First, Introduction
In this article, we will explore the membership, roles, and configuration issues of ASP.NET 2.0. The ASP.NET membership system provides a programmable API for creating and managing user accounts, and the roles feature lets developers define a set of roles and associate users with them. Typically, a Web site that provides user accounts has some content that is accessible only to certain users, to authenticated users, or to users belonging to a particular role.
For example, a Web site might have a set of pages that allow a trusted user to edit the content of the Web site or manage existing users. Instead of simply trying to hide these pages and hoping that no one stumbles onto them while browsing, or hard-coding authorization to allow only a single user, a stronger and safer approach is to define an Administrator role and assign it to a select set of trusted users. These management pages are then configured to allow access only to users who have the Administrator role. Similarly, the Web site might contain a set of pages that only authenticated users can access.
Because some parts of the site may be accessible only to some users, setting up site navigation presents a bit of a dilemma. Do we want to include pages that only authorized users can access in the site map of the Web site? If we do, then all users will see the restricted pages in the menu or tree view of the site. Why can't we show links to these pages only to the users who can access them? If we remove these restricted pages from the site map, the authorized users cannot easily navigate to them, because the pages are not part of the site map and therefore do not appear in the tree view or menu of the site!
Thankfully, site navigation in ASP.NET 2.0 provides a feature called security trimming. When site map information is obtained with security trimming enabled, only the site map nodes that the currently logged-on user is authorized to access are returned. This means that the site's TreeView or Menu will contain only those portions that are accessible to the currently logged-on user. To learn how to configure site navigation to support security trimming, read on!
Second, configure ASP.NET 2.0 membership and (optionally) roles
Because site navigation trims the site map data based on the user accessing the page and the authorization settings defined for the pages in the site map, before we can examine security trimming you must first configure your Web site to use the ASP.NET 2.0 membership feature. (You can also configure the site to use roles and take advantage of role-based authorization, but this is not required to demonstrate security trimming.) A detailed discussion of how to configure a site to use membership and roles is beyond the scope of this article.
If you don't want to spend time setting up the membership and role features on a new Web site, you can use the Web site that can be downloaded later in this article. Specifically, it has two roles, Administrator and Tester, and four users:
· Superman, whose roles are Administrator and Tester
· Admin, whose role is Administrator
· Mr.tester, whose role is Tester
· Average User, who has no role
Also, I have three folders in the project: Admin, tester and Authusersonly. The first two folders have been configured to allow access only to users who have the Administrator and Tester roles, respectively. The Authusersonly folder is restricted to authenticated users only.
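The folder restrictions just described, written as URL authorization rules in the root Web.config. This is an added example, not part of the original article or its download; the folder and role names are taken from the text above, and their exact casing is an assumption. Security trimming reads these rules to decide which nodes to show, but the rules themselves are what block a direct request for a restricted page.

```xml
<!-- Added example: root Web.config fragment (not the article's own file).
     Folder names (Admin, tester, Authusersonly) and role names
     (Administrator, Tester) are from the article; casing is assumed.
     Role-based rules require the role manager to be enabled. -->
<configuration>

  <!-- Rules are evaluated top to bottom and the first match wins,
       so the allow must precede the catch-all deny. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="tester">
    <system.web>
      <authorization>
        <allow roles="Tester" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- "?" means the anonymous user: denying it leaves the folder
       open to every authenticated user, with or without a role. -->
  <location path="Authusersonly">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

</configuration>
```

With these rules in place, the user Average User would be refused by Admin and tester but admitted to Authusersonly, and a trimmed site map would show that user the same result.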
Third, configure site navigation to use security trimming
By default, site navigation does not use security trimming. No matter which user is accessing the site, and no matter what authorization rules are defined, every user who views the site map data through a TreeView or Menu Web control sees all parts of the site map. When security trimming is enabled, the site navigation system automatically restricts the displayed results based on the currently logged-on user and the authorization for the page referenced by each <siteMapNode> element in the site map.
You can use the following markup to configure site navigation settings through the Web.config file:
<!-- Place inside the <system.web> element of Web.config.
     siteMapFileName is a placeholder for your site map file name. -->
<siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
  <providers>
    <add name="XmlSiteMapProvider"
         description="Default SiteMap provider."
         type="System.Web.XmlSiteMapProvider"
         siteMapFile="siteMapFileName"
         securityTrimmingEnabled="true" />
  </providers>
</siteMap>
Recall the discussion in the first part of this series: the site navigation system uses the provider model. This model gives developers a well-defined public API while allowing the internal implementation details to be customized if necessary. By default, site navigation uses XmlSiteMapProvider, which obtains site map information from the XML-formatted site map file Web.sitemap. You can change the provider in use through the Web.config file, or modify the settings of the default provider.
To customize the settings of the default provider, simply add a new provider that uses the same type as the default provider (System.Web.XmlSiteMapProvider) and set the desired values. The snippet shown above customizes two XmlSiteMapProvider settings:
The siteMapFile setting specifies the name of the site map file that the provider uses; by default, this value is Web.sitemap. If you like, you can customize the file name here. However, I encourage you to make sure that the site map file name ends with the .sitemap extension, because by default this extension is protected by the ASP.NET engine, preventing Web visitors from viewing the site map file.
The securityTrimmingEnabled setting indicates whether security trimming is used. To use security trimming, set it to true, as shown above.