
Why Security Trimming Is Not Necessary

28 Aug 2009, CPOL, 2 min read

Introduction

I was investigating ASP.NET roles and wondered why and when an Asp:Menu displays items for certain roles. I thought it had something to do with security trimming, which applies to an XmlSiteMap, so I decided to investigate it a little more. It seemed that if I wanted to hide menu items for roles, I didn't need security trimming at all. So I wondered what the use of security trimming was and started a thread in the ASP.NET Forums (I'm 'ze Steef'); some users responded that the purpose of security trimming is displaying menu items based on roles. Well, it isn't, but I still don't know what it's for...

Anyway, in this forum thread I was asked to show how you can show or hide menu items solely based on authorisation rules, so I decided to post it as an article on CodeProject.

The Questions to be Answered

Do I need security trimming to show menu items based on roles?

To answer this question, I want to focus on this alone and take away unnecessary plumbing like a database. The first step was creating my own membership and role providers, as the standard ones normally go to some datastore. My providers hardcode the usernames, which serves my purpose fine.

How It Works

In my Web.config, I have declared these access rules:

XML
<location path="Secured/users">
  <system.web>
    <authorization>
      <deny users="?"/>
      <deny roles="administrator"/>
      <allow roles="user"/>
    </authorization>
  </system.web>
</location>

These access rules say that pages under the folder 'Secured/users' are only accessible to users belonging to the role 'user'; users belonging to the role 'administrator' are denied access.

XML
<location path="Secured/Administrators">
  <system.web>
    <authorization>
      <deny users="?"/>
      <deny roles="user"/>
      <allow roles="administrator"/>
    </authorization>
  </system.web>
</location>

The second rule says that pages under the folder 'Secured/Administrators' are only accessible to users belonging to the role 'administrator'; users belonging to the role 'user' are denied access.

I have a Web.sitemap file with the following content:

XML
<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
  <siteMapNode url="xx" title="xx" description="xx">
    <siteMapNode url="Default.aspx" title="Home" />
    <siteMapNode url="UnAuthorizedOnly.aspx" title="Anon only" />
    <siteMapNode url="Secured/Geautoriseerd.aspx" title="Authorized only" />
    <siteMapNode url="Secured/users/WebForm1.aspx" title="Users only" />
    <siteMapNode url="Secured/Administrators/WebForm1.aspx" title="Admins only" />
    <siteMapNode url="Secured/Geautoriseerd.aspx?wannerWordtDitItemGetoond=true" title="Authorized only 2" />
    <siteMapNode url="Secured/Administrators/WebForm1.aspx?wannerWordtDitItemGetoond=true" title="Admins only" />
  </siteMapNode>
</siteMap>

If I were using security trimming, there would be 'roles' attributes on the nodes in this file; notice that they are absent.

I now have defined the following users:

#   Login            Role
1   pietje@puk.com   user
2   boss@puk.com     administrator
3   arie@puk.com     (none)

If I now start my project 'zeWeb' and log in with the 'pietje@puk.com' account (the password doesn't matter: any password is accepted, and a password is only required by the Asp:Login control), a menu shows up with the item 'Users only' in it, while the item 'Admins only' is not visible.

If I then log out and log in as 'boss@puk.com', the item 'Users only' is not visible, but 'Admins only' is.

For all these users, only the menu items pointing to pages they have access to, based on the access rules defined in the Web.config, are displayed. I don't need security trimming at all!
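The rule evaluation the menu relies on, as an added example that is not the article's project code: a small Python model of ASP.NET URL authorization (first matching rule wins; a request matched by no rule falls through to the framework's root web.config, which allows everyone) run over the two <location> sections and a subset of the Web.sitemap above, with the users and roles taken from the table. The model ignores the sitemap nodes whose rules the article does not show.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed from the article's two <location> sections and part of its Web.sitemap.
WEB_CONFIG = """<configuration>
  <location path="Secured/users"><system.web><authorization>
    <deny users="?"/><deny roles="administrator"/><allow roles="user"/></authorization></system.web></location>
  <location path="Secured/Administrators"><system.web><authorization>
    <deny users="?"/><deny roles="user"/><allow roles="administrator"/></authorization></system.web></location>
</configuration>"""
SITEMAP = """<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0"><siteMapNode url="xx" title="xx">
  <siteMapNode url="Default.aspx" title="Home"/>
  <siteMapNode url="Secured/users/WebForm1.aspx" title="Users only"/>
  <siteMapNode url="Secured/Administrators/WebForm1.aspx" title="Admins only"/>
  <siteMapNode url="Secured/Administrators/WebForm1.aspx?wannerWordtDitItemGetoond=true" title="Admins only"/>
</siteMapNode></siteMap>"""
# The article's users: a login of None means anonymous, an empty set an authenticated user without a role.
USERS = {"pietje@puk.com": {"user"}, "boss@puk.com": {"administrator"}, "arie@puk.com": set()}

def parse_rules(config_xml):
    """Return [(folder, [(verb, attribute, values), ...])] in document order."""
    rules = []
    for loc in ET.fromstring(config_xml).findall("location"):
        entries = []
        for rule in loc.iter():
            if rule.tag in ("allow", "deny"):
                attr = "users" if rule.get("users") is not None else "roles"
                values = {v.strip().lower() for v in rule.get(attr).split(",")}
                entries.append((rule.tag, attr, values))
        rules.append((loc.get("path").lower(), entries))
    return rules

RULES = parse_rules(WEB_CONFIG)

def rule_matches(attr, values, login, roles):
    if attr == "roles":
        return bool(values & roles)
    return "*" in values or ("?" in values and login is None) or (login or "").lower() in values

def is_allowed(url, login):
    """First matching rule wins; with no match the root web.config's allow-all applies."""
    path = urlsplit(url).path.lower()  # the query string plays no part in URL authorization
    roles = USERS.get(login, set()) if login else set()
    for folder, entries in RULES:
        if path == folder or path.startswith(folder + "/"):
            for verb, attr, values in entries:
                if rule_matches(attr, values, login, roles):
                    return verb == "allow"
    return True

def visible_items(login):
    """Titles an Asp:Menu bound to this sitemap shows once inaccessible nodes are dropped."""
    top = ET.fromstring(SITEMAP)[0]
    return [n.get("title") for n in top.iter() if n is not top and is_allowed(n.get("url"), login)]
```

Note that arie@puk.com is authenticated but has no role, so none of the listed rules match and the request falls through to the default allow, which would also show that user both folders' items. A trailing <deny users="*"/> in each <location> section closes that gap.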

Conclusion

You don't need any 'roles' attributes in XmlSiteMap files at all, as the MSDN article suggests you do.

History

  • 28th August, 2009: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Written By

Software Developer (Senior), Merkator, Netherlands. Busy with Intergraph G/Technology-GIS.

Comments and Discussions

That's fine, but
Jeremy Likness, 28-Aug-09 9:50

If you have a site where you secure larger folders, i.e. "Security" and "Printing" etc., but then want to control access to specific pages, security trimming is useful.

Instead of going into the web.config every time you add a new file, you simply trim it in the sitemap. Your example works because of the folder-level security, but doesn't take into account a finer-grained security to specific files within the folder.

Re: That's fine, but
Steef D., 28-Aug-09 10:27

My vote of 2
Jeremy Likness, 28-Aug-09 9:49