Forms authentication with sitemap and asp:Menu control

Posted on 2024-08-09 13:06:24 · 1847 words · 4 views · 0 comments

I have a site with 2 sections - one for customers and one for admins, in essence.
Each section is in its own directory with its own web.config and sitemap. Security and access works fine.

When I am logged in as admin, I want to see menu items that link to the other section, however. I added links to the sitemap, e.g.:

<siteMapNode url="~/Customer/Default.aspx?3" title="Customer Site"
description="Switch to customer site" roles="Administrator"/>

This seems to have no effect, since I still see the menu item when logged in as a customer.
When I turn on security trimming, as in

<siteMap enabled="true">
  <providers>
    <add name="InternalSiteMap" type="System.Web.XmlSiteMapProvider" 
        siteMapFile="~/Internal/Internal.sitemap" />
    <add name="CustomerSiteMap" type="System.Web.XmlSiteMapProvider" 
     siteMapFile="~/Customer/Customer.sitemap" securityTrimmingEnabled="true" />
  </providers>
</siteMap>

all menu items are gone.

I actually have web.configs in both the Internal and the Customer folders, e.g. for the customer:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Customer" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

and the administrator:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <authorization>
            <allow roles="Administrator" />
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>

Again, authorization works, and when I am logged in as a Customer and I click on the internal site link in the menu, I am being redirected to the login page. As an admin, I can click through to the admin site. As soon as I turn on security trimming for the sitemap provider, which is supposed to take the links that I am not authorized for off the menu, the entire menu disappears. What am I missing? Do I need to configure the asp.menu control to work together with this?

Update: I put a bounty on this question, because I still cannot get it to work. We are inclined to throw out the menu control and write our own, but if someone can provide a hint, that would be preferred of course.
Again - the problem is not with security - the roles and access rules work as expected. It is with the menu control and security trimming. The menu disappears altogether when security trimming is turned on for a sitemap.

Update: Thanks for finding this blog post, Pavel. What I learned from this is that if there are sitemap entries that do not have a path and URL (which is also true for some of my submenus), the control cannot infer permissions from the settings in the web.config, and you have to specify the roles in the sitemap. Otherwise, they will be hidden by default.


Comments (2)

绳情 2024-08-16 13:06:24

From Horizontal Menu Disappears with securityTrimmingEnabled="true":

Make sure that every role has access to the (unused) dummy siteMapNode at the root by including roles="*" in web.sitemap shown below:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap  enableLocalization="true"
     xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
    <siteMapNode url="" title="" roles="*"  description="">
      <siteMapNode url="~/default.aspx" resourceKey="siteMapHome" 
       title="Home" roles="admin,account" description="" />
      <!-- More nodes -->
    </siteMapNode>
</siteMap>
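
The trimming rule from the question's last update and the root-node fix quoted above, modelled as an added example that is not part of the original thread and is not ASP.NET code. The sitemap, the folder-to-role map and all function names are constructed for illustration; the model assumes a node is shown when its `roles` match, otherwise only when it has a URL the user is authorized for, and that a hidden node hides its subtree.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/AspNet/SiteMap-File-1.0}"

# Constructed sitemap with a URL-less root and a URL-less "Reports" group.
TEMPLATE = """<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="" title="Root" @ROOT@>
    <siteMapNode url="~/Customer/Default.aspx?3" title="Customer Site" roles="Administrator" />
    <siteMapNode url="~/Internal/Default.aspx" title="Admin Home" />
    <siteMapNode title="Reports" @GROUP@>
      <siteMapNode url="~/Internal/Audit.aspx" title="Audit" />
    </siteMapNode>
  </siteMapNode>
</siteMap>"""

# Stand-in for the per-folder web.config <authorization> rules in the question.
FOLDER_ROLES = {"~/Customer/": {"Customer"}, "~/Internal/": {"Administrator"}}

def build(root_attrs="", group_attrs=""):
    """Return the constructed sitemap with extra attributes on root and group."""
    return TEMPLATE.replace("@ROOT@", root_attrs).replace("@GROUP@", group_attrs)

def url_allowed(url, user_roles):
    """Model of URL authorization: folder roles must intersect the user's roles."""
    for prefix, allowed in FOLDER_ROLES.items():
        if url.startswith(prefix):
            return bool(allowed & user_roles)
    return True  # no rule for this path in the constructed data

def node_visible(node, user_roles):
    raw = node.get("roles", "").replace(";", ",")
    roles = {r.strip() for r in raw.split(",") if r.strip()}
    if "*" in roles or roles & user_roles:
        return True   # the roles attribute grants visibility on its own
    url = node.get("url", "")
    if not url:
        return False  # nothing to check against web.config: hidden
    return url_allowed(url, user_roles)

def visible_titles(xml_text, user_roles):
    """Titles left after trimming; a hidden node hides its whole subtree."""
    shown = []
    def walk(node):
        if not node_visible(node, user_roles):
            return
        shown.append(node.get("title"))
        for child in node.findall(NS + "siteMapNode"):
            walk(child)
    walk(ET.fromstring(xml_text).find(NS + "siteMapNode"))
    return shown
```

With no `roles` on the root, `visible_titles(build(), {"Administrator"})` is empty, which is the disappearing menu. The `roles` attribute only widens what the menu shows: the administrator sees "Customer Site" even though the Customer folder's rules would deny the request, so the web.config rules remain the access control.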
千寻… 2024-08-16 13:06:24

http://www.vbforums.com/showthread.php?p=3625975

Check the logged in user has the Administrator role.

Edit:

I'm also pretty sure you're not meant to specify the role in the siteMapNode. I believe role-based site maps work off existing roles, e.g. if a user has access to the path that the site node specifies then it will display it.

Also specify the path in the web.config.

<location path="admin/">
    <system.web>
        <authorization>
            <allow roles="Admin"  />
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

And finally remove the '~' from your site map so that the comparison will match.

Once this is all done and if this is still not working, merge the web.configs to make sure permissions are not being lost.
