
I have a problem with role execution in my Sitemap. Let me explain it step by step. The logged-in user UserA has RoleXYZ. Inside myFolder I have two resources: file1 and file2. The relevant part of my web.config configuration:

<location path="myFolder">
  <system.web>
    <authorization>
      <allow roles="RoleXYZ, RoleABC" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

My Sitemap:

<siteMapNode title="$Resources:Web.sitemap, Home" url="~/Home.aspx">
  <siteMapNode title="Process" roles="RoleXYZ, RoleABC">
    <siteMapNode title="Add Customers" url="~/myFolder/file1.aspx" roles="RoleXYZ" />
    <siteMapNode title="Add Partners" url="~/myFolder/file2.aspx" roles="RoleABC" />
  </siteMapNode>
  <siteMapNode title="ContactUs" url="~/ContactUs.aspx" />
</siteMapNode>

Since UserA has only one role, RoleXYZ, normally he is not supposed to see the siteMapNode "Add Partners".

Any idea, where is the problem?


1 Answer


The "Roles" attribute can only be used to widen visibility to a certain siteMapNode, never to restrict it. The MSDN documentation is misleading about this at best.

Also, bear in mind your configuration would not be secure: Users of roles RoleXYZ and RoleABC would both be able to access both pages by, say, typing their address in the browser. You should restrict access to individual pages in your Web.config instead of trying to use the "roles" attribute.

  • How should I restrict access to individual pages in Web.config to prevent access by typing their address in the browser? – Muhammad Saad Jan 20 '14 at 06:00
  • @Saadkhatri, it depends on your users and roles. The web.config from Alex Bob above will deny access to all users (`<deny users="*" />`) except those with role XYZ or ABC (`<allow roles="RoleXYZ, RoleABC" />`). I hope this helps. Otherwise, can you be more specific? – Yogster Jan 20 '14 at 10:16
  • Please tell me where I should put the web.config file. Do I make a new folder with the same name as my Role, or what? – Muhammad Saad Jan 23 '14 at 06:45
  • The folder name is irrelevant. You put the web.config inside the folder where you want the rules to apply. The role names are specified in the line `<allow roles="RoleXYZ, RoleABC" />`. I suggest you read up about controlling authorisation with web.config. Just google it or check out: http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx – Yogster Jan 23 '14 at 15:32
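As an added example (not part of the question or of Yogster's answer), the following web.config fragment puts the per-page rules the answer recommends next to the folder rule from the question. It assumes the stock XmlSiteMapProvider with securityTrimmingEnabled="true", since without that setting the sitemap never hides any node regardless of what web.config says; the provider name and the Web.sitemap file name are assumptions. ASP.NET evaluates the authorization rules of the most specific `<location>` first and stops at the first matching rule, so the trailing deny in each page-level element means the folder-level allow is never reached for that page.

```xml
<configuration>
  <system.web>
    <!-- Security trimming makes the provider run URL authorization for each
         node's url before showing it. With it off, no node is ever hidden.
         Provider name and siteMapFile are assumed values. -->
    <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
      <providers>
        <clear />
        <add name="XmlSiteMapProvider"
             type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>
  </system.web>

  <!-- Folder-level rule from the question: either role may enter myFolder.
       On its own this is what lets RoleXYZ open file2.aspx by typing its URL. -->
  <location path="myFolder">
    <system.web>
      <authorization>
        <allow roles="RoleXYZ, RoleABC" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Page-level rules. These are evaluated before the folder rules and the
       deny ends evaluation, so RoleABC can no longer reach file1.aspx and
       RoleXYZ can no longer reach file2.aspx, whether through the menu or by
       typing the address. With trimming on, the matching siteMapNode is hidden
       for the denied role as well, as long as that node's own roles attribute
       does not list the role (the attribute only ever widens visibility). -->
  <location path="myFolder/file1.aspx">
    <system.web>
      <authorization>
        <allow roles="RoleXYZ" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="myFolder/file2.aspx">
    <system.web>
      <authorization>
        <allow roles="RoleABC" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A quick check after deploying this: log in as UserA and request ~/myFolder/file2.aspx directly; the response should be a redirect to the login page (or 401 for non-forms authentication) rather than the page. If the "Add Partners" node still appears in the menu, look at the node's roles attribute first, because a role listed there is shown the node even when URL authorization would deny it. Keeping the folder-level rule means any page added to myFolder later is reachable by both roles until it gets its own `<location>`; if that is not wanted, drop the folder-level allow and keep only the per-page rules.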