asp.netsitemapsecurity-trimming

How to affect single child nodes when Security Trimming a SiteMap?

I have a ASP.Net site, in which I'm trying to use Windows Authentication and Active Directory roles to limit access to some pages. I've looked at a tutorial page from Scott Gu, but I can't quite achieve what I want.

I'm ignoring the root node in my SiteMapDataSource. I want to show the "Documents" node to all users, but limit the display of the "Search" and "Upload" roles to 2 different roles. I am in the "DOMAIN\validrole" but not in the "DOMAIN\madeuprole". With the sitemap and web.config below, I am getting all the nodes displayed. If I remove the roles="*" from the "Documents" node (as suggested by Scott Gu), I get no nodes displayed.

Is there a way I can limit the display of individual child nodes without having to write custom code?

This is my sitemap:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
    <siteMapNode url="~/Default.aspx" 
                 title="Home">
        <siteMapNode title="Documents" roles="*">
            <siteMapNode url="~/Documents/Search.aspx" 
                         title="Search Documents" 
                         roles="DOMAIN\validrole" />
            <siteMapNode url="~/Documents/Upload.aspx" 
                         title="Upload Documents" 
                         roles="DOMAIN\madeuprole" />
            <siteMapNode url="~/Documents/Publish.aspx" 
                         title="Publish Documents" />
        </siteMapNode>
        <siteMapNode title="Users" roles="*">
            <siteMapNode url="~/Users/Search.aspx" 
                         title="Search Users" 
                         roles="DOMAIN\validrole" />
        </siteMapNode>
    </siteMapNode>
</siteMap>

And this is the relevant section of my web.config:

<authentication mode="Windows"/>
<authorization>
    <allow roles="DOMAIN\validrole"/>
    <deny users="*"/>
</authorization>

<siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
    <providers>
        <add name="XmlSiteMapProvider"
             description="Default SiteMap provider."
             type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
    </providers>
</siteMap>
Solution

  • Sorted - you need to set up authorization to the page in the Web.config file like this:

    <location path="Documents/Upload.aspx">
    <system.web>
        <authorization>
            <allow roles="DOMAIN\madeuprole"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

    I had tried this with the path "~/Documents/Upload.aspx", but that didn't work - it needs to be a path relative to the config file.

    Also, I had to put a URL in my sitemap nodes, like this:

    <siteMapNode title="Documents" roles="*" url="Made-Up.aspx">

    This stopped everything disappearing, although I have no idea why. I'm not displaying the URL so any made-up one does the trick.