Focus on Microsoft Technologies - Tutorials, Articles, Code Samples.

Saturday, September 02, 2006

Hiding Unauthorized Pages in ASP.NET

In ASP.NET 1.1, hiding unauthorized pages involved setting the visibility of LinkButton controls or preventing/enabling the execution of sections of code manually, using a call to User.IsInRole(). In contrast, ASP.NET 2.0 provides a configurable, extensible, no-code approach. Setting it up involves three steps:

  1. Configure the SiteMapProvider to use security trimming.
  2. Configure the RoleProvider to retrieve roles.
  3. Configure page- or directory-level authorization rules.

I'll explain each step in the following sections.

Step 1: Enable security trimming
Enabling security trimming forces the .NET Framework to limit the siteMapNodes exposed by the SiteMapDataSource based on authorization information. Configure the SiteMapProvider to use security trimming by adding a securityTrimmingEnabled="true" attribute to the XmlSiteMapProvider in the application's web.config file, as shown below:

<siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
  <providers>
    <add name="XmlSiteMapProvider"
         description="Default SiteMap provider"
         type="System.Web.XmlSiteMapProvider" siteMapFile="Web.sitemap"
         securityTrimmingEnabled="true" />
  </providers>
</siteMap>

It's worth noting Microsoft's warning that "Site-map files with more than 150 nodes can take substantially longer to perform security-trimming operations." Microsoft recommends using the roles attribute (described at the end of this solution) to help mitigate this potential performance problem.
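
As an added example (not code from the original post), the following Python script audits a web.config for siteMap providers that lack securityTrimmingEnabled="true" and checks a site-map file against the 150-node threshold from Microsoft's warning. The embedded configuration, the LegacyProvider entry and the page URLs are constructed sample data.

```python
import xml.etree.ElementTree as ET

SITEMAP_NS = "{http://schemas.microsoft.com/AspNet/SiteMap-File-1.0}"
NODE_LIMIT = 150  # threshold from Microsoft's warning quoted above

# Constructed sample inputs (not from the original page).
WEB_CONFIG = """<configuration><system.web>
  <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
    <providers>
      <add name="XmlSiteMapProvider" type="System.Web.XmlSiteMapProvider"
           siteMapFile="Web.sitemap" securityTrimmingEnabled="true" />
      <add name="LegacyProvider" type="System.Web.XmlSiteMapProvider"
           siteMapFile="Legacy.sitemap" />
    </providers>
  </siteMap>
</system.web></configuration>"""

WEB_SITEMAP = """<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="~/Default.aspx" title="Home" roles="*">
    <siteMapNode url="~/Admin/Users.aspx" title="Users" />
    <siteMapNode url="~/Reports/Sales.aspx" title="Sales" roles="Managers" />
  </siteMapNode>
</siteMap>"""


def untrimmed_providers(web_config_xml):
    """Return names of siteMap providers that do not enable security trimming."""
    root = ET.fromstring(web_config_xml)
    return [p.get("name")
            for p in root.findall("system.web/siteMap/providers/add")
            if p.get("securityTrimmingEnabled") != "true"]


def sitemap_stats(sitemap_xml, limit=NODE_LIMIT):
    """Count nodes and list the URLs of nodes that carry no roles attribute."""
    nodes = list(ET.fromstring(sitemap_xml).iter(SITEMAP_NS + "siteMapNode"))
    no_roles = [n.get("url") for n in nodes if not n.get("roles")]
    return {"nodes": len(nodes), "over_limit": len(nodes) > limit,
            "without_roles": no_roles}


if __name__ == "__main__":
    print("providers without trimming:", untrimmed_providers(WEB_CONFIG))
    print("sitemap:", sitemap_stats(WEB_SITEMAP))
```

Trimming only filters what the navigation controls display; the authorization rules from step 3 are what deny a direct request for a hidden URL.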
