- Hiding unauthorized pages.
- Including database-driven content in site map data.
The solution to the first problem requires a brief review of ASP.NET 2.0 authorization and page level security, while solving the second problem involves extending the Site Map Provider model and caching dynamic content using ASP.NET 2.0's new SqlCacheDependency class.
#8: Hiding Unauthorized Pages
In ASP.NET 1.1, hiding unauthorized pages involved setting the visibility of LinkButton controls or preventing/enabling the execution of sections of code manually, using a call to
User.IsInRole(). In contrast, ASP.NET 2.0 provides a configurable, extensible, no-code approach. Setting it up involves three steps:
- Configure the SiteMapProvider to use security trimmings.
- Configure the RoleProvider to retrieve roles.
- Configure page- or directory-level authorization rules.
I'll explain each step in the following sections.
Step 1: Enable security trimmings
Site-map files with more than 150 nodes can take substantially longer to perform security-trimming operations.
|
|
Enabling
security trimmings forces the .NET Framework to limit
siteMapNodes exposed by the SiteMapDataSource based on authorization information. Configure the SiteMapProvider to use security trimmings by adding a
securityTrimmingEnabled="true" attribute to the XmlSiteMapProvider in the application's
web.config file as shown below:
<siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
<providers>
<add name="XmlSiteMapProvider"
description="Default SiteMap provider"
type="System.Web.XmlSiteMapProvider"
siteMapFile="Web.sitemap"
securityTrimmingEnabled="true" />
</providers>
</siteMap>
It's worth noting Microsoft's warning that "Site-map files with more than 150 nodes can take substantially longer to perform security-trimming operations." Microsoft recommends using the
roles attribute (described at the end of this solution) to help mitigate this potential performance problem.
Print
Dzone.com
Digg.com
Slashdot.org
Reddit.com
Del.icio.us
