Security for Site Navigation
Site navigation can trim the SiteMapNode instances that a provider returns according to authorization rules (security trimming). XmlSiteMapProvider can trim nodes based on the file and URL authorization rules in effect for the current Web site.
The following example uses Forms authentication, with the user credentials stored in Web.config. In Global.asax, roles are added to the current request's principal depending on the user name. In Web.config, the securityTrimmingEnabled attribute of the site map provider entry (the element nested beneath the site map configuration element) is set to true. A set of URL authorization rules is also defined at the end of Web.config. When you run the example and log in, XmlSiteMapProvider automatically performs an authorization check on each SiteMapNode, based on the roles the user belongs to and the authorization rules defined in Web.config.
Use one of the following three accounts to run the sample:
· Userid: sectionone, Password: sectionone
· Userid: sectiontwo, Password: sectiontwo
· Userid: allsections, Password: allsections
There is an "exit" (log out) link in the upper-right corner of the page, so you can log out and log in again with a different account. Note that depending on the account you log in with, the TreeView and Menu controls in the navigation UI automatically reflect the access rights that user has been granted. The provider trims the returned nodes automatically; no additional code is required for this. When you log on with the "Sectionone" account, only the "Sectionone" link and the external link are displayed in the TreeView control on the left. When you log on with the "Sectiontwo" account, only the "Sectiontwo" link and the external link are displayed in the TreeView control on the left. When you log in with the "allsections" account, all the links are displayed in the TreeView control. The authorization rules in Web.config are configured to grant access to the "Sectionone" and "Sectiontwo" sections separately.
This example also shows how to handle URL security for links outside the application directory. In the Web.sitemap file, the external link node uses the roles attribute. The syntax roles="*" grants all users the right to retrieve and see that node in the navigation control, while roles="administrators,regular users" lets only users in those roles retrieve and see the node. Because the Global.asax file in the example places the user in both roles, you can always see the external link.
Developers can use both file/URL authorization rules and the roles attribute to control user access to SiteMapNode instances. If both are configured, the site navigation provider evaluates the current user against the file/URL authorization rules and against the roles attribute. If the user passes either check, the node is accessible.
If the default security behaviour does not suit your application, you can also derive a class from XmlSiteMapProvider and override the IsAccessibleToUser method with a custom node-authorization implementation.
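The site map provider registration that the example relies on but the fragments on this page do not show, as an added example rather than the sample's own Web.config; the provider name "TrimmedXmlProvider" is an assumption:

```xml
<!-- Added example (not the sample's own file): registers XmlSiteMapProvider with
     security trimming turned on. The provider name is an assumption. -->
<configuration>
  <system.web>
    <siteMap defaultProvider="TrimmedXmlProvider" enabled="true">
      <providers>
        <!-- Weak setting: securityTrimmingEnabled defaults to false, so every node in
             Web.sitemap is returned to every user, whatever the URL authorization rules say:
        <add name="TrimmedXmlProvider" type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap" securityTrimmingEnabled="false" />
        -->
        <!-- Corrected: nodes are checked against the file/URL authorization rules and
             the roles attribute before being handed to TreeView/Menu. Trimming only hides
             links; the <location> authorization rules are what actually block a request. -->
        <add name="TrimmedXmlProvider" type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap" securityTrimmingEnabled="true" />
      </providers>
    </siteMap>
  </system.web>
</configuration>
```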
The content of Web.config
The following is a reference fragment:
<system.web>
  <authentication mode="Forms">
    <!-- The timeout value is not preserved in the source fragment; the default (30 minutes) applies -->
    <forms name=".ASPXAUTH" loginUrl="Login.aspx" protection="All" path="/"
           requireSSL="false" slidingExpiration="true" defaultUrl="Home.aspx"
           cookieless="UseCookies" enableCrossAppRedirects="false">
      <!-- passwordFormat="Clear" stores these sample passwords in plain text in Web.config -->
      <credentials passwordFormat="Clear">
        <user name="Sectionone" password="Sectionone" />
        <user name="Sectiontwo" password="Sectiontwo" />
        <user name="allsections" password="Allsections" />
      </credentials>
    </forms>
  </authentication>
  <authorization>
    <!-- "?" is the anonymous user: every request must be authenticated -->
    <deny users="?" />
  </authorization>
</system.web>
<!-- Per-section rules: the named user or the Administrators role is allowed, everyone else is denied -->
<location path="Sectionone.aspx">
  <system.web>
    <authorization>
      <allow users="Sectionone" roles="Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="Sectionone">
  <system.web>
    <authorization>
      <allow users="Sectionone" roles="Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="Sectiontwo.aspx">
  <system.web>
    <authorization>
      <allow users="Sectiontwo" roles="Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="Sectiontwo">
  <system.web>
    <authorization>
      <allow users="Sectiontwo" roles="Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
Localize Site Map Data
The navigation data stored in the sitemap file may need to be localized. The url, title, and description attributes of a node element can be localized, as can any custom attributes the developer places on the node element.
The following example contains localized text in English and French. Its Web.sitemap file uses two kinds of localization expressions, implicit and explicit, to implement this. The sitemap file sets enableLocalization="true" on the root siteMap element to indicate that it uses localized data.
Implicit expressions in the sitemap file let developers mark each node element with a lookup key that is used to retrieve resources from a resource file. In the example Web.sitemap, every node except the first carries an implicit resource expression, with syntax such as resourceKey="autos". When XmlSiteMapProvider builds a SiteMapNode from the Web.sitemap file, it uses the node's ResourceKey together with the name of the SiteMapNode property to look up the string resource in the resource file associated with the siteMapFile configured for the provider. For the "autos" node in the example, the provider looks for resource files whose names begin with "Web.sitemap", chosen according to the current culture. This means that for a browser that sends a French language header, the provider looks for a resource file named Web.sitemap.fr.resx. In that resource file, the provider looks up the resource key formed as ResourceKey + "." + [SiteMapNode property name]. For example, for the title attribute of the "autos" node, the provider looks in Web.sitemap.fr.resx for a resource with the key Autos.title.
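A Web.sitemap that combines the roles attribute on the external node from the security section with the implicit and explicit localization expressions described here, as an added example and not either sample's own file; node titles, URLs, the external host and the resource class name are assumptions. The implicit keys resolve against Web.sitemap.resx (and Web.sitemap.fr.resx for French) in App_LocalResources.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!-- Added example (not the samples' own Web.sitemap). enableLocalization="true" turns on
     resource lookup for url/title/description and custom attributes. -->
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" enableLocalization="true">
  <!-- Explicit expression: each attribute names its resource class, key and default value
       itself, in the form $resources:ClassName,KeyName,DefaultValue (class name assumed) -->
  <siteMapNode url="Home.aspx"
               title="$resources:SiteMapLocalizations,HomeTitle,Home"
               description="$resources:SiteMapLocalizations,HomeDescription,Home page">
    <!-- Implicit expression: resourceKey="sectionone" makes the provider look up
         sectionone.title and sectionone.description in Web.sitemap.<culture>.resx;
         the literal title is the fallback when no resource is found.
         Visibility of these two nodes comes from the <location> URL authorization rules. -->
    <siteMapNode url="Sectionone.aspx" title="Section One" resourceKey="sectionone" />
    <siteMapNode url="Sectiontwo.aspx" title="Section Two" resourceKey="sectiontwo" />
    <!-- Off-site URL: file/URL authorization cannot be evaluated for it, so the roles
         attribute alone decides who sees the node; "*" shows it to every user -->
    <siteMapNode url="http://www.example.com/" title="External link"
                 roles="*" resourceKey="external" />
  </siteMapNode>
</siteMap>
```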