Sitemap trimming with Forms auth (Active Directory)

Discussion in 'ASP .Net Security' started by CJ, May 9, 2007.

  1. CJ

    CJ Guest

    Hi All,

    I am trying to get a site map working using the roles tag, but cannot
    get the items displaying/hiding depending on the roles. I am using
    forms authentication. I have tried multiple forms of authorization
    flags, adding locations etc. I've gone back to the basic configuration
    just to try to get the sitemap working properly, so I'm not worried about
    people accessing the URLs directly. I will add that again. So at the
    current stage the things I added to my web.config look like this:

    <system.web>
    ..
    ..
    ..

      <authentication mode="Forms">
        <forms loginUrl="Logon.aspx" name="adAuthCookie" timeout="60"
               path="/">
        </forms>
      </authentication>
      <authorization>
        <deny users="?"/>
        <allow users="*"/>
      </authorization>
      <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
        <providers>
          <add name="XmlSiteMapProvider"
               description="Default SiteMap provider."
               type="System.Web.XmlSiteMapProvider"
               siteMapFile="Web.sitemap"
               securityTrimmingEnabled="true" />
        </providers>
      </siteMap>
    </system.web>



    My logon page seems to work fine using this method. I removed any
    location path="role names,,,"> tags just to try to get the sitemap
    working. The particular role I am trying to work on is called
    "adviser". I have some users in Active Directory in this group and
    some that aren't, so I'm trying to get it working for the different users.
    My sitemap file looks like this:

    <?xml version="1.0" encoding="utf-8" ?>
    <siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">

      <siteMapNode url="Default.aspx" title="Main Menu">
        <siteMapNode url="home_content.aspx" title="Home"
                     roles="adviser" />
    ..
    ..
    etc


    I tried adding the following to my global.asax to get the identity
    object set up. This seems to go through fine when debugging, but I'm not
    sure if it's necessary:

    Protected Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As System.EventArgs)
        ' Runs on every request after the forms-auth cookie has been decrypted.
        If (HttpContext.Current.User IsNot Nothing) Then
            If (HttpContext.Current.User.Identity.IsAuthenticated) Then
                If (TypeName(HttpContext.Current.User.Identity) = "FormsIdentity") Then
                    Dim id As FormsIdentity = CType(HttpContext.Current.User.Identity, FormsIdentity)
                    Dim ticket As FormsAuthenticationTicket = id.Ticket

                    ' Get the stored user-data, in this case, our roles
                    ' (written into the ticket's UserData at logon, separated by "|")
                    Dim userData As String = ticket.UserData
                    Dim roles() As String = userData.Split("|"c)

                    ' Replace the principal so that IsInRole (and therefore
                    ' URL authorization and sitemap trimming) can see the roles
                    HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(id, roles)
                End If
            End If
        End If
    End Sub


    Any ideas on what I'm doing wrong is much appreciated!

    Conor.

    CJ, May 9, 2007
    #1

  2. CJ

    CJ Guest

    A quick note:

    I tried adding the following to the forms auth tag but it didn't fix
    it:

    protection="All"

    Conor.

    CJ, May 9, 2007
    #2

  4. Dominick Baier

    You have to set up authorization elements for the pages/directories. Sitemap
    will pick up these settings.

    The roles attribute in web.sitemap is ONLY for overriding the settings made
    in <authorization>

    add <location path="xxx"> with authorization settings.

    btw - this is redundant:

    > <deny users="?"/>
    > <allow users="*"/>

    remove the allow at the end.

    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    Dominick Baier, May 9, 2007
    #4
  5. CJ

    CJ Guest

    That works perfectly, thanks! I think I misinterpreted what that section
    was for and just removed it :S.

    Thanks very much for your guidance!

    Conor.

    CJ, May 9, 2007
    #5
