Code Free Web Page Security with the SiteMapPath Control

This article will show you how to control Web page access within a Web application without writing a single line of code. You will use controls from the .NET Framework 2.0, the built-in SiteMapPath Provider and attribute settings in the Web.Config file. This example uses Microsoft Active Directory Groups to control the authorization. For information on using roles without Active Directory Groups, see “Understanding Role Management” in Microsoft Visual Studio 2005 Help.
SETUP
First you need to create a new Web site project and add a SiteMap file. The SiteMap file will provide a datasource to ASP.NET controls. This will allow you to easily modify the navigation links contained in your application without recompiling. You will be able to control the hierarchical order of the navigation links for your pages by adding <siteMapNode> elements to the SiteMap file. See “ASP.NET Site Navigation Overview” in Microsoft Visual Studio 2005 Help for more details.
·         Using Visual Studio 2005, create a new Web site.
·          Delete the Default.aspx page. 
·         Add a SiteMap file to the project. 
CREATE THE MASTER PAGE
Master pages provide a way to create a template for child pages. The Master page provides a content area to the child pages. The remainder of the page is locked to the child pages. We will add the navigation functionality to the Master page. Not only does this provide a consistent look and feel to all child pages, but it will allow us to make future changes to the navigation UI in one place. See “ASP.NET Master Pages” in Microsoft Visual Studio 2005 Help for more details.
·         Add a Master Page to the project.
·         Add the following controls to the Master Page setting the properties as indicated.
o   SiteMapDatasource
o   Menu control
o   Set the following Menu control properties. 
§ datasource to the SiteMapDataSource control that was just added
§ StaticDisplayLevels property to “3” (This will allow you to see the links to the Web pages without user interaction)
 
CREATE THE WEB PAGE(s)
Any number of child pages can now be created using the Master page.   Once the child page is created you will add controls to the content placeholder(s) on the page. The area controlled by the Master page will be shaded and “locked”.
·         Add a new Web Form to the project using the Master Page.
·         Add a node for the page to the Web.Sitemap file as follows:
<siteMapNode url="Page1.aspx" title="Page1" description="Page 1" />
 
·         Add a second page in the same way.
 
·         Select a page as the “Start Page” by right clicking on the page in the Solution Explorer and then click “Set as Start Page”
 
·         Build and test the application. You should see a menu link for each Page you have added. 
 
 Image 1
 
ADD THE SECURITY
The web.config file contains sections that allow you to control authorization. You can control authorization on individual pages within the application with the use of the <location> node. The <authorization> element is then used to “allow” or “deny” access to the page. This authorization can be given at a user or group level. The authorizations are read in a sequential order, that is, once a “rule” is found for the current user, that authorization is granted or denied and the parsing stops. The last authorization given should always be a “deny” to all remaining users.
·         In the <configuration> section of the web.config file add a <location> element for each page. 
·         Include roles or users that are authorized to visit the page. Multiple groups or users may be listed by separating the values with commas.
·         Add a final deny to deny access to all other users. 
      <location path="Page1.aspx">
            <system.web>
                  <authorization>
                        <allow roles="My-AD-Group1, My-AD-Group2"/>
                        <deny users="*"/>
                  </authorization>
            </system.web>
      </location>
      <location path="Page2.aspx">
            <system.web>
                  <authorization>
                        <allow roles="Some-Other-Group1, Some-Other-Group2"/>
                        <deny users="*"/>
                  </authorization>
            </system.web>
      </location>
 
·         Run the application again. Page 1 should be displayed. In the sample code shown above, the current user belongs to the group “My-AD-Group1”. This user has been given authorization to Page1 but has not been given authorization to Page2. The current user will be denied access to Page2 by the “deny users” rule. If you click on the link in the menu for Page 2, you will receive an “Access is denied.” error.
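An added check, not part of the original article: the Python sketch below evaluates <location> rules in first-match order and lists pages in Web.sitemap whose rules do not end with a deny for all users. The sample files are constructed, Page3.aspx and the function names are hypothetical, and the matching is simplified (case-insensitive names, no "?" or verbs handling).

```python
import xml.etree.ElementTree as ET
# Constructed samples modelled on the article; Page3.aspx is a hypothetical page.
WEB_SITEMAP = """<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode title="Home">
    <siteMapNode url="Page1.aspx" title="Page1" />
    <siteMapNode url="Page2.aspx" title="Page2" />
    <siteMapNode url="Page3.aspx" title="Page3" />
  </siteMapNode></siteMap>"""
WEB_CONFIG = """<configuration>
  <location path="Page1.aspx"><system.web><authorization>
    <allow roles="My-AD-Group1, My-AD-Group2" /><deny users="*" />
  </authorization></system.web></location>
  <location path="Page2.aspx"><system.web><authorization>
    <allow roles="Some-Other-Group1, Some-Other-Group2" />
  </authorization></system.web></location></configuration>"""

def _names(value):
    return {s.strip().lower() for s in (value or "").split(",") if s.strip()}

def load_rules(config_xml):
    """Map each <location path> to its ordered (action, users, roles) rules."""
    rules = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        rules[loc.get("path", "").lower()] = [
            (r.tag, _names(r.get("users")), _names(r.get("roles")))
            for auth in loc.iter("authorization") for r in auth]
    return rules

def is_allowed(page_rules, user, roles):
    """First matching rule decides; no match falls to the inherited allow-all."""
    mine = _names(",".join(roles))
    for action, users, rule_roles in page_rules:
        if "*" in users or user.lower() in users or mine & rule_roles:
            return action == "allow"
    return True  # root web.config default: <allow users="*"/>

def audit(sitemap_xml, config_xml):
    """List sitemap pages whose rules do not end with <deny users="*"/>."""
    rules, findings = load_rules(config_xml), []
    for node in ET.fromstring(sitemap_xml).iter():
        url = node.get("url")
        if not url or not node.tag.endswith("siteMapNode"):
            continue
        page = rules.get(url.lower().lstrip("~/"))
        if not page:
            findings.append((url, "no authorization rules"))
        elif page[-1][0] != "deny" or "*" not in page[-1][1]:
            findings.append((url, "no final deny for all users"))
    return findings
```

In the constructed config, Page2.aspx has an allow rule but no final deny, so a member of My-AD-Group1 falls through to the inherited allow-all and can open it.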
 
 Image 2
ADDING USER FRIENDLY SECURITY
Although you now have an application that successfully controls authorization at the page level it is not very user friendly. It is a better user experience to only allow users to perform functionality for which they are authorized. It is an even better experience if you provide a UI that only shows the user functionality for which they are authorized. 
 
The Menu and SiteMapDataSource controls added previously work by using the underlying ASP.NET default site-map provider. The default settings have been used to this point in the application. The “securityTrimmingEnabled” attribute is set to “false” by default. Enabling “securityTrimmingEnabled” will hide any link for which the current user does not have authorization. Trimming only changes what the menu displays; the <location> rules added in the previous section are still what denies a direct request for the page. Settings in the web.config file are used to enable this functionality.
 
·         Add a <siteMap> element to the <system.web> section of the web.config file.
·         Remove the default AspNetXmlSiteMapProvider.
·         Add a new AspNetXmlSiteMapProvider setting values as follows.
o    securityTrimmingEnabled = “true”
 
<siteMap defaultProvider="AspNetXmlSiteMapProvider" enabled="true">
  <providers>
    <remove name="AspNetXmlSiteMapProvider"/>
    <add name="AspNetXmlSiteMapProvider" description="SiteMap provider which reads in .sitemap XML files." type="System.Web.XmlSiteMapProvider" securityTrimmingEnabled="true" siteMapFile="Web.sitemap"/>
  </providers>
</siteMap>
·         Run the application again. This time the menu control will only show links for the pages for which you are authorized. In this example, “Page 1”.
 Image 3
ADDING SUCCESSIVE PAGES
Adding successive pages is quite easy.   After adding the page, there are two steps (no code) to add the page to the navigation menu and provide the required security. 
·         Create the Web page.
·         Add a node to the web.sitemap file.
·         Add a <location> element to the web.config file.
One other item that might be helpful during development is to perform all of the steps listed above, but only add the developer AD groups to the <authorization> element. With this, the pages are added to the project, but not seen by anyone in the production application until ready.
EXTENDING THE APPLICATION
One way to extend the application and provide security for a group of Web pages is to add a Wizard control to the Web Page. By doing this, you are creating the look of a Web site within a Web site. For example, there are three distinct business areas in a finance department: accounts payable, accounts receivable and purchasing. There are 5 separate Web pages per department. You can use the Wizard control to create one Web page per area, and then create each of the 5 pages as a Wizard Step. The Wizard steps become the navigation and pages for the “inner Web application”. It would look something like this.
  
Image 4
SUMMARY
This technique takes advantage of the SiteMapPath control, the SiteMapPath provider and authorization in the web.config file to provide role based security to specific pages within a Web application without writing any code. In addition, it provides extensibility and maintainability in that additional pages can be added quickly and security changes can be made with no recompilation of the application.
posted @ Tuesday, November 06, 2007 8:08 AM

Comments on this entry:

# re: Code Free Web Page Security with the SiteMapPath Control

Left by Tamtam31 at 7/29/2008 8:31 PM
I have only one question:

Where do these lines below come from:

My-AD-Group1, My-AD-Group2

Some-Other-Group1, Some-Other-Group2

Please email me. Thank you

# re: Code Free Web Page Security with the SiteMapPath Control

Left by Robin at 7/30/2008 8:10 AM
My-AD-Group1, My-AD-Group2

Some-Other-Group1, Some-Other-Group2

These are all Windows AD groups. These groups were already set up (with users as members) before I used them. I just asked "Which AD groups have permission for this page?"

# re: Code Free Web Page Security with the SiteMapPath Control

Left by gina at 2/10/2012 4:02 PM
I practice this direction, I do master page.
When I run program, it has no error but it come it directory of project not come up the master page. Please show me how to do.
Gina
