I was about to.... Glad it's working now...

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
While typing this post, I was listening to: Gabber by DJ Paul Elstak (Track 1 from the album: Various) What's This?

Hi Imar it's me again. Thanks to the excellent blogs of you and ScottGu I got the site deployed and working! I am running a VWD2005 app and SQL 2K Server backend through Go Daddy and have it working now except for a couple of problems. Since I cannot use the web site administrator feature of VWD on a SQL 2K box, I've developed customized Admin pages for Adding/Editing/Deleting Roles (which does add and/or delete roles by populating the appropriate roles table)as well as other site maintenance pages, and still working on a page to edit users and their roles. In any event, my site map trimming is not working correctly. I have "Admin" pages and "Member" pages identified as such in the website map. When I create a new user I have the Create User Wizard assigning a value for their role of " Member " . When the new user signs up and logs in he sees all pages, including the " Admin " pages. I for the life of me cannot figure out where the error is. I am including code snippets from the CreateUser Wizard code, the section of the web sitemap that is not working and the web config to illustrate the connection strings. Any suggestions as to why this is not putting the user in the correct role so the navigation trimming will work would sure be appreciated.
1. The event code to add the member role via the CreateUser Wizard is as follows:
// CREATE USER METHOD USING CREATE USER WIZARD
public partial class SitePages_CreateAccount : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }
    protected void CreateUserWizard1_CreatedUser(object sender, EventArgs e)
    {
        Roles.AddUserToRole(CreateUserWizard1.UserName, "Member");
    }
}//END CREATE USER
2. Web site map section that is not working properly. You will note in the web config that follows that security trimming is enabled.

<siteMapNode url="~/MemberPages/ComputerTraining/ComputerTraining.aspx" title="Computer Class" description="Computer Class Materials" roles="Member"/>
<siteMapNode url="~/MemberPages/ChangePassword.aspx" title="Change Password" description="Change my password" roles="Member"/>
<siteMapNode url="~/AdminPages/MaintainSite.aspx" title="Maintain Site" description="Maintain Site Data" roles="Admin"/>
3. The customized connection strings used in the web config look like this:
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<connectionStrings>

<add name="ASPNETDBConnectionString" connectionString="
Server=****************secureserver.net;
Database=*******;
User ID=*********;
Password=********;
Trusted_Connection=False " providerName="System.Data.SqlClient" />
<remove name="LocalSqlServer"/>
<add name="LocalSqlServer" connectionString="
****************.secureserver.net;
Database=*******;
User ID=*********;
Password=**********;
Trusted_Connection=False " providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<roleManager enabled="true" defaultProvider="CustomizedRoleProvider">
<providers>
<add name="CustomizedRoleProvider" type="System.Web.Security.SqlRoleProvider"
connectionStringName="LocalSqlServer"/>
</providers>
</roleManager>
<authentication mode="Forms"/>
<compilation debug="false"/>
<membership defaultProvider ="CustomizedProvider">
<providers>

<remove name="AspNetSqlMembershipProvider" />
<add name="CustomizedProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="LocalSqlServer"
minRequiredPasswordLength="5"
minRequiredNonalphanumericCharacters="0"
passwordStrengthRegularExpression=""/>
</providers>
</membership>
<!-SITE MAP TRIMMING ENABLES TO SUPPORT USER ROLES-->
<siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
<providers>
<add name="XmlSiteMapProvider"
description="Default SiteMap provider."
type="System.Web.XmlSiteMapProvider "
siteMapFile="Web.sitemap"
securityTrimmingEnabled="true" />
</providers>
</siteMap>

<customErrors mode="RemoteOnly" defaultRedirect="customError.aspx">
<error statusCode="404" redirect="missingPage.aspx"/>
</customErrors>
</system.web>
 <system.net>
<mailSettings>
<smtp from="***************">
<network host="smtpout.secureserver.net"
userName="******"
password="**********" />
</smtp>
</mailSettings>
</system.net>
</configuration>

Are you expecting the roles element on the sitemap to stop users from accessing specific pages, or do you expect the sitemap to hide nodes to those pages in controls like a TreeView?

Where and how are you using the site map?

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
Want to be my colleague? Then check out this post.

Hi again and thanks for the quick response. The answer to your question is "both". I am binding the sitemap to my menu/navigation. Based on log-in/role status of a user i.e. Member or Admin I hide pages (and I thought Folder access via access rules). Members can see the Members only stuff and Admin can see the Maintain Site pages. When I set up the project in VWD I only allowed the Admin role to access the Admin Folder which contains all of the admin stuff. The members only pages have things only members can see and anonymous users see the generic site sans members only and admin menu options.
The problem is when someone creates an account at the site the roles= attribute of the sitemap does not seem to be working in that a new user can see all of the pages of the site including admin. This is as I'm sure you understand simply not acceptable for security reasons. Right now I have the maintain site pages url commented out of the site map to keep users from getting into it. I sure hope you can shed some light on this Imar; I appreciate you and your help very much. I did succeed in getting the thing to work with SQL 2k thanks to your help!

Jim

Do you have <location> tags in your main web.config file, or do the folders you want to block have their own config files?

The roles on the sitemap are only used for displaying purposes only; they don't block the actual access. You'll need to add <location> nodes to the main config file, or give each folder its own file, and then override the authorization element like this:

  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Manager" />
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

HtH,

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
Want to be my colleague? Then check out this post.

I'll do that and let you know how it goes. If I understand you correctly, I'll need to do that only for the two folders that I wish to restrict access to; Members Only Folder and Admin Folder? Where in the Web Config should I put the location tags? Thanks again. By the way, I've just found another write up on this issue at http://peterkellner.net/?p=24 which if I read it correctly provides a means of creating a Web Site Administration tool external to VWD. Thanks again and I'll let you know and yes; it does help!

Jim

You should place them directly in the <configuration> element, for example at the end of the file like this:



  <location path="Member">
    <system.web>
      <authorization>
        <allow roles="Members" />
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Manager" />
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

</configuration>


The "WAT" by Peter is pretty interesting. I used some of the concepts on my own web site. The UI is pretty messy, but there's some pretty interesting code-behind code...

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
Want to be my colleague? Then check out this post.

Imar it works! That's all it took. Even the security trimming works on the menu too! I've got a production site Yeah!! I'll finish writing my custom Admin pages now to add/edit users and their roles which is no problem and it's ready to rock.

Beginning ASP dotNet 2.0 was very helpful in learning the rudiments of ASP dot net 2.0. Now I think I can progress to the more advanced books. In particular I'm interested in the one you referenced for membership and roles. I've just got to have that.

Again, thank you very much. Now, perhaps I too can help someone.

Jim Buchan

Congratulations. Glad it's all working now.

This sounds like an ideal moment to plug my latest book: ASP.NET 2.0 Instant Results.

In this book, you'll find twelve complete working applications (a Photo Album, a Web Shop, a Bug Tracking application and more) that show you how to accomplish more complex tasks with ASP.NET 2.0. Instead of providing just little code snippets, the book provides an architectural overview of each application, and then digs deep into its code.

It discusses many of the new ASP.NET 2 features, including the ones you have been working with now: sitemaps, declarative security and security trimming.

You'll find a link to the book in my signature....

Cheers,

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
While typing this post, I was listening to: The Kill by Joy Division (Track 17 from the album: Heart And Soul (CD 1)) What's This?

Imar, I am going to add this book to my library forthwidth. Again, thank you.

Jim