Mark #1
roleProvider and Windows Authentication
I have a sitemap file containing all of the pages in my application so far. I
have a menu control on a master page which uses this sitemap as its
datasource to build the menu. I'm using Windows authentication and the
AspNetWindowsTokenRoleProvider but when I assign roles to a siteMapNode, it
is still shown in the menu, even though I'm not in the group specified!
Here's the relevant section of my web.config;
<roleManager defaultProvider="AspNetWindowsTokenRoleProvider" />
<authentication mode="Windows"/>
And my sitemap;
<siteMapNode title="Registers" url="" description="">
<siteMapNode title="New Register" url="~/registers/newregwiz.aspx"
description="Create a new register based upon an issued reigster template" />
<siteMapNode title="Edit Register" url="~/registers/editregister.aspx"
description="Edit an existing register" />
<siteMapNode title="Load Register" url="~/registers/loadregister.aspx"
description="Load a Register for editing" SecurityTrimmingEnabled="true"
roles="ARS_Administrators" />
<siteMapNode title="Quick Register Entry" url="~/registers/qregentry.aspx"
description="Quickly update a register" />
<siteMapNode title="Register Entry" url="~/registers/regentry.aspx"
description="Update a register" />
<siteMapNode title="Register History" url="~/registers/reghist.aspx"
description="Show the history of a register" />
</siteMapNode>
Any ideas why it's not working?
Mark Guest
-
Dominick #2
Re: roleProvider and Windows Authentication
Hello Mark,
The roles attribute is intended to specify roles that should see the node
in the navigation, regardless of their authorization.
"securityTrimmingEnabled" uses the <authorization> elements in web.config
to determine which nodes to show to whom.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Dominick Guest
-
Mark #3
Re: roleProvider and Windows Authentication
Which is what I'm getting at. How come I can still see this item in the menu
when its role attribute is set to a group which I am NOT a member of?
Mark Guest
-
ManniAT #4
Re: roleProvider and Windows Authentication
Hi Mark,
did you enable securityTrimming in Web.config??
Here is what I mean for the SiteMapProvider:
<siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
  <providers>
    <add name="XmlSiteMapProvider"
         description="Default SiteMap provider."
         type="System.Web.XmlSiteMapProvider"
         siteMapFile="Web.sitemap"
         securityTrimmingEnabled="true" />   <!-- !!!!!!!!! -->
  </providers>
..........
You don't even have to specify the roles in the sitemap if there is a URL.
(To be short I replace siteMapNode with SMN)
<SMN title="Just an element" roles="Have, to, add, them, here">
  <SMN title="Here is a page" url="~/to/the/page.aspx" description="no roles needed" />
</SMN>
HTH
Manfred
ManniAT Guest
-
Mark #5
Re: roleProvider and Windows Authentication
Hi,
My web.config is as laid out below;
<siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
<providers>
<add name="XmlSiteMapProvider"
description="SiteMap provider which reads in .sitemap XML files."
type="System.Web.XmlSiteMapProvider, System.Web,
Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
securityTrimmingEnabled ="true"
siteMapFile="Web.sitemap" />
</providers>
</siteMap>
None of the security features seem to be working properly. I've also noticed
that when securitytrimming is enabled, my siteMapPath control no longer
displays the full path, it only shows the current page. For example, with
securityTrimmingEnabled = "false", my siteMapPath shows;
Page 1 > Page 2 > Page 3
with it set to "false", my siteMapPath shows;
Page 3
????
Maybe I'm just being stupid but it just isn't performing as expected.
Mark Guest
-
ManniAT #6
Re: roleProvider and Windows Authentication
Hi Mark,
when I took a close look at your sitemap I found the following:
<siteMapNode title="Registers" url="" description="">
<siteMapNode title="New Register" url="~/registers/newregwiz.aspx"
description="Create a new register based upon an issued reigster template" />
<siteMapNode title="Edit Register" url="~/registers/editregister.aspx"
description="Edit an existing register" />
<siteMapNode title="Load Register" url="~/registers/loadregister.aspx"
description="Load a Register for editing" SecurityTrimmingEnabled="true"
roles="ARS_Administrators" />
<siteMapNode title="Quick Register Entry" url="~/registers/qregentry.aspx"
description="Quickly update a register" />
<siteMapNode title="Register Entry" url="~/registers/regentry.aspx"
description="Update a register" />
<siteMapNode title="Register History" url="~/registers/reghist.aspx"
description="Show the history of a register" />
</siteMapNode>
Try changing this to:
<siteMapNode roles="*" title="Registers" url="" description="Everyone sees">
<siteMapNode title="New Register" url="~/registers/newregwiz.aspx"
description="Create a new register based upon an issued reigster template" />
<siteMapNode title="Edit Register" url="~/registers/editregister.aspx"
description="Edit an existing register" />
<siteMapNode title="Load Register" url="~/registers/loadregister.aspx"
description="Load a Register for editing" />
<siteMapNode title="Quick Register Entry" url="~/registers/qregentry.aspx"
description="Quickly update a register" />
<siteMapNode title="Register Entry" url="~/registers/regentry.aspx"
description="Update a register" />
<siteMapNode title="Register History" url="~/registers/reghist.aspx"
description="Show the history of a register" />
</siteMapNode>
What did I change??
First I added roles="*" to the first line.
Then I removed (not needed) the roles="ARS_Administrators" from another node.
Assume the following (I stated this, not very clearly, in my previous post):
If a node has no URL the system can't decide if this node is enabled for a specific role.
Default==not visible -- this means (and I did here) you have to enter the appropriate roles to such a node.
---
If a node has a URL the system can decide what roles are allowed to see this node.
I prefer to leave roles out in this case - because when I make changes to the access rules,
they are reflected automatically in the siteMap.
So give this slightly changed siteMap a chance :-)
HTH
Manfred
ManniAT Guest
-
Mark #7
Re: roleProvider and Windows Authentication
Thanks, that did the treat for the "broken" siteMapPath :)
So, if I want to restrict/hide say, the 'Edit Register' menu item, do I add
a roles attribute to the node in the siteMap or add an authorization element
to the web.config file, or both?
Thanks again.
Mark Guest
-
ManniAT #8
Re: roleProvider and Windows Authentication
Hi Mark,
I would not do it in the siteMap.
As I mentioned in the post before - if you do it in both places - you will forget one :-)
So do it where it should be - and if you don't want somebody (not in a special role) to open
page XXXX - then do this with Access because if you only do it in the sitemap...."they" will find the link
and the page opens (sitemap does only hide the link!!!).
And on the other hand - if you want another role to also open page XXXX ----
add the appropriate access right for the role --- BUT the link won't
show up if you don't correct it in sitemap.
So (my suggestion): for "non links" you have to do it in sitemap
---would be great if sitemap could learn from the pages below
---or don't display an item if below is nothing
and for nodes with links - don't do it in sitemap.
Cheers
Manfred
ManniAT Guest
-
Dominick #9
Re: roleProvider and Windows Authentication
Enable security trimming in web.config and use the authorization element - you have to authorize anyway - then use the role attribute in the sitemap file - if you want to show the links regardless of authorization.
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Dominick Guest
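
The arrangement recommended in this thread, as an added example that is not part of any post: URL authorization in web.config enforces access and, with securityTrimmingEnabled on the provider, also hides the link, while roles is set only on the URL-less parent node. EXAMPLEDOMAIN is a placeholder and enabled="true" on roleManager is added here; the other names come from the posts above.

```xml
<!-- Added example. Fragment 1 of 2: web.config -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <!-- roleManager is off unless enabled="true" is set -->
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
    <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
      <providers>
        <!-- Trimming is switched on here, on the provider, not on a siteMapNode -->
        <add name="XmlSiteMapProvider"
             type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>
  </system.web>

  <!-- Enforcement: this rule blocks the request itself, and the trimmed
       menu follows it. Windows groups are named DOMAIN\group (or
       MACHINE\group for a local group); EXAMPLEDOMAIN is a placeholder. -->
  <location path="registers/editregister.aspx">
    <system.web>
      <authorization>
        <allow roles="EXAMPLEDOMAIN\ARS_Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

<!-- Added example. Fragment 2 of 2: Web.sitemap -->
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <!-- No url, so there is nothing for URL authorization to evaluate:
       this node needs roles to stay visible once trimming is on. -->
  <siteMapNode title="Registers" url="" description="" roles="*">
    <!-- No roles here: visibility comes from the location rule above.
         A roles attribute would only widen who sees the link; it never
         restricts who can open the page. -->
    <siteMapNode title="Edit Register" url="~/registers/editregister.aspx"
                 description="Edit an existing register" />
    <siteMapNode title="Register History" url="~/registers/reghist.aspx"
                 description="Show the history of a register" />
  </siteMapNode>
</siteMap>
```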
-
Mark #10
Re: roleProvider and Windows Authentication
Hi,
If I deny access to a URL via web.config like so;
<location path="registers/editregister.aspx">
<system.web>
<authorization>
<allow roles="ARS Administrators" />
<deny users="*" />
</authorization>
</system.web>
</location>
it works great, but when adding the roles attribute to the siteMap, it's
still not "hiding" the menu option.
Mark Guest
-
ManniAT #11
Re: roleProvider and Windows Authentication
Hi,
for me it works - but I give access to directories - not to files!
One dir like this:
<system.web>
<authorization>
<allow roles="Admins" />
<allow roles="BSTR Admins" />
<allow roles="BSTR Members" />
<deny users="?" />
</authorization>
</system.web>
And the other like this:
<system.web>
<authorization>
<allow roles="Admins" />
<allow roles="BSTR Admins" />
<deny users="*" />
</authorization>
</system.web>
If you are an Admin you see both - otherwise you see only the first!
Even one dir where every role (or better no anonymous) can access pages works like this:
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
So last not least my siteMap
<siteMapNode url="~/Default.aspx" title="Startseite" description="Zur ISatTrack Startseite">
  <siteMapNode roles="Admins, BSTR Admins" title="Administration" description="Administrationsbereich">
    <siteMapNode url="~/Admin/Default.aspx" title="Hauptseite" description="Übersicht für Administratoren">
      <siteMapNode url="~/Admin/UserMgmt.aspx" title="Benutzer" description="Verwaltung der Benutzer" />
      <siteMapNode url="~/Admin/PCs.aspx" title="PCs" description="Administration der PCs" />
    </siteMapNode>
  </siteMapNode>
  <siteMapNode roles="Admins, BSTR Admins, BSTR Members" title="Mitarbeiterbereich" description="Mitarbeiterbereich">
    <siteMapNode url="~/Members/Default.aspx" title="Hauptseite" description="Übersicht für Mitarbeiter">
      <siteMapNode url="~/Members/Software.aspx" title="Software" description="Softwaredownloads" />
    </siteMapNode>
  </siteMapNode>
  <siteMapNode roles="Users, Admins, BSTR Admins, BSTR Members" title="Benutzerbereich" description="Bereich Benutzer">
    <siteMapNode url="~/RegistredUsers/Default.aspx" title="Hauptseite" description="Übersicht für angemeldete Benutzer">
      <siteMapNode url="~/RegistredUsers/CMRRequest.aspx" title="CMR Abfrage" description="CMRs abfragen" />
      <siteMapNode url="~/RegistredUsers/ChgPWD.aspx" title="Passwort ändern" description="Ändern Sie regelmäßig Ihr Passwort" />
    </siteMapNode>
  </siteMapNode>
</siteMapNode>
The things work like expected for me!
The only "unexpected" thing was - that for "Bereich Benutzer" I had to add all roles,
since roles="*" also works for users not in any role - and roles="?" is not supported.
Cheers
Manfred
ManniAT Guest
-
Mark #12
Re: roleProvider and Windows Authentication
The main problem I seem to be having is that the authorization element in the
web.config is not picking up any local groups. If I add my AD account to a
domain account, it works fine. If I add my AD account to a local group on my
test machine and change the web.config accordingly, it doesn't work.
I've seen a few people having issues with local groups but none of them ever
posted if they got it working or not :(
Mark Guest
-
ManniAT #13
Re: roleProvider and Windows Authentication
Hi Mark,
I didn't see that you use AD and not a role provided by the default role provider!!
Manfred
ManniAT Guest




