Security trimming stripping menu items I should have

  • Question

  • User2077282992 posted

    I've done this forever on multiple apps successfully:  Attach roles from my own source in the global.asax.  Have a sitemap provider in the web.config with securityTrimmingEnabled set to true, and have various web.configs in sub directories to manage the allowed roles.

    This is working on my dev box and has been working in production.  Working on a site redesign.  To demo the new beta design I created a nested child app in production.  The nested version is properly trimming menu items that only depend on being authenticated.  The links depending on roles however are all being trimmed.  It's acting like I don't have any roles.  I wrote a page to spit out the roles I do have to confirm and it reports that I do have them.  So the menu items should be visible. 

    I did a nested app on my dev box to see if I could reproduce the problem by chance that was the issue, but both dev versions work as expected.

    This is a 3.5 app. I am also using my own hacked version of FriendlyCssAdapters to spit out bootstrap markup for the menu.  I set both apps in production to use the same cookie and machine key so it's a single sign-on system for both apps.

    Thursday, April 17, 2014 11:36 PM

All replies

  • User2077282992 posted

    I updated the page I had to display the user's rolenames from the database (returns right ones) and iterated those through User.IsInRole(rolename); they all returned negative. I was wrong: I do not have the roles in the nested production app.  I've since discovered none of the events in the nested production app global.asax are firing.  Why does the same setup work on my development box?  The production is GoDaddy with IIS7 and integrated mode and precompiled.  Development is IIS8.5 integrated with no precompilation.

    Saturday, April 19, 2014 11:45 AM
  • User1140095199 posted

    Hi,

    I updated the page I had to display the user's rolenames from the database (returns right ones) and iterated those through User.IsInRole(rolename); they all returned negative. I was wrong: I do not have the roles in the nested production app.  I've since discovered none of the events in the nested production app global.asax are firing.  Why does the same setup work on my development box?  The production is GoDaddy with IIS7 and integrated mode and precompiled.  Development is IIS8.5 integrated with no precompilation.

    How are you deploying your website to the production server? Simple copy of the global.asax file might NOT work. This behavior occurs because the Global.asax file is not precompiled.

    Refer to the following article:

    To resolve this behavior there are two possible paths you can take:

    • Delete the Global.asax file from the ASP.NET 2.0 application root directory.
    • Compile the ASP.NET 2.0 application.

    Source Article- http://support.microsoft.com/kb/937095

    I would suggest that you publish the website following proper steps so that the global.asax is precompiled and deployed properly. Refer to the following article:

    http://www.asp.net/web-forms/tutorials/deployment/deployment-to-a-hosting-provider/deployment-to-a-hosting-provider-deploying-to-iis-as-a-test-environment-5-of-12

    Hope it helps!

    Best Regards!

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Sunday, April 20, 2014 10:26 PM
  • User2077282992 posted

    When I said the nested production global.asax events were not firing I did not literally mean I had such a file in production, though it could be read that way.  The production version is already compiled and there is no literal global.asax file, I was just referencing code that comes from that file.  I did notice looking at the nested app production bin's App_global.asax.compiled (xml file) was referencing the wrong assembly.  I usually merge all my web code into a single assembly and had renamed that assembly recently.  After the first upload of the bin I was just uploading my single assembly and hadn't updated the other four *.compiled files.  I just manually updated the references in the *.compiled files but still not getting the events yet.  Maybe the hash attribute values in those files need updating also.  Have to try later at home.

    Monday, April 21, 2014 11:44 AM
  • User2077282992 posted

    I updated the *.compiled files from the compiled output directory and it's working!  The attributes other than the assembly name appear to make a difference.

    Thanks Sam! If I wasn't verifying the nonexistence of the physical global.asax file I may have not looked closer at the *.compiled files to notice they weren't valid anymore.  I treated them too much like the marker files.  They bite if you change your assembly name and don't update them too.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, April 21, 2014 8:02 PM
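
The failure resolved in this thread (role-attaching code from global.asax silently not running because the *.compiled files in bin still named a renamed assembly) can be caught before upload. The following is an added example, not code from any poster in the thread: a pre-deploy check that flags *.compiled files whose `assembly` attribute names a DLL missing from the same bin folder. The assembly names `OldSite`/`NewSite`, the file names and the marker contents are constructed sample data.

```python
import xml.etree.ElementTree as ET
from pathlib import Path


def stale_compiled_files(bin_dir):
    """Return (marker file, referenced assembly) for each *.compiled file in
    bin_dir whose assembly attribute names a DLL that is not in bin_dir."""
    bin_dir = Path(bin_dir)
    present = {p.stem.lower() for p in bin_dir.glob("*.dll")}
    stale = []
    for marker in sorted(bin_dir.glob("*.compiled")):
        try:
            root = ET.parse(str(marker)).getroot()
        except ET.ParseError:
            # A marker that is not valid XML cannot be trusted either.
            stale.append((marker.name, "<unparseable>"))
            continue
        assembly = root.get("assembly")
        # Markers that carry no assembly attribute are not judged here.
        if assembly and assembly.lower() not in present:
            stale.append((marker.name, assembly))
    return stale


def build_sample_bin(bin_dir):
    """Constructed sample: the merged assembly was renamed OldSite -> NewSite,
    but only the page marker was regenerated, not the global.asax marker."""
    bin_dir = Path(bin_dir)
    (bin_dir / "NewSite.dll").write_bytes(b"")  # stand-in for the real DLL
    template = ('<?xml version="1.0" encoding="utf-8"?>\n'
                '<preserve virtualPath="{vp}" hash="0" '
                'assembly="{asm}" type="{typ}" />')
    (bin_dir / "App_global.asax.compiled").write_text(
        template.format(vp="/beta/global.asax", asm="OldSite",
                        typ="ASP.global_asax"))
    (bin_dir / "default.aspx.cdcab7d2.compiled").write_text(
        template.format(vp="/beta/default.aspx", asm="NewSite",
                        typ="ASP.default_aspx"))


if __name__ == "__main__":
    import sys
    problems = stale_compiled_files(sys.argv[1] if len(sys.argv) > 1 else "bin")
    for name, assembly in problems:
        print(f"{name}: references missing assembly '{assembly}'")
    sys.exit(1 if problems else 0)
```

A clean result only shows that the assembly names line up; as the thread found, the other attributes matter too, so the *.compiled files should be uploaded from the same compiled output as the DLLs.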