roleProvider and Windows Authentication

Discussion in 'ASP .Net Security' started by Mark Parter, May 21, 2005.

  1. Mark Parter

    Mark Parter Guest

    I have a sitemap file containing all of the pages in my application so far. I
    have a menu control on a master page which uses this sitemap as its
    data source to build the menu. I'm using Windows authentication and the
    AspNetWindowsTokenRoleProvider, but when I assign roles to a siteMapNode, it
    is still shown in the menu, even though I'm not in the group specified!

    Here's the relevant section of my web.config;

    <roleManager defaultProvider="AspNetWindowsTokenRoleProvider" />
    <authentication mode="Windows"/>

    And my sitemap;

    <siteMapNode title="Registers" url="" description="">
        <siteMapNode title="New Register" url="~/registers/newregwiz.aspx"
            description="Create a new register based upon an issued register template" />
        <siteMapNode title="Edit Register" url="~/registers/editregister.aspx"
            description="Edit an existing register" />
        <siteMapNode title="Load Register" url="~/registers/loadregister.aspx"
            description="Load a Register for editing" SecurityTrimmingEnabled="true"
            roles="ARS_Administrators" />
        <siteMapNode title="Quick Register Entry" url="~/registers/qregentry.aspx"
            description="Quickly update a register" />
        <siteMapNode title="Register Entry" url="~/registers/regentry.aspx"
            description="Update a register" />
        <siteMapNode title="Register History" url="~/registers/reghist.aspx"
            description="Show the history of a register" />
    </siteMapNode>

    Any ideas why it's not working?
     
    Mark Parter, May 21, 2005
    #1

  2. Dominick Baier [DevelopMentor]

    Hello Mark,

    The roles attribute is intended to specify roles that should see the node
    in the navigation, regardless of their authorization.

    "securityTrimmingEnabled" uses the <authorization> elements in web.config
    to determine which nodes to show to whom.
     
    Dominick Baier [DevelopMentor], May 21, 2005
    #2

  3. Mark Parter

    Mark Parter Guest

    Which is what I'm getting at. How come I can still see this item in the menu
    when its roles attribute is set to a group which I am NOT a member of?
     
    Mark Parter, May 21, 2005
    #3
  4. ManniAT

    ManniAT Guest

    Hi Mark,

    did you enable securityTrimming in Web.config??

    Here is what I mean for the SiteMapProvider:
    <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
        <providers>
            <add name="XmlSiteMapProvider"
                description="Default SiteMap provider."
                type="System.Web.XmlSiteMapProvider"
                siteMapFile="Web.sitemap"
                securityTrimmingEnabled="true" />   !!!!!!!!!
        </providers>
    ..........

    You don't even have to specify the roles in the sitemap if there is a URL.
    (To be short I replace siteMapNode with SMN)
    <SMN title="Just an element" roles="Have, to, add, them, here">
        <SMN title="Here is a page" url="~/to/the/page.aspx" description="no roles needed" />
    </SMN>

    HTH

    Manfred
     
    ManniAT, May 22, 2005
    #4
  5. Mark Parter

    Mark Parter Guest

    Hi,

    My web.config is as laid out below;

    <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
        <providers>
            <add name="XmlSiteMapProvider"
                description="SiteMap provider which reads in .sitemap XML files."
                type="System.Web.XmlSiteMapProvider, System.Web,
                      Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                securityTrimmingEnabled="true"
                siteMapFile="Web.sitemap" />
        </providers>
    </siteMap>

    None of the security features seem to be working properly. I've also noticed
    that when securitytrimming is enabled, my siteMapPath control no longer
    displays the full path, it only shows the current page. For example, with
    securityTrimmingEnabled = "false", my siteMapPath shows;

    Page 1 > Page 2 > Page 3

    with it set to "false", my siteMapPath shows;

    Page 3

    ????

    Maybe I'm just being stupid but it just isn't performing as expected.
     
    Mark Parter, May 22, 2005
    #5
  6. ManniAT

    ManniAT Guest

    Hi Mark,

    as I take a close look at your sitemap I found the following:
    <siteMapNode title="Registers" url="" description="">
        <siteMapNode title="New Register" url="~/registers/newregwiz.aspx"
            description="Create a new register based upon an issued register template" />
        <siteMapNode title="Edit Register" url="~/registers/editregister.aspx"
            description="Edit an existing register" />
        <siteMapNode title="Load Register" url="~/registers/loadregister.aspx"
            description="Load a Register for editing" SecurityTrimmingEnabled="true"
            roles="ARS_Administrators" />
        <siteMapNode title="Quick Register Entry" url="~/registers/qregentry.aspx"
            description="Quickly update a register" />
        <siteMapNode title="Register Entry" url="~/registers/regentry.aspx"
            description="Update a register" />
        <siteMapNode title="Register History" url="~/registers/reghist.aspx"
            description="Show the history of a register" />
    </siteMapNode>

    Try to change this to:
    <siteMapNode roles="*" title="Registers" url="" description="Everyone sees">
        <siteMapNode title="New Register" url="~/registers/newregwiz.aspx"
            description="Create a new register based upon an issued register template" />
        <siteMapNode title="Edit Register" url="~/registers/editregister.aspx"
            description="Edit an existing register" />
        <siteMapNode title="Load Register" url="~/registers/loadregister.aspx"
            description="Load a Register for editing" />
        <siteMapNode title="Quick Register Entry" url="~/registers/qregentry.aspx"
            description="Quickly update a register" />
        <siteMapNode title="Register Entry" url="~/registers/regentry.aspx"
            description="Update a register" />
        <siteMapNode title="Register History" url="~/registers/reghist.aspx"
            description="Show the history of a register" />
    </siteMapNode>

    What did I change??
    First I added roles="*" to the first line.
    Then I removed (not needed) the roles="ARS_Administrators" from another node.

    Assume the following (I stated it - not very clearly - in my post before):
    If a node has no URL the system can't decide if this node is enabled for a specific role.
    Default==not visible -- this means (and I did here) you have to enter the appropriate roles to such a node.
    ---
    If a node has a URL the system can decide what roles are allowed to see this node.
    I prefer to leave roles out in this case - because when I make changes to the access rules,
    they are reflected automatically in the siteMap.

    So give this slightly changed siteMap a chance :)

    HTH

    Manfred
     
    ManniAT, May 22, 2005
    #6
  7. Mark Parter

    Mark Parter Guest

    Thanks, that did the trick for the "broken" siteMapPath :)

    So, if I want to restrict/hide say, the 'Edit Register" menu item, do I add
    a roles attribute to the node in the siteMap or add an authorization element
    to the web.config file, or both?

    Thanks again.
     
    Mark Parter, May 22, 2005
    #7
  8. ManniAT

    ManniAT Guest

    Hi Mark,

    I would not do it in the siteMap.
    As I mentioned in the post before - if you do it in both places - you will forget one :)

    So do it where it should be - and if you don't want somebody (not in a special role) to open
    page XXXX - then do this with Access, because if you only do it in the sitemap...."they" will find the link
    and the page opens (sitemap does only hide the link!!!).
    And on the other hand - if you want another role to also open page XXXX ----
    add the appropriate access right for the role --- BUT the link won't
    show up if you don't correct it in sitemap.

    So (my suggestion): for "non links" you have to do it in sitemap
    ---would be great if sitemap could learn from the pages below
    ---or don't display an item if below is nothing
    and for nodes with links - don't do it in sitemap.

    Cheers

    Manfred
     
    ManniAT, May 23, 2005
    #8
  9. Mark Parter

    Mark Parter Guest

    Hi,

    If I deny access to a URL via web.config like so;

    <location path="registers/editregister.aspx">
        <system.web>
            <authorization>
                <allow roles="ARS Administrators" />
                <deny users="*" />
            </authorization>
        </system.web>
    </location>

    it works great, but when adding the roles attribute to the siteMap, it's
    still not "hiding" the menu option.
     
    Mark Parter, May 23, 2005
    #9
  10. ManniAT

    ManniAT Guest

    Hi,

    for me it works - but I give access to directories - not to files!
    One dir like this:

    <system.web>
        <authorization>
            <allow roles="Admins" />
            <allow roles="BSTR Admins" />
            <allow roles="BSTR Members" />
            <deny users="?" />
        </authorization>
    </system.web>
    And the other like this:
    <system.web>
        <authorization>
            <allow roles="Admins" />
            <allow roles="BSTR Admins" />
            <deny users="*" />
        </authorization>
    </system.web>
    If you are an Admin you see both - otherwise you see only the first!
    Even one dir where every role (or better: no anonymous) can access pages works like this:
    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
    So last not least my siteMap
    <siteMapNode url="~/Default.aspx" title="Startseite" description="Zur ISatTrack Startseite">
        <siteMapNode roles="Admins, BSTR Admins" title="Administration" description="Administrationsbereich">
            <siteMapNode url="~/Admin/Default.aspx" title="Hauptseite" description="Übersicht für Administratoren">
                <siteMapNode url="~/Admin/UserMgmt.aspx" title="Benutzer" description="Verwaltung der Benutzer" />
                <siteMapNode url="~/Admin/PCs.aspx" title="PCs" description="Administration der PCs" />
            </siteMapNode>
        </siteMapNode>
        <siteMapNode roles="Admins, BSTR Admins, BSTR Members" title="Mitarbeiterbereich" description="Mitarbeiterbereich">
            <siteMapNode url="~/Members/Default.aspx" title="Hauptseite" description="Übersicht für Mitarbeiter">
                <siteMapNode url="~/Members/Software.aspx" title="Software" description="Softwaredownloads" />
            </siteMapNode>
        </siteMapNode>
        <siteMapNode roles="Users, Admins, BSTR Admins, BSTR Members" title="Benutzerbereich" description="Bereich Benutzer">
            <siteMapNode url="~/RegistredUsers/Default.aspx" title="Hauptseite" description="Übersicht für angemeldete Benutzer">
                <siteMapNode url="~/RegistredUsers/CMRRequest.aspx" title="CMR Abfrage" description="CMRs abfragen" />
                <siteMapNode url="~/RegistredUsers/ChgPWD.aspx" title="Passwort ändern" description="Ändern Sie regelmäßig Ihr Passwort" />
            </siteMapNode>
        </siteMapNode>
    </siteMapNode>
    The things work as expected for me!
    The only "unexpected" thing was - that for "Bereich Benutzer" I had to add all roles,
    since roles="*" also works for users not in any role - and roles="?" is not supported.

    Cheers

    Manfred
     
    ManniAT, May 23, 2005
    #10
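    Pulling the thread's advice together (posts #2, #6, #8 and #10), here is an added configuration example that is not from any of the posters: web.config and Web.sitemap for a Windows-authenticated site where the <authorization> rules are the only thing that grants or denies access, and security trimming merely follows them to decide which links to draw. Group names (ARS_Administrators), directory names and page paths are assumptions chosen to mirror Mark's layout; the one setting the thread never mentions, roleManager enabled="true", is required because the role manager is disabled by default in ASP.NET 2.0, so without it the Windows token role provider is never consulted and roles attributes in the sitemap have nothing to match against.

```xml
<!-- ===== web.config (relevant sections only; added example, not the poster's file) ===== -->
<configuration>
  <system.web>
    <authentication mode="Windows" />

    <!-- roleManager is OFF by default; enabled="true" is what makes
         IsInRole() answer from the user's Windows group token -->
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />

    <!-- securityTrimmingEnabled sits on the provider, not on a siteMapNode -->
    <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
      <providers>
        <clear />
        <add name="XmlSiteMapProvider"
             type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>

    <!-- site-wide baseline: no anonymous access anywhere -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- the real enforcement point: URL authorization for the admin folder.
       ARS_Administrators is a hypothetical Windows group name -->
  <location path="registers/admin">
    <system.web>
      <authorization>
        <allow roles="ARS_Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

<!-- ===== Web.sitemap (added example) ===== -->
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode title="Home" url="~/Default.aspx" description="Start page">

    <!-- container without a url: trimming has no URL to authorize, so it
         would be hidden by default; roles="*" keeps it visible to everyone -->
    <siteMapNode title="Registers" roles="*" description="Register tasks">

      <!-- ordinary page: no roles attribute, visibility follows <authorization> -->
      <siteMapNode title="Edit Register"
                   url="~/registers/editregister.aspx"
                   description="Edit an existing register" />

      <!-- admin-only page: still no roles attribute; the <location> rule above
           both blocks the request and hides the link for non-admins -->
      <siteMapNode title="Load Register"
                   url="~/registers/admin/loadregister.aspx"
                   description="Load a register for editing" />
    </siteMapNode>
  </siteMapNode>
</siteMap>
```

    Two caveats a practitioner should check against this layout. First, a roles attribute on a node that has a url only ever widens who sees the link (a user sees the node if URL authorization permits it or if they are in one of the listed roles), which is why adding roles="ARS_Administrators" in the original post did not hide anything; hiding is achieved by leaving the attribute off and letting the <location> rule decide. Second, trimming is cosmetic: a user who types the URL directly is stopped only by the <authorization> element, so that element, not the sitemap, is the control to review.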
