
SecurityTrimming in asp.net SiteMap


I am facing a strange issue in my site. I have a menu, which I am handling with asp:Menu and SiteMap. Now I want to restrict menu items based on roles, so I am using securityTrimmingEnabled="true" in web.config. My problem is that I have some menu items which need to be enabled for 2 types of users (Administrator and logged-in users). In the Web.sitemap file, I have created a siteMapNode which is used in the menu; here I have added the roles attribute to specify which types of users can access the menu. There is a Home menu which should be accessed by only these 2 users and no one else (i.e. non-anonymous). I cannot find a way to specify multiple roles in the roles attribute. I also tried specifying *, but that seems to work for non-anonymous users too, which is not my requirement. Here is a sample of my Web.sitemap file:

 <siteMapNode roles="*">
    <siteMapNode roles="Administrator" url="~/default.aspx" title="HOME" />
 </siteMapNode>

In the above case the Home menu is available to Administrator only. Now if I specify * to make it available to non-administrator but logged-in users, it works for non-logged-in users too.

 <siteMapNode roles="*">
    <siteMapNode roles="*" url="~/default.aspx" title="HOME" />
 </siteMapNode>

Is there any way I can make the above menu available to administrators and logged-in users only?
Below are my web.config settings:

 <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
   <providers>
     <clear/>
     <add name="XmlSiteMapProvider"
          description="Default SiteMap provider."
          type="System.Web.XmlSiteMapProvider"
          siteMapFile="Web.sitemap"
          securityTrimmingEnabled="true" />
   </providers>
 </siteMap>

Solution

  • Actually, there is a misconception about the usage of the roles attribute. In your case, instead of restricting to "administrator", it shows up for other roles as well. Menu items are restricted based on authorization settings, which are specified using <location> tags in the web.config file. Check out the article below for more info.

    http://stweet.wordpress.com/2010/06/13/designing-the-folder-structure-of-the-asp-net-web-application/
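
The approach described in the answer, as an added example that is not part of the original question or answer: the HOME node drops its roles attribute and a <location> rule denies anonymous users, so security trimming shows the item to every authenticated user, Administrator included. The admin page path (admin/users.aspx) and its menu title are hypothetical, included only to contrast a role-restricted item.

```xml
<!-- Web.sitemap (constructed sample).
     The root node has no url, so it keeps roles="*" to stay visible.
     The child nodes carry no roles attribute: with securityTrimmingEnabled="true"
     their visibility is decided by the URL authorization rules below.
     A roles attribute on a node only widens visibility, it never restricts it. -->
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode roles="*">
    <siteMapNode url="~/default.aspx" title="HOME" />
    <!-- hypothetical admin-only item -->
    <siteMapNode url="~/admin/users.aspx" title="USERS" />
  </siteMapNode>
</siteMap>

<!-- web.config fragments (constructed sample), placed directly inside <configuration>. -->

<!-- HOME: "?" means anonymous users. Denying them leaves all logged-in
     users, whatever their role, which is the requirement in the question. -->
<location path="default.aspx">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

<!-- Hypothetical admin page: rules are evaluated top to bottom, so the
     Administrator role is allowed first and everyone else is then denied. -->
<location path="admin/users.aspx">
  <system.web>
    <authorization>
      <allow roles="Administrator" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
```

The same <location> rules also reject direct requests to those URLs, so the page stays protected even when someone bypasses the menu.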