Inside the MvcSiteMapProvider - Part 4: The IAclModule

• Inside the MvcSiteMapProvider - Part 1
• Inside the MvcSiteMapProvider - Part 2: Dynamic node providers
• Inside the MvcSiteMapProvider – Part 3: The ISiteMapVisibilityProvider
• Inside the MvcSiteMapProvider - Part 4: The IAclModule
• Inside the MvcSiteMapProvider - Part 5: The ISiteMapNodeUrlResolver

The IAclModule extension point in MvcSiteMapProvider, are just like the ISiteMapVisibilityProvider very useful and easily implemented. It allows you to control which nodes are accessible to users. The default module checks for [Authorize] attributes on action methods and the roles attribute defined in the sitemap XML. The documentation lacks some information about the role attribute, and some about the creation of the actual module, this will be addressed in this post.

Internals

Firstly it is important to know that for any IAclModule to be used, security trimming must be enabled in the web.config, otherwise correctly implemented modules will always return true. The reason for this that all modules in theory should check if security trimming is enabled, but this is not enforce in the current version, 3.2.2, meaning that it depends on the module implementation. But all modules included checks if security trimming is enabled.

Performance Tip: If you don’t need security trimming, disable it. It can seriously kill performance with many nodes, at least with the default implementation.

Update: My pull request to enforce the security trimming check before the ACL modules are called has been accepted and merged into the master branch. So in the next version you won’t have to manually check it in the module.

The default implementation actually consists of two modules, XmlRolesAclModule and AuthorizeAttributeAclModule, called in succession.

XmlRolesAclModule

This ACL module allows you to define which role has access to a node. The roles are defined in the sitemap XML using the roles attribute like this:
Multiple roles can be separated by a comma. A star means authenticated users, a question mark means unauthenticated users and a string defines the name of the role needed to access this node.

AuthorizeAttributeAclModule

Basically use the [Authorize] attribute from ASP.NET MVC to check for access. This is by far the most expensive ACL module provided with MvcSiteMapProvider.

Tip: This module also works with custom attributes derived from AuthorizeAttribute

Custom ACL modules

Creating a custom ACL module is easy. Just created a new class implementing the IAclModule interface, and define it in either the web.config or by using dependency injection.
A basic ACL module which just checks if the a user is authenticated could look like this:
The method IsAccessibleToUser, takes the following parameters:

controllerTypeResolver : IControllerTypeResolver

This is an interface used to resolve the type of a controller.

provider : DefaultSiteMapProvider

The sitemap provider used.

context : HttpContext

The current HttpContext.

node : SiteMapNode

The node to check.