Here is what we are trying to achieve in this article.
- Provide site-wide security without writing a single line of code
- Show navigation menus to the user which automatically hide the options the user doesn't have access to (also called security trimming)
- Use declarative syntax in web.config to tighten security so that even if a user knows the URL of a page, they cannot get to it unless they have been explicitly granted access to it
I have this hierarchy of folders and pages:
Default.aspx
UserManagement
|-- Default.aspx
|-- ChangePass.aspx
|-- AdminPage.aspx (Only admins should have access to this page, and the menu control shouldn't show this option to anyone else)
I am using an asp:Menu control and I want all logged-in users to see every menu option except the AdminPage link, while administrators see every single menu option.
Here is a snapshot of the relevant tags from my web.config file
---------------------------------------------------------------
<connectionStrings>
  <!-- In this case my roles are stored in an XML file; your roles can reside in SQL Server, AD or ADAM instead, it doesn't matter -->
  <add name="AzManPolicyStore" connectionString="msxml://C:/Azman.xml" />
</connectionStrings>
<!-- Here is how we enable the role manager. With this provider the built-in ASP.NET Web Site Administration Tool reads and writes roles and their membership in the store named above, i.e. Azman.xml. The Version in the type name is 2.0.0.0 for .NET 2.0/3.5 (4.0.0.0 on .NET 4) -->
<roleManager enabled="true" defaultProvider="RoleManagerProvider">
  <providers>
    <add name="RoleManagerProvider" connectionStringName="AzManPolicyStore"
         type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</roleManager>
<!-- To make security trimming and declarative security work we follow the pessimistic approach: everyone is denied access to the website, and then users and/or roles are selectively permitted access to folders/files. ASP.NET evaluates these rules top to bottom and stops at the first match, so the allow rule must physically come before the deny-all rule or nobody gets in -->
<authorization>
  <allow roles="Administrators, Managers, Users" />
  <deny users="*" />
</authorization>
<!-- Deny access to everyone except Administrators on the admin-only page -->
<location path="UserManagement/AdminPage.aspx">
  <system.web><authorization><allow roles="Administrators" /><deny users="*" /></authorization></system.web>
</location>
Here is the excerpt from my Default.aspx page, which has the menu control
-------------------------------------------------------------------------
<asp:Menu ID="Menu1" runat="server" DataSourceID="SiteMapDataSource1" />
<%-- Note that I am explicitly setting the SiteMapProvider="" attribute. If you leave it out, the data source falls back to the default site map provider, which in the machine-level configuration is AspNetXmlSiteMapProvider with securityTrimmingEnabled="false", so the menu shows every node to everyone. Naming the provider that is registered in web.config with securityTrimmingEnabled="true" is what made security trimming work for me. If you don't do this (or make that provider the defaultProvider of the <siteMap> section), security trimming in menus will not work! --%>
<asp:SiteMapDataSource ID="SiteMapDataSource1" runat="server" SiteMapProvider="XmlSiteMapProvider" />
Here is my Web.sitemap file
---------------------------
<?xml version="1.0" encoding="utf-8" ?>
<!-- No roles attribute on the nodes: with security trimming on, a node is shown only if URL authorization would let the current user reach its url, so the web.config rules drive both the menu and the real access check. A roles attribute on a siteMapNode only ever widens visibility, it never restricts it -->
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="~/Default.aspx" title="Home" description="">
    <siteMapNode url="~/UserManagement/Default.aspx" title="Manage security settings" description="" />
    <siteMapNode url="~/UserManagement/ChangePass.aspx" title="Change your password" description="" />
    <siteMapNode url="~/UserManagement/AdminPage.aspx" title="Admin Only Functions" description="" />
  </siteMapNode>
</siteMap>
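Putting the three excerpts together, here is a complete web.config as an added example; it is not from the original post. It registers the site map provider that the SiteMapDataSource above refers to, with securityTrimmingEnabled="true", which is the setting the menu trimming actually depends on, and it shows the authorization rules in the order ASP.NET needs them, with comments on the two ways the rules silently go wrong. The Forms authentication section and its ~/Login.aspx page are assumptions, since the post does not say which authentication mode is in use; the AzMan connection string, role names, provider names and paths are the ones from the excerpts.

```xml
<?xml version="1.0"?>
<!-- Added example, not the original post's file. Assumed: Forms authentication and a
     ~/Login.aspx page; everything else is taken from the excerpts in the post. -->
<configuration>
  <connectionStrings>
    <!-- AzMan policy store; msxml:// is the XML-file store, an absolute path outside the web root -->
    <add name="AzManPolicyStore" connectionString="msxml://C:/Azman.xml" />
  </connectionStrings>

  <system.web>
    <!-- Assumption: role checks need an authenticated principal, Forms auth supplies one.
         The loginUrl page is exempt from URL authorization automatically. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>

    <roleManager enabled="true" defaultProvider="RoleManagerProvider">
      <providers>
        <add name="RoleManagerProvider"
             connectionStringName="AzManPolicyStore"
             type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>

    <!-- Security trimming is opt-in per site map provider. The provider registered in the
         machine-level config (AspNetXmlSiteMapProvider) has it off, which is why a menu bound
         to the default provider shows every node. Registering our own provider with it on and
         making it the default means the SiteMapProvider attribute on the data source is now
         belt and braces rather than the only thing holding trimming together. -->
    <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
      <providers>
        <add name="XmlSiteMapProvider"
             type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>

    <!-- Rules are evaluated top to bottom and the FIRST match wins. Writing the deny line
         first, as a literal reading of "deny everyone, then permit" suggests, locks out every
         user including Administrators. "Deny first" is the mindset; the allow must be above. -->
    <authorization>
      <allow roles="Administrators, Managers, Users" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Rules in a <location> are merged in front of the parent rules above, so the deny here is
       what keeps Managers and Users out. An <allow roles="Administrators"/> on its own would
       fall through to the parent <allow> and let every logged-in user open the admin page. -->
  <location path="UserManagement/AdminPage.aspx">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place, a logged-in Manager who types /UserManagement/AdminPage.aspx into the address bar gets a 401 from UrlAuthorizationModule, and under Forms authentication that 401 is turned into a redirect back to the login page with a ReturnUrl; seeing an already-authenticated user land on the login page is the expected symptom of a working deny rule, not a bug. Keep Azman.xml outside the web root, as the C:\ path does, and give the worker process identity write access to it only if you administer roles through the Web Site Administration Tool on that server.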
That's it. Just by following these simple steps you get role-based URL authorization enforced by ASP.NET on every request it handles, plus menus that only show what the user can actually reach, and you don't have to write a single line of code. Two things to keep in mind: the menu trimming is a convenience for the user, the web.config rules are the actual control, so never rely on a hidden link alone; and URL authorization only covers requests that go through the ASP.NET pipeline, so on IIS 6 (or the classic pipeline on IIS 7) static files such as .html or .pdf inside a protected folder are not covered unless they are mapped to ASP.NET.