Security Trimmed Cross Site Collection Navigation

Posted on 5/24/2010 @ 8:29 PM in #SharePoint

This article will serve as documentation of a fully functional codeplex project that I just created. This project will give you a WebPart that will give you security trimmed navigation across site collections.

The first question is, why create such a project?

In every single SharePoint project you will do, one question you will always be faced with is, what should the boundaries of sites be, and what should the boundaries of site collections be? There is no good or bad answer to this, because it really really depends on your needs. There are some factors in play here.

  1. Site Collections will allow you to scale, as a Site collection is the smallest entity you can put inside a content database
  2. Site collections will allow you to offer different levels of SLAs, because you can put a site collection on a separate content database, and put that database on a separate server.
  3. Site collections are a security boundary – and they can be moved around at will without affecting other site collections.
  4. Site collections are also a branding boundary.
  5. They are also a feature deployment boundary, so you can have two site collections on the same web application with completely different nature of services.
  6. But site collections break navigation, i.e. a site collection at “/”, and a site collection at “/sites/mySiteCollection”, are completely independent of each other. If you have access to both, the navigation of / won’t show you a link to /sites/mySiteCollection. Some people refer to this as a huge issue in SharePoint.

Luckily, some workarounds exist. A long time ago, I had blogged about “Implementing Consistent Navigation across Site Collections”. That approach was a no-code solution, it worked – it gave you a consistent navigation across site collections. But, it didn’t work in a security trimmed fashion! i.e., if I don’t have access to Site Collection ‘X’, it would still show me a link to ‘X’.

Well this project gets around that issue. Simply deploy this project, and it’ll give you a WebPart. You can use that WebPart as either a webpart or as a server control dropped via SharePoint designer, and it will give you Security Trimmed Cross Site Collection Navigation.

The code has been written for SP2010, but it will work in SP2007 with the help of http://spwcfsupport.codeplex.com .

What do I need to do to make it work?

I’m glad you asked! Simple! Deploy the .wsp (which you can download here). This will give you a site collection feature called “Winsmarts Cross Site Collection Navigation” as shown below.

Go ahead and activate it, and this will give you a WebPart called “Winsmarts Navigation Web Part” as shown below:

Just drop this WebPart on your page, and it will show you all site collections that the currently logged in user has access to. Really, it’s that easy! This is shown below.

In the above example, I have two site collections that I created at /sites/SiteCollection1 and /sites/SiteCollection2. The navigation shows the titles. You see some extraneous crap as well, you might want to clean that – I’ll talk about that in a minute.

What? You’re running into problems? If the problem you’re running into is that you are prompted to log in three times, and then it shows a blank webpart that says “Loading your applications ..” and then craps out, then most probably you’re using a different authentication scheme. Behind the scenes I use a custom WCF service to perform this job. OOTB, I’ve set it to work with NTLM, but if you need to make it work with alternate authentication schemes such as forms based auth, or client side certs, you will need to edit the %14%\ISAPI\Winsmarts.CrossSCNav\web.config file, specifically, this section -

    <bindings>
      <webHttpBinding>
        <binding name="customWebHttpBinding">
          <!-- HTTP authentication only; NTLM is the out-of-the-box setting -->
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Ntlm"/>
          </security>
        </binding>
      </webHttpBinding>
    </bindings>

  • For Kerberos, change the “clientCredentialType” to “Windows”
  • For Forms auth, remove that transport line
  • For client certs – well that’s a bit more involved, but it’s just web.config changes – hit a good book on WCF or hire me for a billion trillion $. But fair warning, I might be too busy to help immediately.

If you’re running into a different problem, please leave a comment below, but the code is pretty rock solid, so .. hmm .. check what you’re doing! BTW, I don’t make any guarantee/warranty on this – if this code makes you sterile, unpopular, bad hairstyle, anything else, that is your problem!
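
The binding variants described above, written out as an added example (this is not the project's shipped web.config). The binding names `kerberosHttpBinding` and `ntlmHttpsBinding` are hypothetical; the HTTPS variant uses WCF's `Transport` security mode, which only applies when the site is served over https.

```xml
<!-- Added example: webHttpBinding variants for the Winsmarts.CrossSCNav web.config.
     Binding names other than customWebHttpBinding are hypothetical. Only the
     binding named by the service endpoint's bindingConfiguration attribute
     takes effect; the others are inert until an endpoint references them. -->
<bindings>
  <webHttpBinding>

    <!-- Shipped default (from the article): NTLM over plain HTTP.
         TransportCredentialOnly authenticates the caller at the HTTP layer
         but gives the request and response no encryption or integrity
         protection, so the navigation data travels in clear text. -->
    <binding name="customWebHttpBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Ntlm"/>
      </security>
    </binding>

    <!-- Kerberos over plain HTTP: "Windows" uses Negotiate, which prefers
         Kerberos and can fall back to NTLM. Same clear-text caveat as above. -->
    <binding name="kerberosHttpBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows"/>
      </security>
    </binding>

    <!-- HTTPS site: mode="Transport" requires an https endpoint address,
         so both the authentication exchange and the payload stay inside TLS.
         Using TransportCredentialOnly against an https address is a
         scheme mismatch and the service call fails. -->
    <binding name="ntlmHttpsBinding">
      <security mode="Transport">
        <transport clientCredentialType="Ntlm"/>
      </security>
    </binding>

  </webHttpBinding>
</bindings>
```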

But, there are some known issues -

  • I wrote this as a concept – you can easily extend it to be more flexible. For example, hierarchical nav, or horizontal nav, jazzy effects with jQuery or Silverlight – all those are possible very very easily.
  • This webpart is not smart enough to co-exist with another instance of itself on the same page. I can easily extend it to do so, which I will do in my spare(!?) time!

Okay good! But that’s not all! As you can see, just dropping the WebPart may show you many extraneous site collections, or maybe you want to restrict which site collections are shown, or exclude a certain site collection from the navigation. To support that, I created a property on the WebPart called “UrlMatchPattern”, which is a regex expression you specify to trim the results :). So, just edit the WebPart, and specify a string property of “http://sp2010/sites/” as shown below. Note that you can put in whatever regex expression you want! So go crazy, I don’t care! And this gives you a cleaner look.

 

w00t! Enjoy!

Older comments..


On 7/19/2010 3:45:47 PM Maarten said ..
Are there any plans for posting the source code for this web part? I see the WSP on the codeproject site for this web part but no source download. Importing the WSP into Visual Studio just sees the compiled DLL.

Thanks!


On 7/19/2010 6:59:35 PM Sahil Malik said ..
Maarten, it's on codeplex.


On 7/20/2010 7:57:40 PM Maarten said ..
Oops! Was looking under the releases rather than source code tab :)


On 7/21/2010 6:15:49 PM Cory Isakson said ..
Codeplex source tab says: The source control server is currently unavailable. Source code cannot be accessed at this time.

Please allow access to the source.

Thanks!


On 10/4/2010 2:56:39 PM evan said ..
This is exactly what I am looking for. I installed it and am trying to configure it, but it appears to be throwing the login 3 times and nothing problem. I am certain that I am using NTLM on my SharePoint server. Could anything else be causing this problem?


On 10/14/2010 6:57:13 AM Andy said ..
Sahil, thanks for the post, although it doesn't seem that I can use it with 2007 since you've specified a SharePointProductVersion of 14.0 in the manifest.xml and when I download the solution to edit it I need VS2010 not 2008, any solution?


On 11/15/2010 2:33:04 PM Dave said ..
Doesn't work, gives this error:

This solution contains invalid markup or elements that cannot be deployed as part of a sandboxed solution. Solution manifest for solution '27147970-8877-4665-9bb5-33a37d7f5308' failed validation, file manifest.xml, line 10, character 4: The element 'Solution' in namespace 'http://schemas.microsoft.com/sharepoint/' has invalid child element 'RootFiles' in namespace 'http://schemas.microsoft.com/sharepoint/'. List of possible elements expected: 'FeatureManifests, ActivationDependencies' in namespace 'http://schemas.microsoft.com/sharepoint/'.


On 12/29/2010 2:28:19 AM Sahil Malik said ..
Cory,

The source code is available. See http://spcrosssitenav.codeplex.com/SourceControl/list/changesets

Evan, hard to say, I'd have to see your web.configs, and SP install.

Andy, you can use it with 2007 by changing the manifest.xml :).

Dave - deploy it as a farm solution please.


On 1/26/2011 7:54:16 PM Mr. Profiler said ..
Hi there


Will this work across joined farms? Say I've got 3 farms in various geographical locations with various web apps and site collections. I want to get complete access (security trimmed) to a listing of all the site collections across.


How will this work? How would you set it up?


On 1/31/2011 1:47:51 PM Naz said ..
Hi there, good solution, is there a way we can sit this in our top link navigation?


On 2/8/2011 3:30:00 PM Ned said ..
I was very excited to see this project and immediately went about trying to get it set up on a development instance of MOSS 2007. I followed the instructions for enabling WCF on 2007 (using 2008 R2 OS) and that seemed to go smoothly. However, after following the webpart deployment and setup (including a modification to the manifest.xml), all I seem to get is a webpart that says "Results will load here...". Any idea what might've gone wrong? How to debug or what to check?

Appreciate your help.


On 2/9/2011 12:00:06 AM Sahil Malik said ..
Ned, you shouldn't have to make any mods to Manifest.xml etc. Just download, deploy, and run. Chances are something messed up in the mods or deployment. Too many moving pieces here to diagnose over blog comments though.

S


On 2/10/2011 10:59:24 AM Robert said ..
Great work... One thing I noticed is that this solution does not work with alternate access mappings...

If I have a web application on http://mymachine:21312 but my users access it through DNS at http://myapp.internal (using AAM), the links generated by the webpart will be using the http://mymachine:21312 address.


On 2/10/2011 3:38:50 PM Ned said ..
Ahem... Sahil, didn't you tell Andy that a mod to manifest.xml was required for use with 2007? I'd be happy to try it again, if you can clarify how to do this.

Thanks!


On 4/6/2011 5:08:48 PM Jason said ..
Great web part! Exactly what I was looking for.

I don't know if this will apply to anyone else, but I thought I'd mention, though, that I was running it on a 2010 site with https and was getting the login issues. I had to edit the web.config file and change the line:

<security mode="TransportCredentialOnly">

To:

<security mode="Transport">

After that, the web part worked correctly!


On 4/14/2011 12:11:27 PM zied said ..
Does your webpart work with WSS3, please?

It seems not to work!


On 5/14/2011 9:10:06 PM Matt said ..
This is absolutely fantastic! Do you think you could post a guide to implement into the Top Link Navigation?


On 5/18/2011 2:24:07 PM Dan said ..
Has anyone had an issue with the error: Object reference not set to an instance of an object.

This is all that displays when I add the web parts. Also, the icon does not load in Site Collection Features, which may or may not matter.


On 6/3/2011 4:28:58 PM Nick said ..
Is there a way to add the description of the site to this webpart? If not it is still amazing!


On 6/9/2011 5:26:35 AM Steven said ..
I've encountered the same issue as Dan. Error: Object reference not set to an instance of an object. Can anyone advise?


On 8/2/2011 10:01:20 AM Stefan said ..
I'm having an issue setting this up with claims based authentication. What web.config settings should I use?

Thank you!


On 8/9/2011 3:49:42 PM Stefan said ..
I was able to resolve my issues.

For claims based authentication use <security mode="None">

If you are getting "This collection already contains an address with scheme http. There can be at most one address per scheme in this collection." it could be because by design, WCF can't have multiple bindings for the same schema (HTTP). Extending the application could be a solution in such case.


On 9/14/2011 11:15:36 AM Prakash Acharya said ..
Can this be used for SP2010 Top Global Navigation?


On 9/22/2011 9:24:38 AM Eric Akawie said ..
I installed it and it was working. Then I changed the name of my content database, and got the error: Object reference not set to an instance of an object.

I've undeployed, deleted the solution, and re-added and redeployed the solution, and I still get the same error.

Any suggestions?


On 11/7/2011 5:50:13 AM Sean said ..
Evan, did you ever resolve the logon three times problem? I have recently added this web part to a page and I am experiencing the exact same issue. What's strange about it is that I have also added this web part to dev and test versions of this site, on completely separate servers, and don't get this issue on them. I have compared the authentication setup on each of the servers and they are the exact same, is there something else I need to check that may get this working? Thanks in advance, Sean.


On 11/15/2011 2:33:23 PM TODD said ..
Sahil, is there any way to sort the order of the links, either automatically or manually? Thank you.


On 8/9/2012 11:08:56 AM SD said ..
Should this work in current versions of SP 2010? Has this project been abandoned or are updates planned for future versions? Thanks!


On 10/29/2012 5:37:35 AM Jim said ..
Thanks Jason!

It asked me to log on three times and showed nothing.

But I'm using https!

Your solutions help me a lot!

Best

Jim