- Inside the MvcSiteMapProvider - Part 1
- Inside the MvcSiteMapProvider - Part 2: Dynamic node providers
- Inside the MvcSiteMapProvider - Part 3: The ISiteMapVisibilityProvider
- Inside the MvcSiteMapProvider - Part 4: The IAclModule
- Inside the MvcSiteMapProvider - Part 5: The ISiteMapNodeUrlResolver
Internals
Firstly, it is important to know that for any IAclModule to be used, security trimming must be enabled in the web.config; otherwise correctly implemented modules will always return true. The reason for this is that all modules in theory should check whether security trimming is enabled, but this is not enforced in the current version, 3.2.2, so it depends on the module implementation. All the modules included with the provider do check whether security trimming is enabled.
The default implementation actually consists of two modules, XmlRolesAclModule and AuthorizeAttributeAclModule, called in succession.
Performance Tip: If you don’t need security trimming, disable it. It can seriously kill performance with many nodes, at least with the default implementation.
Update: My pull request to enforce the security trimming check before the ACL modules are called has been accepted and merged into the master branch. So in the next version you won’t have to manually check it in the module.
XmlRolesAclModule
This ACL module allows you to define which roles have access to a node. The roles are defined in the sitemap XML using the roles attribute like this:
Multiple roles can be separated by a comma. A star (*) means authenticated users, a question mark (?) means unauthenticated users, and any other string is the name of the role needed to access this node.
AuthorizeAttributeAclModule
This module uses the [Authorize] attribute from ASP.NET MVC to check for access. It is by far the most expensive ACL module provided with MvcSiteMapProvider, because every node has to be matched to its controller action and the attribute evaluated on each check.
Tip: This module also works with custom attributes derived from AuthorizeAttribute.
Custom ACL modules
Creating a custom ACL module is easy. Just create a new class implementing the IAclModule interface, and register it either in the web.config or through dependency injection.
A basic ACL module which just checks whether the user is authenticated could look like this:
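As an added example (not the post's own code), here is a custom module that covers both points made above: it performs the security trimming check that version 3.2.2 does not enforce for you, and it applies the roles conventions described in the XmlRolesAclModule section (`*`, `?`, role name), which includes the plain "is authenticated" case. The IAclModule signature and the MvcSiteMapProvider.Extensibility namespace are assumed to match version 3.2.2; check them against the interface in your installed assembly.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web;
using MvcSiteMapProvider;               // DefaultSiteMapProvider
using MvcSiteMapProvider.Extensibility;  // IAclModule, IControllerTypeResolver (assumed v3 namespace)

namespace MyApp.SiteMap
{
    // Custom ACL module that evaluates the node's roles attribute itself.
    public class RolesAclModule : IAclModule
    {
        // Signature assumed for MvcSiteMapProvider 3.2.2.
        public bool IsAccessibleToUser(IControllerTypeResolver controllerTypeResolver,
            DefaultSiteMapProvider provider, HttpContext context, SiteMapNode node)
        {
            // Not enforced by the provider in 3.2.2: when trimming is off every node is visible.
            if (!provider.SecurityTrimmingEnabled)
                return true;

            // SiteMapNode.Roles is a non-generic IList populated from the roles attribute.
            return IsAllowed(context.User, node.Roles.Cast<string>());
        }

        // Pure decision logic, kept separate so it can be unit tested without an HttpContext.
        public static bool IsAllowed(IPrincipal user, IEnumerable<string> roles)
        {
            var required = roles.Select(r => r.Trim()).Where(r => r.Length > 0).ToList();
            if (required.Count == 0)
                return true; // no roles attribute: the node is not restricted

            bool authenticated = user != null && user.Identity != null && user.Identity.IsAuthenticated;

            foreach (var role in required)
            {
                if (role == "*" && authenticated) return true;   // any authenticated user
                if (role == "?" && !authenticated) return true;  // anonymous users only
                if (role != "*" && role != "?" && authenticated && user.IsInRole(role))
                    return true;                                  // named role
            }
            return false; // fail closed: none of the listed roles matched
        }
    }
}
```

Because the roles parsing lives in a static method, a test can call `RolesAclModule.IsAllowed` with a `GenericPrincipal` and, for example, assert that `"*"` denies an unauthenticated identity while `"?"` allows it.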
The method IsAccessibleToUser takes the following parameters: