Forms Authentication with Sitemap and asp:Menu control

asp.net forms-authentication roles sitemap

I have a site with 2 sections – one for customers and one for admins, in essence.
Each section is in its own directory with its own web.config and sitemap. Security and access works fine.

When I am logged in as admin, I want to see menu items that link to the other section, however. I added links to the sitemap, e.g.:

<siteMapNode url="~/Customer/Default.aspx?3" title="Customer Site"
description="Switch to customer site" roles="Administrator"/>

This seems to have no effect, since I still see the menu item when logged in as a customer.
When I turn on security trimming, as in

<siteMap enabled="true">
  <providers>
    <add name="InternalSiteMap" type="System.Web.XmlSiteMapProvider" 
        siteMapFile="~/Internal/Internal.sitemap" />
    <add name="CustomerSiteMap" type="System.Web.XmlSiteMapProvider" 
     siteMapFile="~/Customer/Customer.sitemap" securityTrimmingEnabled="true" />
  </providers>
</siteMap>

all menu items are gone.

I actually have web.configs in both the Internal and the Customer folders, e.g. for the customer:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Customer" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

and the administrator:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <authorization>
            <allow roles="Administrator" />
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>

Again, authorization works, and when I am logged in as a Customer and I click on the internal site link in the menu, I am being redirected to the login page. As an admin, I can click through to the admin site. As soon as I turn on security trimming for the sitemap provider, which is supposed to take the links that I am not authorized for off the menu, the entire menu disappears. What am I missing? Do I need to configure the asp.menu control to work together with this?

Update: I put a bounty on this question, because I still cannot get it to work. We are inclined to throw out the menu control and write our own, but if someone can provide a hint, that would be preferred of course.
Again – the problem is not with security – the roles and access rules work as expected. It is with the menu control and security trimming. The menu disappears altogether when security trimming is turned on for a sitemap.

Update: Thanks for finding this blog post, Pavel. What I learned from this is that if there are sitemap entries that do not have a path and URL (which is also true for some of my submenus), the control cannot infer permissions from the settings in the web.config, and you have to specify the roles in the sitemap. Otherwise, they will be hidden by default.

Best Answer

From Horizontal Menu Disappears with securityTrimmingEnabled="true":

Make sure that every role has access to the (unused) dummy siteMapNode at the root by including roles="*" in web.sitemap, as shown below:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap  enableLocalization="true"
     xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
    <siteMapNode url="" title="" roles="*"  description="">
      <siteMapNode url="~/default.aspx" resourceKey="siteMapHome" 
       title="Home" roles="admin,account" description="" />
      <!-- More nodes -->
    </siteMapNode>
</siteMap>
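
A check for the failure mode described in this thread, added here as an example (not code from the question, the answer or the linked blog post): it parses a sitemap and reports every node that has neither a url nor roles, which security trimming hides for all users together with its subtree. The sample sitemap, its page paths and the function name `find_trimmed_nodes` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/AspNet/SiteMap-File-1.0}"

# Constructed sample sitemap (not from the original post): the root and one
# submenu heading have no url; only the root carries roles="*".
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="" title="" roles="*">
    <siteMapNode url="~/Customer/Default.aspx" title="Home" />
    <siteMapNode title="Reports">
      <siteMapNode url="~/Customer/Orders.aspx" title="Orders" />
      <siteMapNode url="~/Customer/Invoices.aspx" title="Invoices" />
    </siteMapNode>
    <siteMapNode url="~/Internal/Default.aspx" title="Admin Site"
                 roles="Administrator" />
  </siteMapNode>
</siteMap>"""


def find_trimmed_nodes(sitemap_xml):
    """Return (title, hidden_descendants) for every node that has neither a
    url nor a roles attribute. With securityTrimmingEnabled="true" such a node
    cannot be matched against web.config authorization rules, so it is hidden
    for every user together with its subtree."""
    root = ET.fromstring(sitemap_xml)
    findings = []

    def walk(node):
        url = (node.get("url") or "").strip()
        roles = (node.get("roles") or "").strip()
        if not url and not roles:
            # iter() counts the node itself, so subtract one.
            hidden = sum(1 for _ in node.iter(NS + "siteMapNode")) - 1
            findings.append((node.get("title", ""), hidden))
            return  # descendants are already unreachable in the menu
        for child in node.findall(NS + "siteMapNode"):
            walk(child)

    for top in root.findall(NS + "siteMapNode"):
        walk(top)
    return findings


if __name__ == "__main__":
    for title, hidden in find_trimmed_nodes(SAMPLE):
        print(f"node '{title}' has no url and no roles; "
              f"{hidden} descendant(s) disappear with it")
```

Removing roles="*" from the root of the sample makes the root itself the finding, with all five descendants hidden, which is the "entire menu disappears" symptom from the question.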