Sitemap is puzzling me a bit. I'm not getting security trimming happening, and I don't see docs on how it works with anonymous users.

 

I'm setting up a site for both anonymous and logged-in access.

I want the logged in users to see more menu items than anon users. I have not made a "users" role for all users since this seems like needless complexity - what would it mean then if a user is logged in but is not in the "users" role?

 

I've also got some admin functions that only users in the admin role can see. I've set up a Web.config and Web.sitemap that seem to be correct, but I can still see all the items even when not logged in.

The roles specification does not seem to be working, and I don't even see a way to specify that some items are barred from anon users.

 

The web.config is like this (cut down a bit):

 

<?xml version="1.0" encoding="utf-8" ?>

<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >

    <siteMapNode url="Default.aspx" title="Home"  description="The main page" roles="*">

        <siteMapNode url="~/Toys/apage.aspx" title="A page" />

        <siteMapNode url="~/Admin/Adminpage.aspx" title="An admin page" roles="Administrator" />

    </siteMapNode>

  </siteMap>

 

 

The web.config is like this:

 

            <system.web>

...

    <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">

      <providers>

        <add name="XmlSiteMapProvider"

          description="Default SiteMap provider."

          type="System.Web.XmlSiteMapProvider"

          siteMapFile="web.Sitemap"

          securityTrimmingEnabled="true" />

      </providers>

    </siteMap>

Give role=* to the pages which you want the unsigned user to access just specify roles=users,admin which you want to hide from anan user thats it.

cheers 

---

Dont forget to click "Mark as Answer" on the post that helped you. This credits that member, earns you a point and marks your thread as Resolved so we will all know you have been helped.
http://www.geekswithblogs.net/aghausman

Hi

 

I have tried putting roles="*" on all other sitemap nodes, and it makes no difference, I am still seeing all entries regardless of if I am logged in as Administrator, a regular user, or not logged in at all. 

Is "users" a special, built-in role? I have stated that I have not created a role for all users.

I have replicated this in a simple app, which is completely included. I'm sure that there's something that I'm not getting that is preventing it from working correctly.

The web.sitemap is as follows:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
    <siteMapNode url="Default.aspx" title="Home"  description="Home page" roles="*">
      <siteMapNode url="AnonPage.aspx" title="Anon"  description="Anon" roles="*" />
      <siteMapNode url="UserPage.aspx" title="User"  description="User" roles="Users" />
        <siteMapNode url="AdminPage.aspx" title="Admin"  description="Admin" roles="Admin" />
    </siteMapNode>
</siteMap>

so there is a home page, an anon page, a page for logged in users and one for admins.

The master page contains a menu to show the sitemap, as follows:

<%@ Master Language="C#" AutoEventWireup="true" CodeFile="MasterPage.master.cs" Inherits="MasterPage" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
            <asp:Menu ID="Menu1" runat="server" DataSourceID="SiteMapDataSource1">
            </asp:Menu>
        <br />
        <br />
            <asp:SiteMapDataSource ID="SiteMapDataSource1" runat="server" />
        <asp:contentplaceholder id="ContentPlaceHolder1" runat="server">
        </asp:contentplaceholder>
    </div>
    </form>
</body>
</html>

The actual pages are all just stubs, like this:

<%@ Page Language="C#" MasterPageFile="~/MasterPage.master" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" Title="Untitled Page" %>
<asp:Content ID="Content1" ContentPlaceHolderID="ContentPlaceHolder1" Runat="Server">
    Default page
</asp:Content>


The web.config is as follows, with securityTrimmingEnabled:


<?xml version="1.0"?>
<configuration>
    <appSettings/>
    <connectionStrings/>
    <system.web>
        <compilation debug="true"/>
      <authentication mode="Forms"/>
    <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
      <providers>
        <add name="XmlSiteMapProvider"
          description="Default SiteMap provider."
          type="System.Web.XmlSiteMapProvider"
          siteMapFile="web.Sitemap"
          securityTrimmingEnabled="true" />
      </providers>
    </siteMap>
  </system.web>
</configuration>


Now when I run it, the menu shows all four items. I expected the non-anon ones to be trimmed off, since I am not in any roles. In fact there are no roles, or a database. but no trimming happens. Why am I seeing admin pages in the menu when I am not logged in?

I've had some luck adding in authorisation into web.config:
i.e.
<configuration>
 ...
system.web>

    <authorization>
      <deny users="?" />
    </authorization>


and
<configuration>
...

  <location path="default.aspx">
    <system.web>
      <authorization>
        <allow users ="*" />
      </authorization>
    </system.web>
  </location>


  <location path="anonpage.aspx">
    <system.web>
      <authorization>
        <allow users ="*" />
      </authorization>
    </system.web>
  </location>


And menu trimming happens. However, this is ignoring the roles specified in the web.sitemap file, which is defeating the point.

Did you figure it out?

 I had the same thing, then realized the files were not being "seen" as they had been placed in a different directory...hence no trimming.

In other words the files must exist and must be correctly identified.

 I'm not using the web.sitemap file for this any more, I've got some code called from the master page that generates menu items based on logged in or not, and roles. Works great.