Discussion on Membership, Roles and Security Trimming in ASP.NET 2.0 Site Navigation

Source: Internet
Author: User
First, Introduction

In this article, we will focus on how ASP.NET 2.0's site navigation works together with its Membership and Roles features. The ASP.NET Membership system provides a programmable API for creating and managing user accounts, and the Roles system lets developers define a set of roles and associate users with them. Typically, a Web site that provides user accounts has some content that may be viewed only by certain users, only by authenticated users, or only by users belonging to a particular role.

For example, a Web site might have a set of pages that allow trusted users to edit the site's content or manage existing users. Rather than simply hiding these pages and hoping nobody stumbles across them, or hard-coding authorization so that only a single user may reach them, a stronger and safer approach is to define an Administrator role and assign it to a select group of trusted users. The administrative pages are then configured to allow access only to users in the Administrator role. Similarly, the Web site might contain a set of pages that only authenticated users can access.

Since some parts of the site are accessible only to some users, site navigation faces a dilemma. Should pages that only authorized users can access be included in the site map? If they are, every user will see the restricted pages in the site's menu or TreeView, and why show links to pages a user cannot open? If the restricted pages are removed from the site map, the users who are authorized to visit them cannot navigate to them easily, because the pages are not in the site map and therefore do not appear in the site's TreeView or menu!

Thankfully, ASP.NET 2.0's site navigation provides a feature called security trimming. When site map information is retrieved with security trimming enabled, only the site map nodes that the currently logged-on user is authorized to access are returned. This means the site's TreeView or menu contains only those parts of the site map that the current user may visit. To learn how to configure site navigation to support security trimming, read on!


Second, configure ASP.NET 2.0 Membership and (optionally) Roles

Security trimming trims the site map data according to the user visiting the page and the authorization settings defined for the pages in the site map, so before security trimming can be examined, the Web site must first be configured to use the ASP.NET 2.0 Membership feature. (You can also configure the site to use Roles and take advantage of role-based authorization, but this is not required to demonstrate the security trimming concept.) A detailed discussion of how to configure a site to use Membership and Roles is beyond the scope of this article.

A working example is included in the download at the end of this article; it implements a securely trimmed site map for a Web site that uses Membership and Roles. If you do not want to spend time setting up Membership and Roles on a new Web site, you can use it. Specifically, the downloadable Web site has two roles, Administrator and Tester, and four users:

· Superman, who is in the Administrator and Tester roles
· Admin, who is in the Administrator role
· Mr.Tester, who is in the Tester role
· AverageUser, who is in no role

The project also has three folders: Admin, Tester and AuthUsersOnly. The first two are configured to allow access only to users in the Administrator and Tester roles, respectively. The AuthUsersOnly folder is restricted to authenticated users.
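The article does not show how the three folders are locked down, so the following Web.config fragment is an added example (it is not the article's own code or part of its download). It uses the article's folder and role names; the login page name Login.aspx is assumed. The point worth noticing is that these URL authorization rules, not the site map, are what actually control access: security trimming only decides which links are rendered.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the article or its download): Web.config
     fragments placing the Admin, Tester and AuthUsersOnly folders behind
     URL authorization. Login.aspx is an assumed page name. -->
<configuration>
  <system.web>
    <!-- Forms authentication: a request denied below is redirected to
         the login page, then back to the original URL after login. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
    <!-- Roles must be enabled or <allow roles="..."/> never matches. -->
    <roleManager enabled="true" />
  </system.web>

  <!-- Admin folder: Administrator role only. Rules are evaluated top-down
       and the first match wins, so the deny-all rule must come after the
       allow rule. Without the deny, the machine-wide default (allow
       everyone) still applies and the folder stays open. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Tester folder: Tester role only. -->
  <location path="Tester">
    <system.web>
      <authorization>
        <allow roles="Tester" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- AuthUsersOnly folder: "?" means the anonymous user, so this denies
       only visitors who have not logged in. -->
  <location path="AuthUsersOnly">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A quick check after applying this: request a page under Admin while logged in as the Tester-only user and confirm you are sent to the login page rather than the content. If the page renders, the deny rule is missing or ordered before the allow rule.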

Third, configure site navigation to use security trimming

By default, site navigation does not use security trimming. No matter which user visits the site and no matter what authorization rules are defined, every user who views the site map data through a TreeView or Menu Web control sees the entire site map. Once security trimming is enabled, the site navigation system automatically restricts the results based on the currently logged-on user and the authorization rules for the page each site map element refers to.

Site navigation is configured through the Web.config file using the following pattern:

```xml
<siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
  <providers>
    <add name="XmlSiteMapProvider"
         description="Default SiteMap provider."
         type="System.Web.XmlSiteMapProvider"
         siteMapFile="siteMapFileName"
         securityTrimmingEnabled="true" />
  </providers>
</siteMap>
```

Recall from the first part of this series that the site navigation system uses the provider model. This model gives developers a well-defined public API while allowing the internal implementation to be customized if necessary. By default, site navigation uses XmlSiteMapProvider, which obtains the site map information from the XML-formatted site map file Web.sitemap. You can change the provider used, or modify the settings of the default provider, in Web.config.

To customize the settings of the default provider, simply add a new provider that uses the same type as the default (System.Web.XmlSiteMapProvider) with the settings you want. The snippet above customizes two XmlSiteMapProvider settings:

The siteMapFile setting specifies the file name of the site map file used by the provider; by default this is Web.sitemap. You can use a different file name here if you like. However, make sure the site map file name ends with the .sitemap extension, because by default the ASP.NET engine protects this extension and prevents Web visitors from downloading site map files.

The securityTrimmingEnabled setting indicates whether security trimming is used. To enable security trimming, set it to true, as shown above.

That's all! With only this change, the site navigation system is smart enough to return the correct portion of the site map based on the currently logged-on user and the authorization settings defined for each node's URL. The following screenshot shows how the TreeView appears to an anonymous visitor (who is not logged in), to an ordinary user, and to the Admin user. The anonymous visitor sees only two links, Home and My Blog. The ordinary user sees one more link, Auth Users, which the anonymous visitor cannot see because that node's URL (~/authusers/default.aspx) is configured to allow only authenticated users. The Admin user sees an additional link because he is in the Administrator role and the URL of the Admin site map node (~/admin/default.aspx) is configured to allow access only to Administrators.

Fourth, preventing security trimming with the roles attribute

There may be times when you want to tell security trimming explicitly not to trim a section of the site map for a particular role or set of roles. For example, if the site map contains a link to an external resource, the site navigation system has no way to determine the authorization rules for that remote resource, so it trims the node for all users. That is, once security trimming is enabled, no user will see an external link in the TreeView or Menu control. Yet you may want the site navigation system to show this node to users in the Administrator and Tester roles, or to every user regardless of role.

Similarly, you may want to display a local site map node to users even if they are not authorized to access the resource. For example, a visitor who has not logged in will certainly not see the Admin link in the TreeView, but we may still want to show it. Clicking it navigates the user to the ~/admin/default.aspx page, where the system sees that they are not authenticated and sends them to the login page. After logging in, they are automatically redirected back to the Admin page. If they are not in the Administrator role they are sent back to the login page; otherwise they are granted access to the Admin section.

To prevent a particular site map node from being trimmed for particular roles, use the roles attribute on the appropriate element. (Note: this setting does not apply to descendant elements; you must set the attribute explicitly on each element that should be visible to additional roles.) The roles attribute may contain a single role name, a comma-separated list of role names, or an asterisk (*) to denote all users. The following excerpt from the site map file included in the download at the end of this article shows how the roles attribute makes an external site map node visible to all users. (Remember that with security trimming enabled, omitting the roles attribute here would cause the node to be shown to no user at all.)

```xml
<!-- For links to outside the site, explicitly define which
     roles should be shown this section -->
<siteMapNode url="http://www.example.com/" title="External Link" roles="*" />
```

(The url and title values are placeholders; the download uses its own.)

The roles attribute can also improve the performance of security trimming. Once security trimming is enabled, the site map provider automatically checks the authorization rules for every node defined in the site map. For nodes that should be shown to all users, adding roles="*" bypasses this check, as in the example above. Adding this attribute short-circuits the normal authorization check and thereby speeds up security trimming.
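The following Web.sitemap is an added example, not the article's download, that ties the trimming behaviour described in the previous two sections to concrete nodes. It assumes the folders and roles named in the article and the URL authorization rules they imply; the node titles, page names and external URL are assumed. It also shows the caveat a practitioner should keep in mind: a roles attribute changes only what is rendered, never what is authorized, so a user who sees a link they are not allowed to follow still ends up at the login page.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!-- Added example Web.sitemap (not the article's own file). Page names,
     titles and the external URL are assumed; folder and role names are
     the article's. Assumes securityTrimmingEnabled="true" in Web.config. -->
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="~/Default.aspx" title="Home">

    <!-- No authorization rule restricts these, so every visitor sees them. -->
    <siteMapNode url="~/Blog.aspx" title="My Blog" />

    <!-- AuthUsersOnly denies the anonymous user ("?"), so this node is
         trimmed for visitors who have not logged in. -->
    <siteMapNode url="~/AuthUsersOnly/Default.aspx" title="Auth Users" />

    <!-- Admin allows only the Administrator role, so only Administrators
         see this node (the behaviour shown in the article's screenshot). -->
    <siteMapNode url="~/Admin/Default.aspx" title="Admin" />

    <!-- roles= does not apply to descendants and grants no access: the
         Tester folder still allows only the Tester role. An Administrator
         who is not a Tester sees this link but, on clicking it, is sent
         to the login page by URL authorization. -->
    <siteMapNode url="~/Tester/Default.aspx" title="Tester"
                 roles="Administrator,Tester" />

    <!-- External resource: the provider cannot find authorization rules
         for it, so without roles="*" it would be trimmed for everyone.
         roles="*" also skips the per-node authorization check. -->
    <siteMapNode url="http://www.example.com/" title="External Site"
                 roles="*" />

  </siteMapNode>
</siteMap>
```

To verify the caveat, log in as the Admin user (Administrator only), confirm the Tester link is rendered, and then follow it: the request should be redirected to the login page rather than serving the Tester page.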


Fifth, Conclusion

In addition to site navigation support, ASP.NET 2.0 makes it easy to build Web sites with user accounts and role-based authorization. It is no surprise that these systems interoperate: the site map returned is tailored to the currently logged-on user and to the authorization settings for the URLs defined in the site map. Configuring site navigation to restrict its results according to the visiting user and the authorization settings is as easy as adding a few lines to the Web.config file.
