ASP.NET web.sitemap - roles do not seem to control visibility?


Question

I have a (simple) sitemap and am trying to figure out why a certain sub-menu is always visible.

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
  <siteMapNode url="~/Login.aspx" title="Home" description="RivWorks" roles="*">
    <siteMapNode url="" title="Dashboard" description="" roles="campaigns, auto_negotiation">
      <siteMapNode url="CampaignBuilder.aspx" title="Campaign Manager" description="Manage your campaign settings" roles="campaigns" />
      <siteMapNode url="ProductManager.aspx" title="Negotiation Manager" description="Manage your product and negotiation settings" roles="auto_negotiation" />
    </siteMapNode>
    <siteMapNode url="" title="Support Options" description="" roles="customers, customer_super, riv_admins, riv_super">
      <siteMapNode url="ChangePassword.aspx" title="Change Password" description="" roles="customers, customer_super, riv_admins, riv_super" />
      <siteMapNode url="http://rivworks.zendesk.com/requests/anonymous/new" title="Submit a Support Ticket" description="" roles="customers, customer_super, riv_admins, riv_super" />
      <siteMapNode url="http://rivworks.zendesk.com/forums/49919/entries" title="Tips &amp; Tricks" description="" roles="customers, customer_super, riv_admins, riv_super" />
    </siteMapNode>
  </siteMapNode>
</siteMap>



Note: web.config settings

<siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
  <providers>
    <add name="XmlSiteMapProvider"
         description="Default Site Map Provider"
         type="System.Web.XmlSiteMapProvider"
         siteMapFile="Web.sitemap"
         securityTrimmingEnabled="true" />
  </providers>
</siteMap>



I have a main menu option of "Dashboard". Under this menu item I have 2 options: 1) Campaign Manager & 2) Negotiation Manager. Now, what is interesting is when I am in either the campaigns role OR the auto-negotiation role I see the Dashboard and BOTH sub-menu items. This is not the behavior I expected. I expect to only see both sub-menus when I am in the campaigns role AND auto-negotiation role. The OR scenario should give me the Dashboard menu item and one OR the other sub-item...

Am I doing something wrong here or thinking a wrong way?

TIA

Recommended answer

I suspect you've fallen into the trap we all do, in believing that the roles attribute restricts visibility of the nodes. It doesn't, it actually widens visibility. All restrictions are done with the standard section in web.config.

(Full text below is from the original post at https://web.archive.org/web/20130408064047/http://ipona.com/asp-net-site-maps-security-trimming-and-roles/)

This is one of the most frequently asked questions and seems a constant source of confusion for everyone, as it was for me when I first read about it. The ASP.NET SiteMap allows a navigational structure to be defined as a set of XML elements, which are perfect for describing a hierarchy of menu items. These XML items are a siteMapNode element, which has an attribute roles. It seems obvious that this defines the roles that can see this item, but the obvious is in fact wrong. Here is the most important fact about site maps:

The roles attribute does not restrict the visibility of a node.

That should be clear enough, even if it still seems wrong. Here’s how it works. All restriction to pages is handled via authorization. You can do this either in the base web.config, or in web.config files in folders. For example, assume there is an Admin folder, under which all the administration pages are kept. You only want these pages accessible to users within the Admin role. You would configure your authorization like so:

<location path="Admin">
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

The Admin folder can now no longer be accessed by anyone who is not in the Admin role; if you aren’t in the Admin role and try to navigate to a page in the Admin folder, either via link on another page or by typing the URL directly into the browser, you’ll be redirected to the login page. You can have multiple location elements in your web.config, for different folders or even individual files; in fact if you have a restrictive site, you may want to explicitly open up certain pages, such as the login page; it’s hard to login to a site when you don’t have authorization to access the login page. If you prefer not to clutter your base web.config you can create a web.config file in the Admin folder with the same rules; you won’t need the location element since the configuration applies to the current folder.

So that’s authorization done; access to the pages is locked down. Now let’s consider navigation. The ASP.NET navigation framework honours the authorization, but only if you configure security trimming on the provider, which isn’t configured by default. This means that you need to add the site map configuration to web.config:

<siteMap enabled="true" defaultProvider="AspXmlSiteMapProvider">
  <providers>
    <clear />
    <add name="AspXmlSiteMapProvider" securityTrimmingEnabled="true"
     type="System.Web.XmlSiteMapProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
     siteMapFile="web.sitemap"/>
  </providers>
</siteMap>

Most of this is configured at the machine level when ASP.NET is installed, but crucially the securityTrimmingEnabled value is set to false by default. What the above does is clear out the existing configuration and add a new entry with the attribute set to true. At this stage the navigation framework will now honour the authorization rules, so menu items won’t be shown if the user doesn’t have authorization for that item; it doesn’t matter if you use a Menu or TreeView to display the menu items, the crucial part is using the SiteMapDataSource (or the Sitemap API if you’re building the menu manually). If you have a custom site map provider, such as a database driven one (such as this one on MSDN), then this might have to do its own security checking, but it depends on which base class you inherit from. That’s another story for another post though.

So if you don’t need to modify the site map elements themselves, what’s the roles attribute for? Well, this works in the opposite way you probably expect, by opening up visibility of the node, showing the node if the user is in the stated role even if they don’t have authorization to access the page itself (because the authorization rules restrict them from accessing it). Why would you do this? Well, you have to understand how security trimming works. When deciding whether a user can see a node, both the authorization and the physical file permissions are checked; if either fails then the node is deemed inaccessible. There are two very common times when physical file checks fail:


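  1. The URL is not local. If the file doesn’t exist locally then no check can be done.

  2. There is no URL. The node might just be a container node, with child pages but no page itself.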

In both of these cases the physical file checks fail so the node won’t be shown. You therefore may need to open up the visibility of the node. For example, consider the following:

<siteMapNode title="Admin" roles="Admin">
    <siteMapNode url="~/Admin/membership_CreateMember.aspx" title="Create User" />
    <siteMapNode url="~/Admin/membership_GetUsers.aspx" title="View Users" />
    <siteMapNode url="~/Admin/roleManager_CreateRole.aspx" title="Create Role" />
    <siteMapNode url="~/Admin/roleManager_AddUserToRole.aspx" title="Add User to Role" />
</siteMapNode>

Here the Admin node doesn’t have a physical page, it’s purely to allow organisation of the admin items into their own submenu. Without the additional roles attribute the node and children wouldn’t appear, but roles="Admin" states that the node should also be shown to users within the Admin role, even if the security checking fails. We don’t need the attribute on the child nodes because they have physical pages, so the file checks will succeed.

So it’s fairly straightforward if you remember the rules:


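  • Configure page security restrictions with authorization in
    web.config.

  • Redefine the site map provider to enable security
    trimming.

  • Add the roles attribute to site map nodes to widen
    visibility.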
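
Applied to the sitemap in the question, the three rules come out as follows. This is an added example, not part of the original question, answer or quoted post; it assumes CampaignBuilder.aspx and ProductManager.aspx sit in the application root (as the relative URLs in the question suggest) and that securityTrimmingEnabled="true" stays set on the provider.

```xml
<!-- web.config: the restriction lives here. Each page is locked to its role,
     so a direct request for the URL is refused as well, not just hidden
     from the menu. -->
<configuration>
  <location path="CampaignBuilder.aspx">
    <system.web>
      <authorization>
        <allow roles="campaigns" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="ProductManager.aspx">
    <system.web>
      <authorization>
        <allow roles="auto_negotiation" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

<!-- Web.sitemap, Dashboard branch only.
     The container has no URL, so its check fails and it needs roles="..."
     to be shown to either role. The children have local pages, so they
     carry no roles attribute and trimming follows the rules above:
     a campaigns-only user sees Dashboard > Campaign Manager,
     an auto_negotiation-only user sees Dashboard > Negotiation Manager,
     a user in both roles sees both items. -->
<siteMapNode url="" title="Dashboard" description="" roles="campaigns, auto_negotiation">
  <siteMapNode url="CampaignBuilder.aspx" title="Campaign Manager" description="Manage your campaign settings" />
  <siteMapNode url="ProductManager.aspx" title="Negotiation Manager" description="Manage your product and negotiation settings" />
</siteMapNode>
```

Without the two location rules, every authenticated user passes URL authorization for both pages, which is why both sub-items appeared regardless of the roles attributes.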
