SiteMapProvider Security Trimming


Here's a nice little feature worth mentioning. If you are using the site map provider, you can now turn on a new feature called security trimming. This adds an extra step when constructing the site map: it checks to see whether the user has permission to visit the page in question, and if not, trims that page from the site map. There's no point listing a Web page in a site map that will only fail when the user clicks it.

There is a new public method on the base SiteMapProvider called IsAccessibleToUser, that takes an HttpContext and a SiteMapNode. This checks to see if the user has permission to access the page by checking with both the FileAuthorizationModule and the UrlAuthorizationModule. The former checks to make sure the user has permission based on the access control list (ACL) on the file, while the latter checks the <authorization> section in web.config to verify that the user is allowed permission to the file.

To enable this new feature, modify your configuration as shown in Listing 5-11.

Listing 5-11. Enabling security trimming

<siteMap defaultProvider="AspNetXmlSiteMapProvider">
  <providers>
    <remove name="AspNetXmlSiteMapProvider" />
    <add name="AspNetXmlSiteMapProvider"
         type="System.Web.XmlSiteMapProvider, System.Web, ..."
         siteMapFile="Web.sitemap"
         securityTrimmingEnabled="true" />
  </providers>
</siteMap>

In your site map, you can also further restrict visibility of nodes in the map based on roles. The example in Listing 5-12 requires you to be in the "admin" role in order to access the CreateUser.aspx page.

Listing 5-12. Restricting node visibility with security roles

<siteMapNode url="~/CreateUser.aspx"
             title="Create user"
             description=""
             roles="admin" />

Remember that just hiding a site map node from a user isn't enough to guarantee she'll never be able to reach that page; the URL can still be requested directly. You should start by restricting access to the resource itself, using ACLs or the <authorization> section in web.config, and treat security trimming as a usability feature layered on top of that.
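The following web.config fragment is an added example, not one of the book's listings: it shows the <authorization> rule that actually refuses requests for CreateUser.aspx, so the node trimmed in Listing 5-12 is also protected when the URL is typed directly. The page name and the "admin" role come from the listings above; the surrounding configuration elements are assumed.

```xml
<configuration>
  <!-- Scope the rule to the single page the site map node points at. -->
  <location path="CreateUser.aspx">
    <system.web>
      <authorization>
        <!-- URL authorization rules are evaluated top to bottom and the
             first match wins, so the allow for "admin" must come before
             the catch-all deny. Reversing the order locks everyone out. -->
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <system.web>
    <!-- Security trimming only decides what the site map shows; with the
         <location> rule above, UrlAuthorizationModule also rejects direct
         requests from users outside the "admin" role. -->
    <siteMap defaultProvider="AspNetXmlSiteMapProvider">
      <providers>
        <remove name="AspNetXmlSiteMapProvider" />
        <add name="AspNetXmlSiteMapProvider"
             type="System.Web.XmlSiteMapProvider, System.Web, ..."
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>
  </system.web>
</configuration>
```

A quick check after deploying: sign in as a user who is not in "admin" and request /CreateUser.aspx directly; the response should be a redirect to the login page or a 401, not the page itself.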




Essential ASP.NET 2.0
ISBN: 0321237706
Year: 2006
Pages: 104
