I have made an ASP.NET 4.5.2 web form application. Recently I implemented role-based form authentication and authorization by following this article.
In this article, the writer used a web.sitemap file. Here is the web.sitemap file I made by following the article:
<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
  <siteMapNode url="~/Home.aspx" title="Home" description="Home Page">
    <siteMapNode url="" title="Patients and Physician" description="Patient and Physician Details">
      <siteMapNode url="~/EnrollPatient.aspx" title="Enroll Patient" description="EnrollPatient page" />
      <siteMapNode url="~/EnterPatientDiagnosis.aspx" title="Enter Patient Diagnosis" description="Enter Patient Diagnosis Page" />
      <siteMapNode url="ViewPatientInformation.aspx" title="View Patient Information" description="View Patient Information Page" />
      <siteMapNode url="~/SearchPhysician.aspx" title="Search Physician" description="Search Physician Page" />
    </siteMapNode>
    <siteMapNode url="~/javascript:;" title="Admin" description="AdminPanel">
      <siteMapNode url="~/Admin/AddPhysician.aspx" title="Add Physician" description="Add Physician Page" />
      <siteMapNode url="~/Admin/AdminPanel.aspx" title="Admin Panel" description="User Moditification" />
    </siteMapNode>
    <siteMapNode url="~/" title="Login/Register" description="Login Or Register">
      <siteMapNode url="~/Login.aspx" title="Login" description="Login" />
      <siteMapNode url="~/Register.aspx" title="Register" description="Register" />
    </siteMapNode>
  </siteMapNode>
</siteMap>
And this is a part of my web.config file:
<system.web>
  <authentication mode="Forms">
    <forms defaultUrl="~/Home.aspx" loginUrl="~/login.aspx" slidingExpiration="true" timeout="2880"></forms>
  </authentication>
  <authorization>
    <deny users="?"/>
  </authorization>
  <siteMap enabled="true" defaultProvider="SiteMap">
    <providers>
      <add name="SiteMap" type="System.Web.XmlSiteMapProvider" siteMapFile="~/Web.sitemap" securityTrimmingEnabled="true" />
    </providers>
  </siteMap>
</system.web>
From what I have found on the internet, it is used to populate <asp:Menu> control items. However, I'm not using any <asp:Menu> control.
My first question is, does web.sitemap have any influence on the authorization? With some changes in the <provider> section, can I not use the web.sitemap file?
My second question is, what is ~/javascript:; doing in the third parent SiteMapNode?
No, the sitemap does not have an effect on the authorization. In a sitemap, you can add security-trimming to your menu by adding the roles.
You can restrict access to your website (or parts of it) by including the <authorization> element in a web.config file. This link provides a good overview. The following snippet grants only administrators access to the folder:
<authorization>
  <allow roles="Administrators" />
  <deny users="*"/>
</authorization>
So in order to protect your website, use the <authorization> element. If you do not need the sitemap, you can remove it by deleting this section from your web.config:
<siteMap enabled="true" defaultProvider="SiteMap">
  <providers>
    <add name="SiteMap" type="System.Web.XmlSiteMapProvider" siteMapFile="~/Web.sitemap" securityTrimmingEnabled="true" />
  </providers>
</siteMap>
In addition, you can also remove your sitemap files. For details on Sitemaps in ASP.NET, see this link.
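Added example, not part of the original answer: a root Web.config that scopes the answer's <authorization> rules to individual paths with <location> elements and contains no <siteMap> section at all. The Administrators role name is taken from the snippet above; opening Register.aspx to anonymous users is an assumption about the intended behaviour.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: root Web.config for the site layout shown in the question. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms defaultUrl="~/Home.aspx" loginUrl="~/login.aspx"
             slidingExpiration="true" timeout="2880" />
    </authentication>

    <!-- Site-wide default from the question: anonymous users ("?") are denied. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- No <siteMap> section here. Access control is unchanged without it,
         because URL authorization is driven only by <authorization> rules. -->
  </system.web>

  <!-- Everything under ~/Admin (AddPhysician.aspx, AdminPanel.aspx) is limited
       to one role. Rules are read top to bottom and the first match wins,
       so the allow must come before the catch-all deny. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Assumption: registration should be reachable before login. The loginUrl
       page is exempt from the anonymous deny automatically; other pages are not. -->
  <location path="Register.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```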