Sitemap Authorization

Topics: Web Client Software Factory
Aug 3, 2007 at 6:04 PM
Hello,

I'm having trouble getting my sitemap to trim entries that the user doesn't have authorization to view.

I'm using the System.Web.Security.ActiveDirectoryMembershipProvider to connect to an LDAP server (ADAM) to grant access to subdirectories. Logging in and file access work great. I can use LoginViews to show and hide different content based on Roles and Users from the membership provider. However, I cannot get the sitemap to trim links at all.

Here's the useful parts of my main web.config :
{" <connectionStrings>
<!-- Excerpt of the root web.config as posted: the LDAP connection string, the Enterprise Library
     authorization rules, the Shell module registration and the system.web settings.
     It is a set of fragments, not a complete <configuration> document. -->
<!-- LDAP target used by the membership provider below (an ADAM instance on localhost:50000). -->
<add name="ADConnectionString" connectionString="LDAP://localhost:50000/OU=Users,O=Client"
providerName="WebsiteAccessRuleProvider" />
</connectionStrings>
<securityConfiguration defaultAuthorizationInstance="WebsiteAccessRuleProvider" defaultSecurityCacheInstance="">
<authorizationProviders>
<add type="Microsoft.Practices.EnterpriseLibrary.Security.AuthorizationRuleProvider, Microsoft.Practices.EnterpriseLibrary.Security, Version=3.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
name="WebsiteAccessRuleProvider" >
<rules>
<!-- Named rules referenced elsewhere by name (e.g. Rule="AdminModuleAccess" in the sub-directory config).
     "R:SuperUsers" matches members of the SuperUsers role; "NOT I:?" matches any identity that is
     not anonymous, i.e. every authenticated user. -->
<add expression="R:SuperUsers" name="AdminModuleAccess"/>
<add expression="NOT I:? " name="LookupsModuleAccess" />
<add expression="NOT I:? " name="UserModuleAccess" />
</rules>
</add>
</authorizationProviders>
</securityConfiguration>
<compositeWeb>
<modules>
<module name="Company.Project.Clients.Website.Shell" assemblyName="Company.Project.Clients.Website.Shell" virtualPath="~/" />
</modules>
</compositeWeb>
<system.web>
<!-- Role manager is switched on but no role provider is declared in this excerpt.
     NOTE(review): confirm which store actually supplies roles such as SuperUsers. -->
<roleManager enabled="true" />
<!-- debug="true" is a development setting; it should be false on a deployed site. -->
<compilation debug="true">
<assemblies>
<!-- The assembly name was elided by the poster; as posted this <add> element is not closed,
     so the fragment is not well-formed XML. -->
<add assembly=".....">
</assemblies>
</compilation>
<authentication mode="Forms">
<!-- Forms ticket cookie ".ADAuthCookie" with a 60 minute timeout. No requireSSL attribute is set,
     so the cookie is not restricted to HTTPS (the attribute defaults to false). -->
<forms name=".ADAuthCookie" loginUrl="~/Login.aspx" timeout="60" />
</authentication>
<membership defaultProvider="ZmsAdMembershipProvider" userIsOnlineTimeWindow="15">
<providers>
<!-- Security review of the provider entry below:
     * connectionProtection="None" leaves the LDAP connection unprotected, so the service account
       bind and the user passwords being validated are readable on the wire. The target here is
       localhost, which limits exposure, but the setting carries over if the directory moves to
       another host. "Secure" is the protected value (for ADAM it presumably needs SSL enabled on
       the LDAP port; confirm for the deployment).
     * connectionUsername / connectionPassword are stored in clear text in web.config. The value
       shown is most likely a placeholder; keep real credentials out of posted configuration and
       protect the section on the server (e.g. protected configuration via aspnet_regiis -pe).
     * minRequiredPasswordLength="6" with minRequiredNonalphanumericCharacters="0" is a weak
       password policy. -->
<add name="ZmsAdMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" connectionProtection="None" connectionUsername="CN=ADAMAdmin,OU=Users,O=Client" connectionPassword="password" enableSearchMethods="true" enablePasswordReset="false" requiresQuestionAndAnswer="false" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" />
</providers>
</membership>
<!-- Detailed errors are shown to local requests only; HTTP 403 is redirected to a static page. -->
<customErrors mode="RemoteOnly">
<error statusCode="403" redirect="~/Errors/AccessDenied.htm" />
</customErrors>
<siteMap defaultProvider="DefaultSiteMapProvider" enabled="true">
<providers>
<!-- securityTrimmingEnabled="true" only hides links; it is not an access control by itself.
     Per the resolution later in this thread, nodes were trimmed only once they were added with
     an authorization rule name in the AddNode call. -->
<add name="DefaultSiteMapProvider" type="Microsoft.Practices.CompositeWeb.Providers.ModuleSiteMapProvider, Microsoft.Practices.CompositeWeb" securityTrimmingEnabled="true" />
</providers>
</siteMap>
<pages styleSheetTheme="Florida" />
<httpModules>
<!-- Composite Web authorization module and exception logging module registered for every request. -->
<add name="WebClientAuthorizationModule" type="Microsoft.Practices.CompositeWeb.Authorization.WebClientAuthorizationModule, Microsoft.Practices.CompositeWeb" />
<add name="ExceptionLoggerHttpModule" type="Microsoft.Practices.CompositeWeb.EnterpriseLibrary.ExceptionLogger, Microsoft.Practices.CompositeWeb.EnterpriseLibrary" />
</httpModules>
</system.web>"}

This is one of the web.configs in a sub-directory:

{"<configuration>
<!-- web.config of the ~/Admin sub-directory: registers the Admin module, maps its pages to the
     AdminModuleAccess rule and restricts the directory with ASP.NET URL authorization. -->
<configSections>
<section name="securityConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Security.Configuration.SecuritySettings, Microsoft.Practices.EnterpriseLibrary.Security, Version=3.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
<section name="dataConfiguration" type="Microsoft.Practices.EnterpriseLibrary.Data.Configuration.DatabaseSettings, Microsoft.Practices.EnterpriseLibrary.Data, Version=3.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
<sectionGroup name="compositeWeb">
<section name="modules" type="Microsoft.Practices.CompositeWeb.Configuration.ModulesConfigurationSection, Microsoft.Practices.CompositeWeb" />
<section name="authorization" type="Microsoft.Practices.CompositeWeb.Configuration.AuthorizationConfigurationSection, Microsoft.Practices.CompositeWeb" />
</sectionGroup>
</configSections>
<compositeWeb>
<modules>
<!-- Admin module served from ~/Admin; it declares a dependency on the Shell module. -->
<module name="Company.Project.Clients.Website.Admin" assemblyName="Company.Project.Clients.Website.Admin" virtualPath="~/Admin">
<dependencies>
<dependency module="Company.Project.Clients.Website.Shell" />
</dependencies>
</module>
</modules>
<!-- Per-URL mapping to the named rule AdminModuleAccess. Only these three pages are listed;
     any other page under ~/Admin is covered solely by the <system.web> authorization below. -->
<authorization>
<rule Url="~/Admin/Default.aspx" Rule="AdminModuleAccess" />
<rule Url="~/Admin/AddUser.aspx" Rule="AdminModuleAccess" />
<rule Url="~/Admin/UserRoles.aspx" Rule="AdminModuleAccess" />
</authorization>
</compositeWeb>
<system.web>
<!-- ASP.NET URL authorization for the whole directory: entries are evaluated in order and the
     first match wins, so SuperUsers are allowed and every other user is denied. This is the
     server-side enforcement layer; site map trimming only removes links from navigation. -->
<authorization>
<allow roles="SuperUsers" />
<deny users="*" />
</authorization>
</system.web>
</configuration>"}

I've found lots of info for doing each of the pieces individually, but when I stick them all together it doesn't seem to work.

Thanks,
Adam
Aug 3, 2007 at 8:30 PM
Hi Adam!

How are you adding the sitemapnodes?

Are you adding your node with the following addNode overload:

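// Specify the authorization rule: the second argument is the rule name tied to this site map node.
// Per this thread, the site map was not trimmed until the rule name was passed to AddNode.
// "AllowViewModule1" is an example name; presumably it has to match a rule defined under <rules>
// in the authorization provider configuration (confirm against your web.config).
siteMapBuilderService.AddNode(moduleNode, "AllowViewModule1");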

Maybe you can find these threads useful:

Hope it helps!

Sebastian Iacomuzzi
http://staff.southworks.net/blogs/siacomuzzi
Aug 6, 2007 at 1:35 PM
Thanks Sebastian,

I must have overlooked that step when I did it the first time. I added the authorization rule to the AddNode call and it worked perfectly.

Thanks again,
Adam