Click here to Skip to main content
Click here to Skip to main content

Why securitytrimming is Not Necessary

, 28 Aug 2009 CPOL
Rate this:
Please Sign up or sign in to vote.
Why securitytrimming is not necessary

Introduction

I was investigating ASP.NET roles and wondered why and when an Asp:Menu displays items for certain roles. I thought it had something to do with securitytrimming, which applies to an XmlSiteMap, so I decided to investigate it a little more. It seemed that if I wanted to hide menu-items for roles, I didn't need securityTrimming at all. So I wondered what the use of securityTrimming was and I started a thread in the ASP.NET Forums (I'm 'ze Steef') and some users responded that the purpose of securitytrimming is displaying menuitems based on roles. Well, it isn't, but I still don't know what it's for...

Anyway, in this forum-thread, I was asked to show how you can show/hide menu items solely based on authorisationrules, so I decided to post it as an article on CodeProject. 

The Questions to be Answered

Do I need securitytrimming to show menuitems based on roles ?  

To answer this question, I want to focus on this alone and try to take away unnecessary plumbing like a database. The first step in this was creating my own membership- and role provider as they normally go to some datastore. My providers hardcode usernames in it, which serves my purpose fine.

How It Works

In my Web.Config, I have declared access rules : 

<location path="Secured/users">
	<system.web>
		<authorization>
			<deny users="?"/>
			<deny roles="administrator"/>
			<allow roles="user"/>
		</authorization>
	</system.web>
</location>	

These access rules say pages under folder 'Secured/users' are only accessible by users belonging to the role 'user'. Users belonging to the role 'administrators' are denied access.  

<location path="Secured/Administrators">
      <system.web>
		<authorization>
			<deny users="?"/>
			<deny roles="user"/>
			<allow roles="administrator"/>
		</authorization>
	</system.web>
</location>

The second rule says pages under folder 'Secured/Administrators' are only accessible by users belonging to the role 'administrator'. Users belonging to the role 'user' are denied access. 

I have an Web.sitemap file with the following content :

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
    <siteMapNode url="xx" title="xx"  description="xx">
      <siteMapNode url="Default.aspx" title="Home" />
      <siteMapNode url="UnAuthorizedOnly.aspx" title="Anon only" />
      <siteMapNode url="Secured/Geautoriseerd.aspx" title="Authorized only"/>
      <siteMapNode url="Secured/users/WebForm1.aspx" title="Users only"/>
      <siteMapNode url="Secured/Administrators/WebForm1.aspx" title="Admins only"/>
      <siteMapNode url="Secured/Geautoriseerd.aspx?wannerWordtDitItemGetoond=true" 
		title="Authorized only 2"/>
      <siteMapNode 
	url="Secured/Administrators/WebForm1.aspx?wannerWordtDitItemGetoond=true" 
	title="Admins only"/>
    </siteMapNode>
</siteMap> 

If I was using securitytrimming, there would be 'roles' nodes present in this file, but notice the absence of these.

I now have defined the following users:

# Login Role
1 pietje@puk.com user
2 boss@puk.com administrator
3 arie@puk.com 

If I now start my project 'zeWeb' and login using the 'pietje@puk.com' account (the password doesn't matter, any password is accepted, a password is only required by the Asp:login control) a menu will show up with item 'Users only' in it. Also, item 'Admins only' is not visible.

If I then logout and login as user 'boss@puk.com', the item 'Users only' is not visible, but 'Admins only' is.

For all these users, only the menuitems pointing to pages where they have access to based on the access rules defined in the Web.Config are displayed, I don't need securitytrimming at all !

Conclusion

You don't need any 'roles' in XmlSiteMap files at all as the article at MSDN suggests.

History

  • 28th August, 2009: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Steef D.
Software Developer (Senior) Merkator
Netherlands Netherlands
Busy with Intergraph G/Technology-GIS
Follow on   Twitter

Comments and Discussions

 
GeneralThat's fine, but PinmemberJeremy Likness28-Aug-09 10:50 
If you have a site where you secure larger folders, i.e. "Security" and "Printing" etc, but then want to control access to specific pages, security trimming is useful.
 
Instead of going into the web.config everytime you add a new file, you simply trim it in the sitemap. Your example works because of the folder-level security, but doesn't take into account a finer-grained security to specific files within the folder.
 

GeneralRe: That's fine, but PinmemberSteef D.28-Aug-09 11:27 
GeneralMy vote of 2 PinmemberJeremy Likness28-Aug-09 10:49 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web01 | 2.8.141220.1 | Last Updated 28 Aug 2009
Article Copyright 2009 by Steef D.
Everything else Copyright © CodeProject, 1999-2014
Layout: fixed | fluid