Posted 28 Aug 2009

Why securitytrimming is Not Necessary



I was investigating ASP.NET roles and wondered why and when an Asp:Menu displays items for certain roles. I thought it had something to do with securitytrimming, which applies to an XmlSiteMap, so I decided to investigate it a little more. It seemed that if I wanted to hide menu items for roles, I didn't need securityTrimming at all. So I wondered what the use of securityTrimming was, and I started a thread in the ASP.NET Forums (I'm 'ze Steef'). Some users responded that the purpose of securitytrimming is displaying menu items based on roles. Well, it isn't, but I still don't know what it's for...

Anyway, in this forum thread, I was asked to show how you can show/hide menu items solely based on authorization rules, so I decided to post it as an article on CodeProject.

The Questions to be Answered

Do I need securitytrimming to show menu items based on roles?

To answer this question, I want to focus on this alone and take away unnecessary plumbing like a database. The first step was creating my own membership and role providers, as these normally go to some datastore. My providers have the usernames hardcoded in them, which serves my purpose fine.

How It Works

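In my Web.Config, I have declared access rules:

<location path="Secured/users">
	<system.web><authorization>
		<!-- rules are evaluated top to bottom; the first matching rule wins -->
		<deny users="?"/>
		<deny roles="administrator"/>
		<allow roles="user"/>
	</authorization></system.web>
</location>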

These access rules say pages under folder 'Secured/users' are only accessible by users belonging to the role 'user'. Users belonging to the role 'administrator' are denied access.

<location path="Secured/Administrators">
	<system.web><authorization>
		<deny users="?"/>
		<deny roles="user"/>
		<allow roles="administrator"/>
	</authorization></system.web>
</location>

The second rule says pages under folder 'Secured/Administrators' are only accessible by users belonging to the role 'administrator'. Users belonging to the role 'user' are denied access. 

I have a Web.sitemap file with the following content:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="" >
    <siteMapNode url="xx" title="xx"  description="xx">
      <siteMapNode url="Default.aspx" title="Home" />
      <siteMapNode url="UnAuthorizedOnly.aspx" title="Anon only" />
      <siteMapNode url="Secured/Geautoriseerd.aspx" title="Authorized only"/>
      <siteMapNode url="Secured/users/WebForm1.aspx" title="Users only"/>
      <siteMapNode url="Secured/Administrators/WebForm1.aspx" title="Admins only"/>
      <siteMapNode url="Secured/Geautoriseerd.aspx?wannerWordtDitItemGetoond=true"
                   title="Authorized only 2"/>
      <siteMapNode title="Admins only"/>
    </siteMapNode>
</siteMap>

If I were using securitytrimming, there would be 'roles' nodes present in this file, but notice the absence of these.

I now have defined the following users:


If I now start my project 'zeWeb' and log in using the '' account (the password doesn't matter: any password is accepted, and a password is only required by the Asp:login control), a menu shows up with the item 'Users only' in it. The item 'Admins only' is not visible.

If I then log out and log in as user '', the item 'Users only' is not visible, but 'Admins only' is.

For all these users, only the menu items pointing to pages to which they have access, based on the access rules defined in the Web.Config, are displayed. I don't need securitytrimming at all!
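One way to make a menu follow the Web.Config access rules explicitly, without any 'roles' in the site map, is to ask ASP.NET's URL authorization for each node while the menu is data-bound. This is an added example, not code from the article's project; the class name `SiteMaster`, the menu ID `MainMenu` and the handler name are assumptions.

```csharp
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI.WebControls;

// Hypothetical master page hosting:
//   <asp:Menu ID="MainMenu" runat="server" DataSourceID="SiteMapDataSource1"
//             OnMenuItemDataBound="MainMenu_MenuItemDataBound" />
public partial class SiteMaster : System.Web.UI.MasterPage
{
    protected void MainMenu_MenuItemDataBound(object sender, MenuEventArgs e)
    {
        SiteMapNode node = e.Item.DataItem as SiteMapNode;
        if (node == null || string.IsNullOrEmpty(node.Url))
            return; // node without a page behind it: nothing to authorize

        if (IsAllowed(node.Url, HttpContext.Current.User))
            return; // the <authorization> rules let this user request the page

        // Drop the item from wherever it sits in the menu tree.
        if (e.Item.Parent != null)
            e.Item.Parent.ChildItems.Remove(e.Item);
        else
            ((Menu)sender).Items.Remove(e.Item);
    }

    // Evaluates the <authorization> rules that apply to the node's URL,
    // including <location> blocks such as Secured/users.
    private static bool IsAllowed(string url, IPrincipal user)
    {
        // The rules apply to the path, so strip any query string first
        // (the site map above contains a node with one).
        int q = url.IndexOf('?');
        string path = q >= 0 ? url.Substring(0, q) : url;
        if (string.IsNullOrEmpty(path))
            return true;

        // Links leaving the application are not covered by these rules.
        if (!VirtualPathUtility.IsAbsolute(path) && !VirtualPathUtility.IsAppRelative(path))
            return true;

        return UrlAuthorizationModule.CheckUrlAccessForPrincipal(path, user, "GET");
    }
}
```

Hiding an item only changes navigation; the `<authorization>` rules in Web.Config are what block a direct request for the page.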


You don't need any 'roles' in XmlSiteMap files at all as the article at MSDN suggests.


  • 28th August, 2009: Initial post


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Steef D.
Software Developer (Senior) Merkator
Netherlands
Busy with Intergraph G/Technology-GIS

Article Copyright 2009 by Steef D.