
Unit 7: Web Part Security

Contents
Overview 1
Web Part Security 2
Default Security Permissions in Windows SharePoint Services 3
Specifying Safe Web Parts 4
Code Access Security 6
Default Trust Level in the Web.config File 7
Creating and Editing Policy Files 8
Lab A: Specifying Safe Web Parts 10
Lab Discussion 15
Course Evaluation 16

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2004 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows NT, Windows Server, C#, FrontPage, SharePoint, Visual Basic, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Unit 7: Web Part Security

Overview

Microsoft ASP.NET enables Web applications to operate in a partially trusted environment. Windows SharePoint Services builds on ASP.NET code access security and gives developers the ability to write Web Parts that run correctly in partially trusted environments. This unit describes how Windows SharePoint Services implements its custom security permissions and policy files.

Objectives
After completing this unit, you will be able to:

Understand the manner in which Windows SharePoint Services uses ASP.NET code access security.
Define both default security permissions for Windows SharePoint Services.
Designate Web Parts as safe to make them available on the virtual server.
Use code access security to ensure your Web Part assemblies get the permissions they require.
Identify the Windows SharePoint Services default trust level values.
Edit and create policy configuration files.


Web Part Security

One of the key security enhancements of Microsoft ASP.NET is the ability for Web applications to operate in a partially trusted environment. Windows SharePoint Services uses ASP.NET code access security to give server administrators the flexibility to set execution permissions on assemblies tailored to their needs. Developers creating Web Parts or custom solutions on the Windows SharePoint Services platform should familiarize themselves with its implementation of custom security permissions and policy files, because a Web Part that silently assumes full trust will fail on a server that is configured, as Windows SharePoint Services is by default, to run it with the minimum permissions. The Windows SharePoint Services implementation gives developers the opportunity to customize their applications for partially trusted environments.

Partially Trusted Environment


ASP.NET supports partial trust in Web-based applications, offering greater security for multiple applications hosted on one server, including SharePoint Portal Server. Application code and processes run with the minimum permissions they require, while the server maintains the highest possible level of protection for everything else.


Default Security Permissions in Windows SharePoint Services

Windows SharePoint Services defines two security permissions by default as part of the Microsoft.SharePoint.Security namespace in Microsoft.SharePoint.Security.dll. These permissions control access to Windows SharePoint Services resources and APIs. They are ordinary code access permissions: the Windows SharePoint Services assemblies demand them, and the Common Language Runtime enforces each demand against the permissions the calling assembly was granted by policy. Each permission has the following attributes:

SharePointPermission. Controls rights to access resources used by Windows SharePoint Services.


Attribute         Description
ObjectModel       Set to TRUE to use the Microsoft.SharePoint object model.
UnsafeSaveOnGet   Set to TRUE to allow data to be saved to the Windows SharePoint Services database on HTTP GET requests. The default is FALSE, which blocks such saves: a GET can be issued on a user's behalf by a link or image URL without the user intending any change, so state changes belong in POST requests.
Unrestricted      Set to TRUE to enable all rights associated with this permission.

WebPartPermission. Controls rights to access Web Part resources.


Attribute         Description
Connections       Set to TRUE to participate in Web Part to Web Part communications.
Unrestricted      Set to TRUE to enable all rights associated with this permission.


Specifying Safe Web Parts

Allowing users, or even members of the Administrator site group, unrestricted freedom to import new Web Parts can expose a server to security threats: a Web Part is compiled code that runs inside the server process for every user who views the page. Therefore, Web Parts must be explicitly designated as safe before they become available on the virtual server. To designate a Web Part as safe, you enter it in the SafeControls section of the Web.config file for the virtual server. The Web.config file is typically found at this location:

system_drive:\Inetpub\wwwroot\Web.config

Each SafeControls entry identifies an assembly that contains one or more Web Parts. You can list Web Part classes individually or you can specify that all Web Parts in the assembly are safe.

Four Attributes of SafeControl Elements

Assembly - The name of an assembly that contains one or more Web Parts. For assemblies that are strong named, you must include the name, version, culture and public key token. For other assemblies, only the name is required, although all four parts may be included.

Caution: If you give a strong name to an assembly by adding the path to a key pair file in the AssemblyInfo.cs file for the project, you must add the public key token to the SafeControl entry for that assembly.

Namespace - The .NET namespace for the Web Part class. Note that Web Parts in nested namespaces must be listed separately, even if an asterisk is entered for TypeName. For example, the SafeControls section of the default Web.config includes two separate entries for the assembly Microsoft.SharePoint: one for the Microsoft.SharePoint namespace and one for the Microsoft.SharePoint.WebPartPages namespace.

TypeName - The class name of the Web Part. You can use an asterisk (*) to indicate that an entry applies to all Web Part classes in the specified assembly and namespace. This is especially handy while you are developing the assembly, because no changes are required as you add new Web Part classes and recompile. On a production server, listing classes individually is the safer choice: with a wildcard, any class later added to the assembly becomes available to users without an administrator reviewing it.


Safe - This attribute usually has a value of True. However, members of the Administrator site group can deny the safety of a Web Part and make it unavailable by setting this attribute to False. The SafeControls listing prevents rogue Web Parts from becoming available to users. Additionally, Web Parts are subject to the same Code Access Security controls that are applied to all managed code.
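The following SafeControls section is an added example written for this unit; it is not a listing from the course files. The two Microsoft.SharePoint entries are the ones a Windows SharePoint Services Web.config ships with. The Northwind assembly, its namespace, and its class names are assumed names for the lab Web Parts, and the public key token shown for it is a placeholder, not a real token.

```xml
<SafeControls>
  <!-- Default Windows SharePoint Services entries. A nested namespace
       needs its own entry even though TypeName is "*". -->
  <SafeControl Assembly="Microsoft.SharePoint, Version=11.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
               Namespace="Microsoft.SharePoint" TypeName="*" Safe="True" />
  <SafeControl Assembly="Microsoft.SharePoint, Version=11.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
               Namespace="Microsoft.SharePoint.WebPartPages" TypeName="*" Safe="True" />

  <!-- Assumed lab assembly BEFORE it is strong named: the simple name is
       enough. TypeName="*" is convenient during development only. -->
  <SafeControl Assembly="Northwind" Namespace="Northwind" TypeName="*" Safe="True" />

  <!-- The same assembly AFTER it is strong named (you would keep one form
       or the other, not both). All four parts of the name are now required;
       read the token from the output of "sn -Tp Northwind.dll".
       0000000000000000 is a placeholder. Classes are listed individually
       so that a class added to the DLL later is not trusted implicitly. -->
  <SafeControl Assembly="Northwind, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0000000000000000"
               Namespace="Northwind" TypeName="CustomerWebPart" Safe="True" />
  <SafeControl Assembly="Northwind, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0000000000000000"
               Namespace="Northwind" TypeName="OrdersWebPart" Safe="True" />

  <!-- An administrator can withdraw one Web Part without uninstalling
       the assembly by setting Safe="False". -->
  <SafeControl Assembly="Northwind, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0000000000000000"
               Namespace="Northwind" TypeName="LegacyReportWebPart" Safe="False" />
</SafeControls>
```

Two things to check after editing: the Assembly attribute must match the assembly's identity exactly (a version bump after rebuilding a strong-named assembly silently stops the entry matching), and the entries with Safe="False" and Safe="True" should never overlap through a wildcard in the same namespace, so that there is no question which one applies.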


Code Access Security

Among the valuable services that the Common Language Runtime provides for Web Parts is code access security. Your Web Part code can be prevented from performing certain types of actions, such as reading or writing files, according to policies that are under the control of members of the local computer Administrators group. The default security settings for Windows SharePoint Services are very restrictive. Therefore, it is important that you ensure your Web Part assemblies get the permissions they require. The Runtime evaluates various types of evidence for each .NET assembly. For example, a strong name is a type of evidence, as is the location of an assembly, whether the assembly is installed in the global assembly cache (GAC) or in a bin folder. The Runtime also evaluates configuration files that specify security policies. Based on the evidence and the policies, each assembly is granted a set of permissions. Note that installing an assembly in the GAC gives it full trust, which sidesteps the policy entirely; that is why the techniques below concentrate on strong names and policy files for assemblies in the bin folder. The following sections describe several techniques you can use to enable functionality in Web Parts by adjusting code access security evidence and policies.


Default Trust Level in the Web.config File

The Web.config file for a SharePoint site contains a trust element that specifies the default level of security granted to Web Parts running on that server. This element appears in the system.web section of the configuration file:

<trust level="WSS_Minimal" originUrl="" />

The values for the level attribute that are available by default are:

Full
High
Medium
Low
Minimal
WSS_Medium
WSS_Minimal

Only three of these levels permit Web Parts to run: Full, WSS_Medium, and WSS_Minimal. The other trust levels apply to ASP.NET in general but do not include the specific permissions Web Parts need. By default, when you extend a virtual server with Windows SharePoint Services, the assembly trust level is set to WSS_Minimal, which does not grant access to the Microsoft SharePoint object model. This provides a secure trust level in which assemblies operate with the smallest set of permissions required for code to execute. To grant access to the SharePoint object model, you must raise the associated trust level, or grant the permission to the specific assembly through a policy file. Raising the whole virtual server to Full removes code access security for every assembly on it, not just the one you are fixing, so prefer WSS_Medium or a custom policy. You will learn how to set trust levels later in this unit.

Additional Information: For a complete list of the permissions granted by Windows SharePoint Services custom policy files, see Specific Permissions Granted By Windows SharePoint Services Custom Policy Files in the Resource Toolkit.


Creating and Editing Policy Files

Each trust level available in the Web.config file corresponds to a policy configuration file that specifies a set of permissions. For example, the permissions for the WSS_Minimal trust level are specified in a file named wss_minimaltrust.config. You can edit existing policy configuration files to change the default policies. You can also create your own policy files and refer to your custom policies in the Web.config file. The securityPolicy section of the Web.config file lists the available custom trust levels and the files on which they are based. The following code shows the default listing in a Web.config file for a SharePoint site:
<securityPolicy>
  <trustLevel name="WSS_Medium" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\config\wss_mediumtrust.config" />
  <trustLevel name="WSS_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\config\wss_minimaltrust.config" />
</securityPolicy>

You can add trust level elements that reference your own custom policies. Each policy file contains:

A list of permission classes.
A list of named permission sets, containing the permissions for each set.
A list of code groups that define the evidence an assembly must present to be assigned a particular permission set.


You can also edit one of the default policy files. For example, you can modify the wss_minimaltrust.config file to grant the necessary file I/O permissions to the Northwind Web Parts even when the server trust level is set to WSS_Minimal.

To modify a default policy file
1. Specify any required permission classes.
2. Define permission sets.
3. Define code groups that assign permission sets based on evidence.
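The fragment below is an added worked example of the three steps above; it is not the lab's answer key and not a file shipped with Windows SharePoint Services. It shows the parts of wss_minimaltrust.config (located at the path given in the securityPolicy listing earlier) that you add or change so that a strong-named Web Part assembly in the bin folder may read files from one folder while the virtual server stays at WSS_Minimal. Assumptions: the assembly is named Northwind, the data folder is C:\NorthwindData, and the PublicKeyBlob value is a placeholder for the full public key printed by "sn -Tp Northwind.dll" (the full key, not the 8-byte token that SafeControl entries use). The elements not shown (the rest of the file) stay as they are.

```xml
<configuration>
  <mscorlib>
    <security>
      <policy>
        <PolicyLevel version="1">

          <!-- Step 1. Permission class. Add this line only if the file does
               not already list FileIOPermission; a duplicate Name breaks
               policy loading for the whole virtual server. -->
          <SecurityClasses>
            <SecurityClass Name="FileIOPermission"
                Description="System.Security.Permissions.FileIOPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
          </SecurityClasses>

          <!-- Step 2. A named permission set for the Northwind parts only.
               Copy the IPermission lines of the file's existing ASP.Net set
               (shown here as they appear under WSS_Minimal) and add the one
               extra grant. Grant the narrowest file rights that work:
               Read/PathDiscovery on one folder, not Unrestricted="true";
               add Write="C:\NorthwindData" only if the part writes. -->
          <NamedPermissionSets>
            <PermissionSet class="NamedPermissionSet" version="1" Name="Northwind_Permissions">
              <IPermission class="AspNetHostingPermission" version="1" Level="Minimal" />
              <IPermission class="SecurityPermission" version="1" Flags="Execution" />
              <IPermission class="WebPartPermission" version="1" Connections="True" />
              <IPermission class="FileIOPermission" version="1"
                  Read="C:\NorthwindData" PathDiscovery="C:\NorthwindData" />
            </PermissionSet>
          </NamedPermissionSets>

          <!-- Step 3. Code group keyed on the assembly's strong-name evidence.
               The root group is a FirstMatchCodeGroup, so the new child must
               be placed BEFORE the existing $AppDirUrl$/* group: that group
               matches every assembly in bin and would otherwise win,
               handing Northwind the default set and the same
               FileIOPermission failure as before. -->
          <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
            <IMembershipCondition class="AllMembershipCondition" version="1" />
            <CodeGroup class="UnionCodeGroup" version="1"
                PermissionSetName="Northwind_Permissions" Name="Northwind_Web_Parts">
              <IMembershipCondition class="StrongNameMembershipCondition" version="1"
                  PublicKeyBlob="PASTE_THE_PUBLIC_KEY_FROM_sn_-Tp_HERE"
                  Name="Northwind" />
            </CodeGroup>
            <!-- the file's existing $AppDirUrl$/* and zone code groups follow, unchanged -->
          </CodeGroup>

        </PolicyLevel>
      </policy>
    </security>
  </mscorlib>
</configuration>
```

Policy files are read when the application starts, so run iisreset after saving. Because the membership condition is the public key, any assembly signed with the same key pair receives these rights, which is why the .snk file created in Lab A should be protected like a credential. If you would rather not edit the stock file, copy wss_minimaltrust.config to a new name (for example wss_northwindtrust.config), make the same three edits there, add a trustLevel element for it to the securityPolicy section of Web.config, and point the trust element's level attribute at the new name; the stock file then survives a repair or upgrade of Windows SharePoint Services untouched.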



Lab A: Specifying Safe Web Parts

After completing this lab, you will be able to:

Designate Web Parts as safe
Make entries in the SafeControls section of a Web.config file for the virtual server

Setup
In this lab, you will use the following values:
Variable                                Value
Virtual computer                        Dublin
Virtual computer - Domain controller    Glasgow

Solution Files
The solution files provide you the Microsoft Visual Studio .NET project as it would appear after successfully completing all of the exercises in this lab. The solution files may be accessed at the following locations:

C# solution files: C:\Program Files\Microsoft Learning\2014\Labfiles\Unit07\CS\Solution
Visual Basic .NET solution files: C:\Program Files\Microsoft Learning\2014\Labfiles\Unit07\VB\Solution

Lab Time
Estimated time to complete this lab: 20 minutes


Scenario
In the previous unit, the final exercise required you to add your new Web Parts to the Sales page. However, after you dragged the Web Parts onto the Sales Web Part page, you saw an error message that reads as follows:

Request for the permission of type System.Security.Permissions.FileIOPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed. Steps to correct this are included in the documentation for this sample.

This is a code access security failure: the Web Part assembly demanded FileIOPermission, and the WSS_Minimal policy grants no file I/O to an assembly in the bin folder. You will now resolve this error and satisfy the security requirements for SharePoint Web Parts.

Email
From: Don Hall, Manager, Northwind IT Department
To: Corporate Web Developer
Subject: RE: Problem Deploying Web Parts?

OK, I was looking into the issue you described in which the Web Parts we created for the Sales team were not working when you attempted to add them to the Web Part page in SharePoint Portal Server 2003. I believe the problem is that our Web Part has not been granted the permissions it needs. You must add the public key token to the minimal configuration for that Northwind assembly. I tested the procedure again just to be sure the error was not being caused by incorrect code or syntax, and I received the same errors again. So, I believe we have isolated the cause: our Web Parts don't have high enough permissions to access the file system. To resolve this problem, we need to strongly name the Northwind Web Part assembly and modify the Windows SharePoint minimal configuration file. Again, let me know if you need further assistance in sorting this issue out. Thank you again for your persistence on this project. - Don


Exercise 1 Creating a Strongly Named Assembly

In this exercise, you will strongly name the Northwind Web Part assembly. The strong name is the evidence that the policy file edited in Exercise 2 uses to identify the assembly.

Tasks and supporting information

1. Open the Northwind Complete project in Microsoft Visual Studio .NET.
   C#: Open the starter project located at C:\Program Files\Microsoft Learning\2014\Labfiles\Unit07\CS\Starter\Northwind Complete and double-click the Northwind Complete.sln file.
   Visual Basic .NET: Open the starter project located at C:\Program Files\Microsoft Learning\2014\Labfiles\Unit07\VB\Starter\Northwind Complete and double-click the Northwind Complete.sln file.
   Important: If the sn.exe file cannot be found, add the SDK bin folder to the system Path. Right-click My Computer and select Properties. Click the Advanced tab, then click the Environment Variables button. In the System variables list, select Path and click Edit. Click in the Variable value field at the end of the existing text, type a semicolon (;), then enter C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Bin. Click OK to close the first dialog box, click OK again, and click OK one final time to close the System Properties dialog box. Open a new command prompt (an existing one does not see the changed Path) and continue with the steps below.

2. Open a Visual Studio .NET Command Prompt.
   See the toolbox resources: Reference: Code Access Security; Reference: Code Access Security Basics; Reference: Creating Your Own Code Access Permissions; Reference: FileIOPermissionAccess Enumeration; Reference: Introduction to Code Access Security; Reference: Specific Permissions Granted By Windows SharePoint Services Custom Policy Files; Reference: Using Libraries from Partially Trusted Code; Reference: Writing Secure Class Libraries; Reference: Writing Secure Managed Controls; Answer Key for Lab A: Exercise 1 Creating a Strongly Named Assembly.

3. Navigate to the output path of the Northwind project assembly.
   C#: C:\Program Files\Microsoft Learning\2014\Labfiles\Unit07\CS\Starter\Northwind\bin
   Visual Basic .NET: C:\Program Files\Microsoft Learning\2014\Labfiles\Unit07\VB\Starter\Northwind\bin

4. Use the Strong Name utility to generate the key pair file (sn -k followed by the file name, for example Northwind.snk).
   Keep the key pair file out of the Web Part package and out of any location other developers or users can read: whoever holds it can sign an assembly that the policy you create in Exercise 2 will trust.

5. Associate the key file with the Visual Studio project by modifying the AssemblyInfo file (the AssemblyKeyFile attribute).

6. Retrieve the public key of the strongly named assembly.
   Open another command prompt if the first one has been closed. Use the Strong Name utility with the -Tp option against the built assembly. It prints two values: the full public key blob, which the policy file's StrongNameMembershipCondition needs in order to grant the File IO permission in Exercise 2, and the 8-byte public key token, which is what a SafeControl entry uses. The -Tp option only reports these for an assembly that has already been built with the key file, so if the output is empty, complete task 7 first and then return to this task.

7. Rebuild the solution.

8. Redeploy the Northwind Web Part package.
   C#: Open another command prompt if it has been closed, and change the directory to C:\Program Files\Microsoft Learning\2014\Labfiles\Unit07\CS\Starter\Northwind Complete\NorthwindCAB\Debug\. Use the command line (stsadm.exe -o addwppack -filename NorthwindCAB.CAB) to add the NorthwindCAB.CAB Web Part package. Because the package was installed in the previous unit, the tool reports "The specified Web Part Package is already installed. To reinstall the package, use the -force parameter." Run the command again with the -force parameter.
   Visual Basic .NET: Open another command prompt if it has been closed, and change the directory to C:\Program Files\Microsoft Learning\2014\Labfiles\Unit07\VB\Starter\Northwind Complete\NorthwindCAB\Debug\. Add the NorthwindCAB.CAB Web Part package from the command line in the same way, using the -force parameter when the tool reports that the package is already installed.


Exercise 2 Installing a Web Part

In this exercise, you will deploy the sample Northwind Web Parts, register them as safe, grant them the permissions they need under WSS_Minimal, and verify them on the Sales site.

Tasks and supporting information

1. Register the sample Northwind Web Parts as safe controls within SharePoint and grant them the file I/O permission they require.
   The SafeControl entries for the assembly belong in the SafeControls section of the virtual server's Web.config (see Specifying Safe Web Parts earlier in this unit); since the assembly is now strong named, each entry must carry the full four-part name including the public key token. The permission grant belongs in the policy file, which is located at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\config. Locate and open the file wss_minimaltrust.config in a text editor. Add or modify code in the following sections and then save the file: <SecurityClasses>, <NamedPermissionSets>, <CodeGroup>. Note that you need to insert the public key blob from sn -Tp (the full key, not the token) in the <CodeGroup> section. See the toolbox resources: Answer Key for Lab A: Exercise 2 Installing a Web Part.

2. Restart IIS.
   You can restart IIS either through the Internet Information Services MMC console or from the command line (iisreset). The edited policy file is not reloaded until the application restarts.

3. Verify that the Northwind Web Parts on the Northwind Sales site are registered as safe and load without the FileIOPermission error.
   Use the following URL: http://dublin/sites/Sales/default.aspx. Log on as Administrator with a password of P@ssw0rd.

4. Enable the Web Parts to connect to each other.
   When you access the Edit Connection Web Page Dialog box, select Customer ID.


Lab Discussion

Discuss the following:


What is the importance of making a Web Part safe?
While it is possible to completely remove the security features of deploying Web Parts on SharePoint, it is not a recommended practice. Why?


Workshop Evaluation

Your evaluation of this workshop will help Microsoft understand the quality of your learning experience. At a convenient time before the end of the workshop, please complete a workshop evaluation, which is available at http://www.CourseSurvey.com. Microsoft will keep your evaluation strictly confidential and will use your responses to improve your future learning experience.
