Security Trimming

One of my fellow developers (his name is manumpak) asked me:

How do I set privileges for pages and combine that with restricting/hiding the menu based on role?

In Indonesian: "How can pages be opened only according to role, e.g. Sales can only see the sales report and Marketing sees the marketing report, and the menu on the default page disappears (according to role)?"

Approach:

1. Code it on the master page

2. Code it on a base page

OR

You can use security trimming from ASP.NET 2.0.

 1. Enable it in web.config (the closing system.web tag is added here; the original fragment left it open)

 <system.web>
   <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
     <providers>
       <add name="XmlSiteMapProvider" description="Default SiteMap provider" type="System.Web.XmlSiteMapProvider" siteMapFile="Web.sitemap" securityTrimmingEnabled="true"/>
     </providers>
   </siteMap>
 </system.web>

 2. Make every siteMapNode in Web.sitemap carry a roles attribute

<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="Default.aspx" title="Home" description="Home" roles="SME,EWO,CSA,FACTORY,Commercial">
    <siteMapNode url="SalesSME.aspx" title="Sales SME" description="Sales SME" roles="SME" />
    <siteMapNode url="EWO.aspx" title="EWO" description="EWO" roles="EWO" />
  </siteMapNode>
</siteMap>

 3. The roles on these siteMapNodes are tied to the authorization tag in web.config, which you must specify for this trimming to work (THIS IS THE MAIN TRICK):

 <location path="EWO.aspx">
   <system.web>
     <authorization>
       <allow roles="EWO"/>
       <deny users="*"/>
     </authorization>
   </system.web>
 </location>
 <location path="SalesSME.aspx">
   <system.web>
     <authorization>
       <allow roles="SME"/>
       <deny users="*"/>
     </authorization>
   </system.web>
 </location>

 4. To test it, create a user and assign a role to it.

 In Global.asax, place the following code:

void Application_Start(object sender, EventArgs e)
{
    // Code that runs on application startup.
    // Uses System.Web.Security (Roles, Membership, MembershipUser),
    // which Global.asax imports by default.

    // Create the roles referenced by Web.sitemap if they do not exist yet
    if (!Roles.RoleExists("Commercial"))
        Roles.CreateRole("Commercial");
    if (!Roles.RoleExists("CSA"))
        Roles.CreateRole("CSA");
    if (!Roles.RoleExists("EWO"))
        Roles.CreateRole("EWO");
    if (!Roles.RoleExists("Factory"))
        Roles.CreateRole("Factory");

    // Create a test user and put it in the EWO role
    MembershipUser cipto = Membership.GetUser("cipto");
    if (cipto == null)
    {
        try
        {
            Membership.CreateUser("cipto", "ciptodeveloperterganteng", "cipto@Plasxxxxx.com");
            Roles.AddUserToRole("cipto", "EWO");
        }
        catch (Exception ex)
        {
            // CreateUser throws e.g. when the password fails the provider's policy;
            // swallowed here for the demo, log ex in real code
        }
    }
}

5. Create the menu on the Default page. You can use the ASP.NET TreeView or UltraWebMenu, bound to a SiteMapDataSource.

 6. Deny anonymous users ('?') in the authorization section.

 7. Log in from your login page.

8. You should see only the EWO menu.
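As an added example (not code from this post), here is a small Python audit that parses the Web.sitemap and the web.config location rules from the steps above and reports pages the menu hides from a role but the authorization rules do not actually deny; it assumes an authenticated user holding a single role and ASP.NET's first-match rule evaluation, and the two XML strings are constructed from the post's samples.

```python
import xml.etree.ElementTree as ET
# Constructed sample inputs, copied from the post's own Web.sitemap and web.config.
SITEMAP = """<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="Default.aspx" title="Home" roles="SME,EWO,CSA,FACTORY,Commercial">
    <siteMapNode url="SalesSME.aspx" title="Sales SME" roles="SME"/>
    <siteMapNode url="EWO.aspx" title="EWO" roles="EWO"/>
  </siteMapNode>
</siteMap>"""
WEB_CONFIG = """<configuration>
  <location path="EWO.aspx"><system.web><authorization>
    <allow roles="EWO"/><deny users="*"/></authorization></system.web></location>
  <location path="SalesSME.aspx"><system.web><authorization>
    <allow roles="SME"/><deny users="*"/></authorization></system.web></location>
</configuration>"""
NS = "{http://schemas.microsoft.com/AspNet/SiteMap-File-1.0}"

def sitemap_roles(sitemap_xml):
    """Map each siteMapNode url to the set of roles in its roles attribute."""
    root = ET.fromstring(sitemap_xml)
    return {n.get("url"): set(n.get("roles", "").split(","))
            for n in root.iter(NS + "siteMapNode")}

def location_rules(config_xml):
    """Map each <location path> to its ordered (allow|deny, users, roles) rules."""
    rules = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        rules[loc.get("path")] = [(r.tag, r.get("users"), r.get("roles"))
                                  for r in loc.iter() if r.tag in ("allow", "deny")]
    return rules

def is_allowed(rules, role):
    """ASP.NET URL authorization: top to bottom, first match wins, no match = allow."""
    for verb, users, roles in rules:
        if users == "*" or (roles and role in roles.split(",")):
            return verb == "allow"
    return True

def audit(sitemap_xml, config_xml):
    """(url, problem) pairs where the menu hides a page but web.config does not deny it."""
    findings, rules = [], location_rules(config_xml)
    nodes = sitemap_roles(sitemap_xml)
    all_roles = set().union(*nodes.values())
    for url, allowed in nodes.items():
        if url not in rules:
            findings.append((url, "no <location> rule: hidden but not protected"))
            continue
        for role in sorted(all_roles - allowed):  # roles the menu hides this page from
            if is_allowed(rules[url], role):
                findings.append((url, f"role {role} can still open the page"))
    return findings
```

Trimming only removes the menu entry; a user who types the URL directly is stopped by the authorization rules alone, which is why Default.aspx, which has no location rule in the post's sample, shows up as a finding.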


 James Kovacs has written his own HttpModule. It takes the existing identity (the NT account under Windows authentication, or the Roles provider under Forms authentication) and maps it to roles defined in an XML file, so for convenience we just modify the XML.

 http://www.jameskovacs.com/blog/DevelopingAndTestingRoleBasedASPNETApplicationsWithImpostorHttpModule.aspx

You can add the HttpModule in web.config (closing tag added here; the original fragment left it open):

    <httpModules>
        <add name="ImpostorHttpModule" type="JamesKovacs.Web.HttpModules.ImpostorHttpModule, JamesKovacs.Web.HttpModules"/>
    </httpModules>

There you are. Hope it helps.

Have a nice weekend.

Published Friday, July 04, 2008 1:43 PM by cipto

Comments

# re: Security Trimming

Saturday, October 04, 2008 5:13 AM by o5k4r.m4dr1d

Hi..

Do you have an example? I've done all your steps and it doesn't work.

Thanks in advance.

# re: Security Trimming

Tuesday, October 07, 2008 8:57 AM by cipto

Usually you have to use the ASP.NET configuration tools, or manually create a web.config; they work in conjunction:

Deny all users

Allow [roles that you want to give permission to]

Then the menu shall work.