspx" resourceKey="siteMapHome"
title="Home" roles="admin,account" description="" />
<!-----More nodes-->
http://www.vbforums.com/showthread.php?p=3625975
Check the logged in user has the Administrator role.
Edit:
I'm also pretty sure your not ment to specify the role in the siteMapNode. I belive role based site maps work off existing roles, eg if a user has access to the path that the site note specifys then it will display it.
Also specify the path in the webs.config.
<location path="admin/">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*"/>
</authorization>
</system.web>
</location>
And finally remove the '~' from your site map so that the comparison will match.
Once this is all done and if this is still not working, merge the web.configs to make sure permisions are not being lost.
加载中,请稍侯......
精彩评论