[Mono-bugs] [Bug 467221] New: asp.net security trimming / authorization not working
bugzilla_noreply at novell.com
Sun Jan 18 21:29:47 EST 2009
https://bugzilla.novell.com/show_bug.cgi?id=467221
Summary: asp.net security trimming / authorization not working
Classification: Mono
Product: Mono: Class Libraries
Version: unspecified
Platform: x86-64
OS/Version: openSUSE 11.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: Sys.Web
AssignedTo: mhabersack at novell.com
ReportedBy: mmorano at mikeandwan.us
QAContact: mono-bugs at lists.ximian.com
Found By: ---
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2008121300 SUSE/3.0.5-1.1 Firefox/3.0.5
I have a navigation control that is driven from a SiteMapDataSource (using the
default Xml sitemap provider), and have configured security trimming in the
web.config as such:
<siteMap enabled="true" defaultProvider="SecuredSiteMapProvider">
  <providers>
    <clear />
    <!-- stock XmlSiteMapProvider; securityTrimmingEnabled makes it drop
         nodes whose URL the current user is not authorized to request -->
    <add name="SecuredSiteMapProvider"
         type="System.Web.XmlSiteMapProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         siteMapFile="web.sitemap"
         securityTrimmingEnabled="true" />
  </providers>
</siteMap>
Further on in the web.config, I have a number of elements defined to restrict
access to various resources within the site, such as the admin directory; they
are configured as such:
<location path="admin">
  <system.web>
    <authorization>
      <!-- rules are evaluated in order and the first match wins: members of
           "admin" are let through, everyone else (including anonymous) is denied -->
      <allow roles="admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
If I run this application on the version from SVN, then the navigation control
gets all the available nodes as configured, but also gets the admin node, which
it shouldn't as a user in the admin role has not authenticated yet. The user
can then click on the link to the secured resource, and access it, even though
they have not logged in yet.
However, if I run with the mono/xsp2 from the opensuse 11.1 install (2.0.1),
the node is not returned, and resources are properly secured in the website.
Reproducible: Always
Expected Results:
All nodes that do not meet their authorization requirement should not be
returned. Additionally, if a resource location is configured to require a
particular user/role for the page to be accessed, the page should not be
processed if this condition is not met.
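The behaviour the report expects, as an added model written for this page (it is not Mono's or ASP.NET's System.Web code, and the web.config and sitemap strings below are constructed to mirror the report, not the reporter's files): URL authorization evaluates the `<allow>`/`<deny>` rules of the most specific `<location>` in order, the first matching rule decides, and with no match the machine-level default allows the request; security trimming then simply applies that same decision to each sitemap node's URL. The model also shows the common ordering pitfall, a blanket deny placed before the allow, which locks out the admin role as well. `Principal`, `Rule`, `visible_nodes` and the other names are this example's own.

```python
# Added example, not Mono's System.Web code: a small model of ASP.NET URL
# authorization (<location>/<authorization>, first matching rule wins) and of
# sitemap security trimming, which hides nodes the current user may not reach.
from __future__ import annotations
from dataclasses import dataclass
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class Principal:
    name: str | None            # None means anonymous ("?" in ASP.NET rules)
    roles: frozenset = frozenset()

    @property
    def is_authenticated(self) -> bool:
        return self.name is not None


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    users: frozenset
    roles: frozenset

    def matches(self, p: Principal) -> bool:
        if "*" in self.users:                               # everyone
            return True
        if "?" in self.users and not p.is_authenticated:    # anonymous only
            return True
        if p.is_authenticated and p.name in self.users:
            return True
        return bool(self.roles & p.roles)


def _split(attr: str | None) -> frozenset:
    return frozenset(v.strip() for v in (attr or "").split(",") if v.strip())


def rules_from_element(auth_el) -> list:
    """Read <allow>/<deny> children of an <authorization> element, in order."""
    return [Rule(el.tag, _split(el.get("users")), _split(el.get("roles")))
            for el in auth_el if el.tag in ("allow", "deny")]


def is_authorized(rules: list, p: Principal) -> bool:
    """First matching rule decides; with no match, the machine-level default
    (<allow users="*"/>) lets the request through."""
    for rule in rules:
        if rule.matches(p):
            return rule.action == "allow"
    return True


def parse_locations(web_config_xml: str) -> dict:
    """Map each <location path="..."> to its ordered authorization rules."""
    root = ET.fromstring(web_config_xml)
    locations = {}
    for loc in root.findall("location"):
        auth = loc.find("system.web/authorization")
        if auth is not None:
            locations[loc.get("path").strip("/")] = rules_from_element(auth)
    return locations


def rules_for_url(locations: dict, url: str) -> list:
    """Pick the most specific <location> whose path covers the app-relative URL."""
    rel = url.lstrip("~").lstrip("/")
    best = ""
    for path in locations:
        if (rel == path or rel.startswith(path + "/")) and len(path) > len(best):
            best = path
    return locations.get(best, [])


def visible_nodes(sitemap_xml: str, locations: dict, p: Principal) -> list:
    """Security trimming: keep only nodes whose URL the principal may request."""
    root = ET.fromstring(sitemap_xml)
    titles = []
    for node in root.iter():
        if not node.tag.endswith("siteMapNode"):
            continue
        url = node.get("url")
        if url is None or is_authorized(rules_for_url(locations, url), p):
            titles.append(node.get("title"))
    return titles


# Constructed inputs mirroring the report's configuration (not the reporter's files).
WEB_CONFIG = """<configuration>
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

SITEMAP = """<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="~/default.aspx" title="Home">
    <siteMapNode url="~/about.aspx" title="About" />
    <siteMapNode url="~/admin/default.aspx" title="Admin" />
  </siteMapNode>
</siteMap>"""

ANONYMOUS = Principal(None)
ADMIN = Principal("alice", frozenset({"admin"}))
MEMBER = Principal("bob", frozenset({"member"}))

# The ordering pitfall: a blanket deny placed first shadows every later allow.
LOCKOUT_RULES = [Rule("deny", frozenset({"*"}), frozenset()),
                 Rule("allow", frozenset(), frozenset({"admin"}))]

if __name__ == "__main__":
    locs = parse_locations(WEB_CONFIG)
    for who, p in (("anonymous", ANONYMOUS), ("admin", ADMIN), ("member", MEMBER)):
        print(who, "sees", visible_nodes(SITEMAP, locs, p))
    print("admin under deny-first rules:", is_authorized(LOCKOUT_RULES, ADMIN))
```

Run as a script it lists what each principal sees: the anonymous and member users get Home and About only, the admin user also gets Admin. Trimming is a convenience for the menu, not the control itself; the `<location>` rules must reject the request on their own, which is why the report treats the SVN build serving the admin page to an unauthenticated user as the serious half of the bug.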