Re: Authorization based on roles or directory access?



Hi Jakob,

As you said:

=========
It would be fine if the <authorization> setting was only checked as an
extra
security check for nodes that I in the sitemap decided to show.
==========

Actually, the case here is that the "roles" in <sitemapnode> is considered
as an extra check here. The <authorization> setting is the essential rule; this
rule will always be applied. In other words, the sitemap provider first
determines the node's visibility through the <authorization> setting, then, if
"roles" is specified in <sitemapnode>, it will use it to add more "allowed"
users (but it cannot exclude other "allowed" ones defined in the <authorization>
setting).

Also, for below:

===========
I do specify roles="Editors" on one of my nodes.
But this node is visible even for users that don't belong to this role.
I guess it is because I in the web.config specify <allow roles="Members"/>.
==============

Sure, because you have specified <allow roles="Members"/>, that means users
in the "Members" role can access those pages in that directory, and surely the
sitemap provider will display those nodes (matching the URLs in that directory)
to users in the "Members" role. If you want to prevent certain users from
seeing the sitemap node for a page, you need to deny them in the <authorization>
setting; the "roles" attribute of <sitemapprovider> won't help (it is not
exclusive).

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
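The two rules described above, worked through as an added example (not configuration from the original post or from the poster's site): the directory-wide <allow roles="Members"/> from the question is kept, and a more specific <location> entry for a single page is what actually hides the node from non-Editors. The directory name ~/Members/, the page Review.aspx and the role names are assumed for illustration.

```xml
<!-- web.config (fragment). Assumed layout: protected pages live under ~/Members/,
     and ~/Members/Review.aspx should be reachable, and listed, only for Editors. -->
<configuration>
  <system.web>
    <!-- Security trimming must be on; otherwise the provider ignores both
         <authorization> and the roles attribute and shows every node. -->
    <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
      <providers>
        <clear />
        <add name="XmlSiteMapProvider"
             type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap"
             securityTrimmingEnabled="true" />
      </providers>
    </siteMap>
  </system.web>

  <!-- Directory-wide rule, as in the question: any Member may enter ~/Members/.
       On its own this also makes every node under ~/Members/ visible to every
       Member, whatever roles="..." says in Web.sitemap. -->
  <location path="Members">
    <system.web>
      <authorization>
        <allow roles="Members" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The fix: a more specific rule for the one page. Rules are evaluated in
       order and the first match wins, so Editors are allowed before the
       catch-all deny. Members who are not Editors are denied here, so the
       provider trims the node for them. -->
  <location path="Members/Review.aspx">
    <system.web>
      <authorization>
        <allow roles="Editors" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

<!-- Web.sitemap (separate file). roles= only ever adds visibility; it cannot
     take visibility away from users that <authorization> already allows. -->
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="~/Default.aspx" title="Home">
    <siteMapNode url="~/Members/Default.aspx" title="Members area">
      <!-- Hidden from non-Editors because of the page-level <location> rule
           above, not because of this attribute. -->
      <siteMapNode url="~/Members/Review.aspx" title="Review queue" roles="Editors" />
    </siteMapNode>
  </siteMapNode>
</siteMap>
```

Two checks worth making when testing this. First, trimming is display only: the <authorization> rules are what actually block a request, so verify by requesting ~/Members/Review.aspx directly as a Member who is not an Editor, not just by looking at the menu. Second, roles="*" on a node works in the opposite direction from what people expect: it makes the node visible to everyone, including users the page's own authorization rules would reject, which is exactly the "adds allowed, never excludes" behaviour described above.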
