asp.net + web.sitemap + individual page security

I am using a sitemap and am trying to restrict access to certain pages depending on the roles.

I have a folder - Disputes - that has 4 pages. 3 of the pages are accessible by anyone logged in, but the one page is restricted to 2 roles. I have added the following code to my web.config file, but all 4 pages show up in the menu tree.

<add name="AspNetXmlSiteMapProvider" description="SiteMap provider which reads in .sitemap XML files." type="System.Web.XmlSiteMapProvider" securityTrimmingEnabled="true" siteMapFile="Web.sitemap"/>

  <location path="Disputes">
    <system.web>
      <authorization>
        <allow roles="Administrator,  Manager, Customer"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="~/Disputes/Disputes.aspx">
    <system.web>
      <authorization>
        <allow roles="Administrator, Manager, Customer"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="~/Disputes/Review.aspx">
    <system.web>
      <authorization>
        <allow roles="Administrator, Manager"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

How can I restrict the individual pages inside the folder?
dkilby Asked:

RyanAndres Commented:
Hi dkilby, I had a similar problem last week.

You should also set the roles in the .Sitemap file for each of these pages.

These pages should help you solve your problem in more depth:
http://aspadvice.com/blogs/dsussman/archive/2004/10/16/2268.aspx
http://aspadvice.com/blogs/dsussman/archive/2005/03/02/2271.aspx
dkilby (Author) Commented:
So do I need to have separate web.config files in each folder? I cannot do the restrictions from the main web.config file? Am I reading that correctly?
RyanAndres Commented:
Your web.config is fine. I'm referring to your web.sitemap file.

For example, the following is one of my sitemap files and in the SiteMapNode attributes I set the roles attribute to allow/display certain nodes to these roles.

If you want to post your web.sitemap file here that might help.
<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="~/Default.aspx" title="Home">
    <siteMapNode title="User" roles="*">
      <siteMapNode url="~/User/Profile.aspx" title="Profile" />
      <siteMapNode url="~/User/ChangePassword.aspx" title="Change Password" />
    </siteMapNode>
    <siteMapNode title="Admin" roles="administrator">
      <siteMapNode url="~/Admin/AddUser.aspx" title="Create A Login" />
      <siteMapNode url="~/Admin/ViewUsers.aspx" title="View Users" />
    </siteMapNode>
  </siteMapNode>
</siteMap>


dkilby (Author) Commented:
Attached is web.sitemap; I still see all the pages in the menu tree.
<?xml version="1.0" encoding="utf-8"?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="/" title="Menu" description="top" roles="*">
    <siteMapNode url="default.aspx" title="Home" description="Home page" />
    <siteMapNode url="Disputes" title="Disputes" description="Disputes" >
      <siteMapNode url="~/Disputes/Disputes.aspx" title="Disputes" description="Disputes To Review" />
      <siteMapNode url="~/Disputes/ReviewedDisputes.aspx" title="Reviewed Disputes" description="Disputes That Have Been Reviewed" />
      <siteMapNode url="~/Disputes/Review.aspx" title="Disputes To Review By Manager" description="Disputes To Review By Manager" roles="Administrator, Manager" />
    </siteMapNode>
    <siteMapNode url="~/Admin/Default.aspx" title="Admin" description="Admin" >
      <siteMapNode url="~/Admin/EmailDistro.aspx" title="Email Distros" description="Email Distros For Reports" />
      <siteMapNode url="~/Admin/DuplicateEntries.aspx" title="Duplicate Entries" description="Check Data For Duplicate Entries" />
    </siteMapNode>
  </siteMapNode>
</siteMap>


RyanAndres Commented:
You need to set the roles attributes in your web.sitemap.

The reason authorizations set in web.config don't hide it is to allow menu items to display even if the user doesn't have access to them. In this situation your website should allow the user to log in as another account. This is useful for websites whose users have multiple hats and accounts.

So, to HIDE menu items in the sitemap, do something like the following.

Line 05: <siteMapNode url="default.aspx" title="Home" description="Home page" roles="*" />
Line 10: <siteMapNode url="~/Admin/Default.aspx" title="Admin" description="Admin" roles="Administrator">

If you want to hide items in the sub menus, add roles to every child node.
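
The thread configures the same restriction in two files: `roles` in web.sitemap for the menu and `<authorization>` in web.config for the page itself. As an added example (not code from any poster in this thread), the following Python audit cross-checks the two and reports pages whose menu entry is role-restricted while the effective web.config rule grants additional roles. Assumptions: only `<allow roles>` is modelled, the sample input is constructed from the thread's files, and a `<location path>` beginning with `~` is assumed not to resolve relative to the folder holding web.config, so it is reported and not counted as protection.

```python
import posixpath
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/AspNet/SiteMap-File-1.0}"
# Constructed sample input, cut down from the two files posted in the thread.
RULE = ('<location path="%s"><system.web><authorization><allow roles="%s"/>'
        '<deny users="*"/></authorization></system.web></location>')
WEB_CONFIG = ("<configuration>"
              + RULE % ("Disputes", "Administrator, Manager, Customer")
              + RULE % ("~/Disputes/Review.aspx", "Administrator, Manager")
              + "</configuration>")
SITEMAP = """<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
 <siteMapNode url="/" title="Menu" roles="*">
  <siteMapNode url="~/Disputes/Disputes.aspx" title="Disputes"/>
  <siteMapNode url="~/Disputes/Review.aspx" title="Review" roles="Administrator, Manager"/>
 </siteMapNode>
</siteMap>"""

def roles(text):
    return {r.strip().lower() for r in (text or "").split(",") if r.strip()}

def effective_roles(url, rules):
    # Most specific rule wins: the page's own path, then each parent folder.
    path = url.lstrip("~/").lower()
    while path:
        if path in rules:
            return rules[path]
        path = posixpath.dirname(path)
    return None

def audit(config_xml, sitemap_xml):
    rules, findings = {}, []
    for loc in ET.fromstring(config_xml).iter("location"):
        path = loc.get("path", "")
        if path.startswith("~"):  # assumption: not counted as protection
            findings.append(("unverified-location-path", path, []))
            continue
        rules[path.strip("/").lower()] = set().union(
            *(roles(a.get("roles")) for a in loc.iter("allow")))
    for node in ET.fromstring(sitemap_xml).iter(NS + "siteMapNode"):
        shown_to, url = roles(node.get("roles")), node.get("url", "")
        if not shown_to or "*" in shown_to or not url:
            continue  # only role-restricted menu entries are audited
        allowed = effective_roles(url, rules)
        if allowed is None:
            findings.append(("no-authorization-rule", url, []))
        elif allowed - shown_to:
            findings.append(("hidden-but-reachable", url, sorted(allowed - shown_to)))
    return findings
```

Each finding is a tuple of kind, path or URL, and the roles that the web.config rule grants beyond those the menu entry is shown to.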

dkilby (Author) Commented:
Thanks for the help