The securityTrimmingEnabled attribute of the SiteMap provider is a pretty
cool feature: it hides the links that are not approachable by a user in the
current role. Yes, I think "NOT APPROACHABLE" is the correct
phrase, because most people think about the security trimming feature in a different
way (THE WRONG WAY).
Check out the Web.config settings of the Site Map below:
<siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
  <providers>
    <add name="XmlSiteMapProvider" type="System.Web.XmlSiteMapProvider"
         siteMapFile="Web.siteMap" securityTrimmingEnabled="true"/>
  </providers>
</siteMap>
As you can see above, securityTrimmingEnabled is set to
true, which enables security trimming on the sitemap nodes.
Here is the Web.sitemap file:
<?xml version="1.0" encoding="utf-8"?>
<siteMap>
  <!-- sitemap attributes are case sensitive: the provider reads url, title,
       description and roles in lowercase -->
  <siteMapNode title="Root" description="Root" url="~/">
    <siteMapNode siteMapFile="~/SomeFolder/Header.sitemap"/>
    <siteMapNode siteMapFile="~/SomeFolder/Footer.sitemap"/>
  </siteMapNode>
</siteMap>
Now, take a look at the Footer.sitemap since that contains the roles
attribute.
<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="~/PostMenu.aspx" title="root">
    <siteMapNode url="~/UserPages/AddNewReply.aspx" title="Reply" />
    <siteMapNode url="~/Admin/ApprovePosts.aspx"
                 title="Delete" roles="Admin" />
  </siteMapNode>
</siteMap>
The line with roles="Admin" above indicates that the node "~/Admin/ApprovePosts.aspx"
should only be visible to Admin and not to all users. This also means that your
Admin folder should only be accessible to Admin and nobody else: trimming hides the
link, it does not protect the page. For that,
check out the web.config authorization section below:
<location path="Admin">
  <system.web>
    <authorization>
      <!-- rules are evaluated in order and the first match wins; the
           catch-all deny stops every other role and anonymous users from
           falling through to the site-wide default, which allows everyone -->
      <allow roles="Admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
So, basically, what securityTrimmingEnabled does is this: for each node it asks URL
authorization whether the current user may reach the node's path (a node's roles
attribute additionally shows it to the listed roles). If the path is approachable it
displays the node, otherwise it won't display it.
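To show how the two pieces interact, here is an added example (not code from the post or from ASP.NET) that re-implements the documented decision rules in plain Python: ordered allow/deny rules with first match winning and a site-wide default of allow, plus the sitemap roles attribute granting visibility. It evaluates the post's Footer.sitemap against the originally posted Admin rules and against a corrected rule set that ends with a catch-all deny; ADMIN_RULES_POSTED and ADMIN_RULES_FIXED are constructed inputs.

```python
import xml.etree.ElementTree as ET

# Constructed input: the post's Footer.sitemap, embedded so the example runs offline.
FOOTER_SITEMAP = """<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="~/PostMenu.aspx" title="root">
    <siteMapNode url="~/UserPages/AddNewReply.aspx" title="Reply" />
    <siteMapNode url="~/Admin/ApprovePosts.aspx" title="Delete" roles="Admin" />
  </siteMapNode>
</siteMap>"""

# The post's <location path="Admin"> rules as (action, attribute, value) triples,
# beside a corrected version that ends with a catch-all deny (constructed).
ADMIN_RULES_POSTED = [("allow", "roles", "Admin"), ("deny", "roles", "Developer"),
                      ("deny", "roles", "User")]
ADMIN_RULES_FIXED = [("allow", "roles", "Admin"), ("deny", "users", "*")]

def rule_matches(kind, value, roles, authenticated):
    if kind == "roles":
        return value in roles
    return value == "*" or (value == "?" and not authenticated)  # kind == "users"

def url_allowed(url, roles, authenticated, admin_rules):
    """URL authorization: rules are checked in order and the first match wins;
    a URL with no matching rule falls back to the site-wide default, allow all."""
    rules = admin_rules if url.startswith("~/Admin/") else []
    for action, kind, value in rules:
        if rule_matches(kind, value, roles, authenticated):
            return action == "allow"
    return True

def visible_titles(sitemap_xml, roles, authenticated, admin_rules):
    """Security trimming: a node is shown if the user is in one of its roles
    (the roles attribute grants visibility) or URL authorization allows its url."""
    ns = "{http://schemas.microsoft.com/AspNet/SiteMap-File-1.0}"
    shown = []
    for node in ET.fromstring(sitemap_xml).iter(ns + "siteMapNode"):
        node_roles = [r.strip() for r in node.get("roles", "").split(",") if r.strip()]
        granted = any(r == "*" or r in roles for r in node_roles)
        if granted or url_allowed(node.get("url", ""), roles, authenticated, admin_rules):
            shown.append(node.get("title"))
    return shown

if __name__ == "__main__":
    for who, roles, auth in [("Admin", {"Admin"}, True), ("User", {"User"}, True),
                             ("Editor", {"Editor"}, True), ("anonymous", set(), False)]:
        print(who, visible_titles(FOOTER_SITEMAP, roles, auth, ADMIN_RULES_POSTED),
              visible_titles(FOOTER_SITEMAP, roles, auth, ADMIN_RULES_FIXED))
```

With the posted rules an "Editor" or an anonymous visitor matches no rule, URL authorization allows the Admin page, and the "Delete" link is shown despite roles="Admin"; with the catch-all deny only Admin sees it.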