How to implement security using mvcSiteMapProvider?

I need to implement role protection using my mvcSiteMapProvider V4 software. I use it with MVC3.

Sample mvcSiteMap code:

<mvcSiteMapNode roles="Admin" title="Your Subscription (All Users)" controller="SOU" action="ListSubscribers"> 

The role attribute value has no effect:

  <mvcSiteMapNode roles="NoAdmin" title="Your Subscription (All Users)" controller="SOU" action="ListSubscribers"> 

This is the same. I would expect the above to not work if the administrator logs in? I expect the first example to work if only the user is logged in.

... but no effect.

Many thanks

+4
4 answers

Security trimming is not enabled by default. The first thing you need to do is enable it.

Internal DI (web.config):

 <add key="MvcSiteMapProvider_SecurityTrimmingEnabled" value="true"/> 

External DI (in the MvcSiteMapProvider module):

 bool securityTrimmingEnabled = true; // First line in the module 

Then you must put the MVC [Authorize] attribute on each of the action methods that you want to protect. In MVC4+, you can also place it at the controller level or register it globally, and then use the [AllowAnonymous] attribute to selectively allow unauthenticated users to access specific action methods.

    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            // Require an authenticated user for every action by default
            filters.Add(new AuthorizeAttribute());
        }
    }

    [Authorize(Roles="Admin,Manager")]
    public class MyController : Controller
    {
        // Everyone has access
        [AllowAnonymous]
        public ActionResult Index()
        {
            return View();
        }

        // Only Admin and Manager roles have access, everyone else is denied
        public ActionResult About()
        {
            return View();
        }
    }

The role attribute in XML is intended for backward compatibility with ASP.NET. For MVC, the only real security is using the [Authorize] attribute (or inheriting it in your own way), because this is the only way to guarantee access to the resource through an alternative route.

+10
source
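A check that fits the point made in the answer above, as an added example that is not part of the original answers or of MvcSiteMapProvider: because only [Authorize] actually blocks a request, this reflection audit lists controller actions that carry no access decision at all. `AuthorizeAudit` is a hypothetical helper, `SOUController` is a constructed sample based on the question's node, and a reference to System.Web.Mvc is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Constructed sample mirroring the question's node (controller="SOU", action="ListSubscribers").
public class SOUController : Controller
{
    [Authorize(Roles = "Admin")]   // enforced on every route that reaches this action
    public ActionResult ListSubscribers() { return View(); }

    public ActionResult Export() { return View(); }   // no attribute: the audit reports it
}

// Hypothetical helper (not part of MvcSiteMapProvider): lists public actions that carry
// neither [Authorize] nor [AllowAnonymous], on the method or on its controller class.
public static class AuthorizeAudit
{
    public static IEnumerable<string> FindUnprotectedActions(Assembly assembly)
    {
        var controllers = assembly.GetTypes()
            .Where(t => !t.IsAbstract && typeof(Controller).IsAssignableFrom(t));

        foreach (var controller in controllers)
        {
            bool classLevel = HasAccessDecision(controller);
            // Only actions declared on the controller itself and returning ActionResult
            // are inspected; inherited and Task-returning actions are out of scope here.
            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName
                         && typeof(ActionResult).IsAssignableFrom(m.ReturnType)
                         && !m.IsDefined(typeof(NonActionAttribute), true));

            foreach (var action in actions)
                if (!classLevel && !HasAccessDecision(action))
                    yield return controller.Name + "." + action.Name;
        }
    }

    // AllowAnonymous is matched by type name so the code also compiles against MVC3,
    // where that attribute type does not exist.
    private static bool HasAccessDecision(MemberInfo member)
    {
        return member.GetCustomAttributes(true).Any(a =>
            a is AuthorizeAttribute || a.GetType().Name == "AllowAnonymousAttribute");
    }
}
```

Calling `AuthorizeAudit.FindUnprotectedActions(typeof(SOUController).Assembly)` on this sample yields `SOUController.Export`. Filters added in RegisterGlobalFilters are not visible to reflection, so with a global AuthorizeAttribute the reported actions are still protected and the list only shows where no explicit decision was written down.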

On SOUController, do you have the [Authorize] attribute added somewhere? MvcSiteMapProvider uses this to determine the ACL.

+1
source

If you use a site map that you can / should (did not work on it), indicate the roles in the site map.

 <mvcSiteMapNode title="Rechnungen" controller="Customer/Bills" action="Index" roles="CompanyAdmin"/> 
0
source

I just put

  <add key="MvcSiteMapProvider_SecurityTrimmingEnabled" value="true"/> 

in Web.config appSettings, for example:

    <appSettings>
      <add key="webpages:Version" value="2.0.0.0" />
      <add key="webpages:Enabled" value="false" />
      <add key="PreserveLoginUrl" value="true" />
      <add key="ClientValidationEnabled" value="true" />
      <add key="UnobtrusiveJavaScriptEnabled" value="true" />
      <add key="jqueryTheme" value="redmond" />
      <add key="MvcSiteMapProvider_IncludeAssembliesForScan" value="Cost3" />
      <add key="MvcSiteMapProvider_UseExternalDIContainer" value="false" />
      <add key="MvcSiteMapProvider_ScanAssembliesForSiteMapNodes" value="true" />
      <add key="MvcSiteMapProvider_SecurityTrimmingEnabled" value="true"/>
    </appSettings>

and put the [Authorize] attribute on each controller or action, for example:

    [Authorize(Roles = "Administrator")]
    public class UserManagementController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
    }

then ok!

0
source

Source: https://habr.com/ru/post/1498603/

