Sitemap trimming with Forms auth (Active Directory)

Discussion in 'ASP .Net Security' started by CJ, May 9, 2007.

  1. CJ

    CJ Guest

    Hi All,

    I am trying to get a site map working using the roles tag, but cannot
    get the items displaying/hiding depending on the roles. I am using
    forms authentication. I have tried multiple forms of authorization
    flags, adding locations etc. I've gone back to the basic configuration
    just to try to get the sitemap working properly, so I'm not worried about
    people accessing the urls directly. I will add that again. So at the
    current stage the things I added to my web.config look like this:

    <system.web>
    ..
    ..
    ..

      <authentication mode="Forms">
        <forms loginUrl="Logon.aspx" name="adAuthCookie" timeout="60" path="/">
        </forms>
      </authentication>
      <authorization>
        <deny users="?"/>
        <allow users="*"/>
      </authorization>
      <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
        <providers>
          <add name="XmlSiteMapProvider"
               description="Default SiteMap provider."
               type="System.Web.XmlSiteMapProvider"
               siteMapFile="Web.sitemap"
               securityTrimmingEnabled="true" />
        </providers>
      </siteMap>
    </system.web>



    My logon page seems to work fine using this method. I removed any
    location path="role names,,,"> tags just to try to get the sitemap
    working. The particular role I am trying to work on is called
    "adviser". I have some users in active directory in this group and
    some that aren't, so I'm trying to get it working for the different users.
    My sitemap file looks like this:

    <?xml version="1.0" encoding="utf-8" ?>
    <siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">

      <siteMapNode url="Default.aspx" title="Main Menu">
        <siteMapNode url="home_content.aspx" title="Home" roles="adviser" />
        ..
        ..
        etc


    I tried adding the following to my global.asax to get the identity
    object set up. This seems to go through fine when debugging, but I'm not
    sure if it's necessary:

    Protected Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As System.EventArgs)
        ' Runs on every request, after the forms ticket has been decrypted
        If HttpContext.Current.User IsNot Nothing Then
            If HttpContext.Current.User.Identity.IsAuthenticated Then
                If TypeOf HttpContext.Current.User.Identity Is FormsIdentity Then
                    Dim id As FormsIdentity = CType(HttpContext.Current.User.Identity, FormsIdentity)
                    Dim ticket As FormsAuthenticationTicket = id.Ticket

                    ' Get the stored user-data, in this case, our roles
                    ' (written as a "|"-separated list when the ticket was issued)
                    Dim userData As String = ticket.UserData
                    Dim roles() As String = userData.Split("|"c)

                    ' Replace the principal so User.IsInRole() sees these roles;
                    ' URL authorization and sitemap trimming both rely on it
                    HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(id, roles)
                End If
            End If
        End If
    End Sub


    Any ideas on what I'm doing wrong are much appreciated!

    Conor.
    CJ, May 9, 2007
    #1

  2. CJ

    CJ Guest

    A quick note:

    I tried adding the following to the forms auth tag but it didn't fix
    it:

    protection="All"

    Conor.
    CJ, May 9, 2007
    #2
  4. Dominick Baier

    You have to set up authorization elements for the pages/directories. Sitemap
    will pick up these settings.

    The roles attribute in web.sitemap is ONLY for overriding the settings made
    in <authorization>.

    Add <location path="xxx"> with authorization settings.

    btw - this is redundant:

    > <deny users="?"/>
    > <allow users="*"/>

    remove the allow at the end.


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    Dominick Baier, May 9, 2007
    #4
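    As an added illustration of the answer above (example configuration written for this page, not the poster's or Dominick's own files): a web.config that carries the per-page authorization rule the trimmer actually consults. The page name and role name are the ones from the question; the rest is assumed.

```xml
<!-- web.config: added example, not the original poster's configuration -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Logon.aspx" name="adAuthCookie" timeout="60" path="/" />
    </authentication>

    <!-- Site-wide rule: anonymous users ("?") are sent to the login page.
         No trailing <allow users="*"/> is needed; a request that matches
         no rule here falls through to the machine-level default, which
         allows everyone. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
      <providers>
        <add name="XmlSiteMapProvider"
             description="Default SiteMap provider."
             type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>
  </system.web>

  <!-- Per-page rule. Rules are evaluated top-down and the first match wins:
       members of "adviser" are allowed, every other user ("*") is denied.
       Security trimming asks URL authorization whether the current
       principal may reach home_content.aspx, so non-advisers no longer
       see the node, and, unlike a trimmed menu, the request itself is
       blocked if they type the URL directly. -->
  <location path="home_content.aspx">
    <system.web>
      <authorization>
        <allow roles="adviser" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

    With this rule in place the roles="adviser" attribute on the siteMapNode is no longer what hides the node; a roles attribute on a node only widens visibility (roles="*" would show the node to everyone regardless of the URL rule), so the <location> rule is the part that both trims the menu and enforces access.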
  5. CJ

    CJ Guest

    That works perfectly, thanks! I think I misinterpreted what that section
    was for and just removed it :S.

    Thanks very much for your guidance!

    Conor.
    CJ, May 9, 2007
    #5
