ASP.NET Menu and SiteMap Security Trimming

With ASP.NET 2.0 (the Visual Studio 2005 release) Microsoft introduced a pretty solid Menu control which is integrated with a configuration driven sitemap. The cool part is that the menu can be hooked in with your security roles, so you don’t have to worry about hiding or showing menu options based on the user: with security trimming turned on, the menu options are automatically kept in sync with what the user is allowed to see. One thing to keep straight from the start: trimming only hides links. The actual access control is the URL authorization in web.config (step three), and it has to be right on its own, because anyone can type the URL of a page that isn’t in their menu.


Step one – Define the Sitemap

I’m using a static sitemap defined in a Web.sitemap file, and it’s especially simple since there’s only one level of nesting involved (the Admin group). This uses the default XmlSiteMapProvider; there are other sitemap providers available on the internets, such as a SQL Sitemap Provider for database driven site structure, or you can implement your own provider if you’ve got a custom situation.

The roles attribute on a node is worth understanding before you lean on it: it widens visibility, it doesn’t restrict it. With trimming enabled a node is shown when the user is in one of the listed roles (or the list is "*"), and otherwise when URL authorization would let that user reach the node’s url. A node with no url, like the Admin group below, is shown only through its roles. So roles="*" on a page that web.config protects puts a link in everyone’s menu that most of them can’t open.

<?xml version="1.0" encoding="utf-8" ?>
<!-- XmlSiteMapProvider checks for exactly this namespace (http, not https) -->
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
  <siteMapNode url="~/" title="Home" description="" roles="*">
    <siteMapNode url="~/About" title="About" description="" roles="*" />
    <siteMapNode url="~/Contact" title="Contact" description="" roles="*" />
    <!-- No url: this grouping node is shown only to users in the listed roles -->
    <siteMapNode url="" title="Admin" description="" roles="Administrator">
      <siteMapNode url="~/Admin/SendEmail.aspx" title="Send email" description="" roles="Administrator" />
      <siteMapNode url="~/Admin/Test.aspx" title="Test transaction" description="" roles="Administrator" />
    </siteMapNode>
    <siteMapNode url="~/Report/ReportTransactions.aspx" title="Transaction" description="" roles="Administrator" />
  </siteMapNode>
</siteMap>


Step two – Register the Sitemap provider in web.config

Security trimming is off by default, so the securityTrimmingEnabled="true" on the provider is the part that makes the menu honour roles and URL authorization at all:

  <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
    <providers>
      <add name="XmlSiteMapProvider"
           description="Default SiteMap provider."
           type="System.Web.XmlSiteMapProvider"
           siteMapFile="Web.sitemap"
           securityTrimmingEnabled="true" />
    </providers>
  </siteMap>


Step three – Set required roles for the pages

This section of the web.config looks long, but you’ll see it’s very repetitive. MSDN’s information on setting up authorization rules is pretty well written, so take a look there if you’d like more info. The high points:

  • Rules are processed top to bottom, and the first rule that matches the user wins; rules in a <location> block are checked before the site-wide ones, and if nothing matches the request is allowed. For example in the Upload.aspx case, a user in the Uploader role is allowed right off the bat by the first rule, and everyone else is denied by the <deny users="*" /> that follows it.
  • Pages which are displayed to all authenticated users just need to deny unauthenticated users, like this: <deny users="?" /> ("?" stands for the anonymous user, "*" for everyone).
  • There’s no wildcard for roles in authorization rules, so you can’t say something like <allow roles="*">. (The sitemap’s own roles attribute does accept "*", but that only widens who sees the node; it grants no access.)
  • Role based permissions are configured by default in machine.config (using both AspNetSqlRoleProvider and AspNetWindowsTokenRoleProvider), but the role manager itself is disabled there: you need <roleManager enabled="true" /> in web.config, otherwise IsInRole is false for every role, the Administrator nodes never show up and the role-based allow rules never match. The SQL Role Provider assumes a database connection string named LocalSqlServer, so if your profile information is stored somewhere.

The fragment shown here opens a single page to anonymous users:

  <location path="psta.aspx">
    <system.web>
      <authorization>
        <allow users="?" />   <!-- "?" is the anonymous user -->
      </authorization>
    </system.web>
  </location>


Step four – add a Sitemap Data Source and a Menu

  <asp:SiteMapDataSource runat="server" ID="siteMapDataSource" ShowStartingNode="false" />
  <asp:Menu runat="server" ID="MainMenu" Orientation="Horizontal" DataSourceID="siteMapDataSource" />

ShowStartingNode="false" drops the root Home node, so the top level of the menu starts at About. The data source only hands the Menu the nodes the current user may see, and a node the user can’t see takes its children with it, which is why the Admin group needs no url of its own.
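The four steps wire trimming and URL authorization together, but nothing checks that the two agree for a given user. The following is an added example, not code from the original post or from ASP.NET, that models what SiteMapProvider.IsAccessibleToUser and UrlAuthorizationModule do on a Web.sitemap and web.config pair and reports menu entries a user would see but could not open. It also exercises the rule ordering from step three (allow-first for Upload.aspx, deny-anonymous on an Account folder). The sitemap is the post’s with Contact and Test left out and Transaction deliberately changed to roles="*"; the web.config, the User class and every function name are constructed for the example.

```python
"""Offline model of ASP.NET 2.0 sitemap security trimming against URL authorization.

Mimics SiteMapProvider.IsAccessibleToUser (securityTrimmingEnabled="true") and the
UrlAuthorizationModule rule walk. Modelled semantics (verbs attribute and file
authorization are ignored):
  * a node's roles attribute is additive: "*" or a matching role shows the node
    regardless of web.config; otherwise its url goes through the authorization
    rules; a node with no url and no matching role is hidden;
  * rules run top to bottom, deepest matching <location> first, then parent rules;
    first match wins, implicit allow at the end; users="*" is everyone, users="?"
    is anonymous only; a rule matches on its users OR its roles.
"""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/AspNet/SiteMap-File-1.0}"

# Constructed inputs: the post's sitemap (Contact and Test omitted) with the
# Transaction node deliberately given roles="*", the mistake this check catches,
# plus a hypothetical web.config with the kind of <location> rules step three describes.
WEB_SITEMAP = """<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="~/" title="Home" roles="*">
    <siteMapNode url="~/About" title="About" roles="*" />
    <siteMapNode url="" title="Admin" roles="Administrator">
      <siteMapNode url="~/Admin/SendEmail.aspx" title="Send email" roles="Administrator" />
    </siteMapNode>
    <siteMapNode url="~/Report/ReportTransactions.aspx" title="Transaction" roles="*" />
  </siteMapNode>
</siteMap>"""

WEB_CONFIG = """<configuration>
  <system.web><authorization><allow users="*" /></authorization></system.web>
  <location path="Admin"><system.web><authorization>
    <allow roles="Administrator" /><deny users="*" /></authorization></system.web></location>
  <location path="Report/ReportTransactions.aspx"><system.web><authorization>
    <allow roles="Administrator" /><deny users="*" /></authorization></system.web></location>
  <location path="Upload.aspx"><system.web><authorization>
    <allow roles="Uploader" /><deny users="*" /></authorization></system.web></location>
  <location path="Account"><system.web><authorization>
    <deny users="?" /></authorization></system.web></location>
</configuration>"""


class User:
    """name == "" models an unauthenticated request (hypothetical stand-in for IPrincipal)."""
    def __init__(self, name="", roles=()):
        self.name = name.lower()
        self.roles = {r.lower() for r in roles}


def _split(attr):
    return [x.strip().lower() for x in attr.split(",") if x.strip()]


def _rule_matches(rule, user):
    for u in _split(rule.get("users", "")):
        if u == "*" or (u == "?" and not user.name) or u == user.name:
            return True
    return any(r in user.roles for r in _split(rule.get("roles", "")))


def _auth_rules(parent):
    """The <allow>/<deny> elements under <system.web><authorization> of parent."""
    return [rule for sw in parent if sw.tag == "system.web"
            for auth in sw if auth.tag == "authorization" for rule in auth]


def load_rules(config_xml):
    """(root rules, [(location path, rules), ...]) parsed from web.config text."""
    root = ET.fromstring(config_xml)
    locations = [(loc.get("path", "").strip("/").lower(), _auth_rules(loc))
                 for loc in root if loc.tag == "location"]
    return _auth_rules(root), locations


def url_allowed(url, user, rules):
    """UrlAuthorizationModule: the first matching rule decides, deepest <location> first."""
    root_rules, locations = rules
    path = url.lstrip("~").strip("/").lower()
    scoped = sorted((loc for loc in locations
                     if loc[0] and (path == loc[0] or path.startswith(loc[0] + "/"))),
                    key=lambda loc: len(loc[0]), reverse=True)
    for rule in [r for _, rs in scoped for r in rs] + root_rules:
        if _rule_matches(rule, user):
            return rule.tag == "allow"
    return True  # implicit <allow users="*" /> at the bottom of the merged rules


def node_accessible(node, user, rules):
    """SiteMapProvider.IsAccessibleToUser with security trimming enabled."""
    if any(r == "*" or r in user.roles for r in _split(node.get("roles", ""))):
        return True
    url = node.get("url", "")
    return bool(url) and url_allowed(url, user, rules)


def visible_menu(sitemap_xml, user, rules):
    """(title, url) of nodes the Menu would render; a hidden node hides its subtree."""
    out = []
    def walk(parent):
        for child in parent.findall(NS + "siteMapNode"):
            if node_accessible(child, user, rules):
                out.append((child.get("title"), child.get("url", "")))
                walk(child)
    walk(ET.fromstring(sitemap_xml))
    return out


def menu_leaks(sitemap_xml, user, rules):
    """Titles shown to the user whose url the same user would be refused."""
    return [title for title, url in visible_menu(sitemap_xml, user, rules)
            if url and not url_allowed(url, user, rules)]
```

Run menu_leaks for each role you have: an anonymous visitor gets Transaction reported, because roles="*" shows the link while the Report location denies the request; giving the node roles="Administrator" (as the post’s sitemap does) or dropping the attribute so URL authorization alone decides makes the report empty. The url_allowed function on its own is the quicker way to sanity-check a rule ordering than clicking through the site as each user.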
