ASP.NET Membership/Role Model + Sitemap Security Trimming

The scenario is like this, I want to extend the ability of ASP Membership and role mode, also want to display content depends on user role.

So, I am going to use a SQL server to store and be able to extend. You can even implement you own provider class.

I will focus on how to setup and enable these features in this article.

We start with building tables in our database which we store our membership and role information.

Look under %WINDOWS%\Microsoft.NET\Framework\v2.0.50727\

There should be a ASPNET_REGSQL.exe, use it to create tables in your database.

ASPNET_REGSQL -S database_host -U username -P password -d database_name -A support_providers

for example : ASPNET_REGSQL -S -U sa -P 1234 -d membershipDb -A All

And then, we need to configure the web.config to tell the web application that we are using membership and role.

Also, tell the provider where to get those information.

Setup a connection string to the database.

 <remove name="LocalSqlServer"/>
 <add name="LocalSqlServer" connectionString="data source=.;Initial Catalog=MemRoleProvider;user id=sa;password=1234" providerName="System.Data.SqlClient" />

The [remove] delete the connect string whose name is LocalSqlServer. This seems to be the default connection string name.

You may use your own connection string name and do not remove the default one.

At last, we create the provider for the application in the [system.web] section.

<membership defaultProvider="AnaSystemSqlMembershipProvider" userIsOnlineTimeWindow="15">
 <add name="AnaSystemSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider,System.Web, Version=, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false"
enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false"
passwordFormat="Hashed" maxInvalidPasswordAttempts="5" passwordAttemptWindow="10"/>

 <roleManager enabled="true" defaultProvider="AnaSystemSqlRoleProvider">
 <add name="AnaSystemSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="LocalSqlServer" applicationName="/"/>

The [clear] remove all existing provider. The attributes reference can be found here.

ConnectionStringName should be the one that you previously configure. You should now able to leverage the power of ASP membership and role model.

The next step is to integrate with Security Trimming. I will use this feature to populate navigation menu depending on user role.

You have to have a  sitemap in your web application, then activeate the security trimming like this.

Inside [system.web].

<siteMap enabled="true" defaultProvider="XmlSiteMapProvider">
 <add name="XmlSiteMapProvider"
 description="Default SiteMap provider."
 securityTrimmingEnabled="true" />

[clear] is to remove existing sitemap provider. Next we have to enable the authenticatin feature.

Inside [system.web]

<authentication mode="Forms">
 <forms name=".mycookie" path="/" loginUrl="Default.aspx" protection="All" timeout="90"/>

The name attribute inside forms tag is the unique cookie name for the application.

Reference for other attribute can be found here.

The next step is to setup access rule for your directories. ASP access rule is directory base.

The root directory access rule is inside project’s web.config. Each directory will also have its

own web.config. Here is an example to give you an idea. inside [system.web]

 <allow users="admin" />
 <deny users="?" />

This means the root directory is accessable by admin role and forbid anonymous users.

You can manage access rule with a UI, in VS2008->Project->ASP.NET administration tools->security.

The final step is to add some setting to your sitemap file, web.sitemap.

Add roles=”*” to your siteMapNode to enable security trimming base on access rules.

Here is an example.

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="" >
 <siteMapNode title="Home" description="Home"
 url="~/default.aspx" >

 <siteMapNode title="Guest Area" roles="*">
 <siteMapNode url="~/Guest/Guest.aspx" title="guest only"  description="" />
 <siteMapNode title="Power Area" roles="*">
 <siteMapNode url="~/PowerUser/Content.aspx" title="power user"  description="" />


That’s it. You can also fine tune it to access rule base on page file by that is beyond the scope of this article.

You can find a little reference about that here.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s