Microsoft Windows SharePoint Services and code access security

Microsoft Windows SharePoint Services and Code Access Security

Maurice J. Prather
Suraj poozhiyil
Andrew M. Miller
Microsoft Corporation

July 2003

Applicable:
Microsoft Windows SharePoint Services
Microsoft Office SharePoint Portal Server 2003
Public Language Runtime Library

Abstract:This article describes how to implement code access security policies for Microsoft SharePoint products and technologies, and how to customize default security settings for Microsoft Windows SharePoint Services. This article also answers some common questions about code access security and its applicability in Windows SharePoint Services. (This article contains links to English sites .)

Directory

Introduction
Default security permissions in Windows SharePoint Services
ASP. NET and SharePoint security policies
Set the trust level for the Virtual Server
FAQs
Summary

Introduction

Microsoft ASP. NET V1.1 is a major security improvement. It can run Web applications in some trusted environments.Program. For more information, see what's new in the. NET Framework V1.1. This is an improvement based on ASP. NET V1.0. In ASP. NET V1.0, all web applications must be fully trusted. Because ASP. NET V1.1 enables code access security, Windows SharePoint services enables the server administrator to flexibly set the Assembly execution permissions as needed.

Developers who create Web components or custom solutions on the Windows SharePoint services platform should be familiar with how Windows SharePoint Services implements custom security permissions and policy files. Windows SharePoint services enables developers to customize applications for some trusted environments.

Default security permissions in Windows SharePoint Services

Windows SharePoint Services defines two default security permissions, which are in Microsoft. Sharepoint. Security. dll.Microsoft. Sharepoint. SecurityA part of a namespace. Each permission includes one or more of the following attributes:

Sharepointpermission:Controls access to resources used by Windows SharePoint Services.

Attribute	Description
Objectmodel	Use Microsoft. SharePoint object model when set to true
Unsafesaveonget	Save HTTP-GET request data when set to true
Unrestricted	If this parameter is set to true, all permissions associated with this permission are enabled.

Webpartpermission:Control access to Web Part Resources

Attribute	Description
Connections	When this parameter is set to true, the Web Part communicates with the Web part.
Unrestricted	If this parameter is set to true, all permissions associated with this permission are enabled.

ASP. NET and SharePoint security policies

You can specify a level of trust for the predefined permission set of ASP. NET applications. By default, ASP. NET defines the following trust levels:

• Complete
• High
• Medium
• Low
• Lowest

Except for the "full" trust level, all other trust levels only grant partial trust permissions to the application folder of the virtual server instance. For more information about ASP. NET trust levels, see ASP. NET code access security.

In addition, Windows SharePoint Services defines two trust levels:

• Wss_minimal
• Wss_medium

These two trust levels Expand the "lowest" and "medium" trust levels of ASP. NET for Windows SharePoint Services. The security policy files wss_minimaltrust.config and wss_mediumtrust.config define these two levels. By default, Windows SharePoint Services stores these files in the following locations:

Local_drive: \ Program Files \ common files \ microsoft shared \ Web Server Extensions \ 60 \ config

By default, Windows SharePoint Services sets the trust levelWss_minimal. This provides a level of security trust in which the Assembly is granted the minimum permission set required for code execution.

The following table lists some specific permissions granted to the custom security policy file that comes with Windows SharePoint Services.

Permission	Wss_medium trust level	Wss_minimal trust level
Aspnethostingpermission	Medium	Lowest
Environment	Read: temp, TMP, OS, username, computername
Fileio	Read, write, append, pathdiscovery: application directory
Isolatedstorage	Assemblyisolationbyuser, unrestricted userquota
Reflection
Registry
Security	Execution, assertion, controlprincipal, controlthread, remotingconfiguration	Execution
Socket
Webpermission	Connect to the original host (IF configured)
DNS	Unrestricted
Printing	Print by default
Oledbpermission
Sqlclientpermission	Allowblankpassword = false
EventLog
Message Queue
Service Controller
Performance counters
Directory Service
Sharepointpermission	Objectmodel = true
Webpartpermission	Connections = true	Connections = true

Note:By default, Windows SharePoint Services does not grant access to the Microsoft SharePoint object model. To grant access permissions, you must increase the associated trust level in some way. The following section describes the related methods.

Set the trust level for the Virtual Server

Marked by <trust> in the web. config fileLevelAttribute Value to determine the trust level of the virtual server. By default, Windows SharePoint Services sets the trust levelWss_minimal. In the Web. config file of the virtual server extended by Windows SharePoint services, you can find the following <trust>:

 
<Trust level = "wss_minimal" originurl = ""/>
 

By default, you can use any of the seven predefined trust levels listed in the previous section.

Note:After changing the trust level of the virtual server, you must reset the Web Service (iisreset can be used ).

Specifying the trust level in the web. config file will produce the following results:

• The trust level specified in the web. config file will be applied to all the sets used by the specified virtual server.
• All SharePoint sites associated with the specified virtual server use the same level of trust.

FAQs

The following are a series of questions about code access security and Windows SharePoint Services.

What does partial trust mean to Web component developers?

If you install the assembly in the bin directory, make sure that your code can handle errors without the required permissions. Otherwise, unprocessed security exceptions may cause the Web part to fail and may affect the display of the Web Part Page.

The following is a typical example of a security exception:

 
An error occurred while requesting permissions of the Microsoft. Sharepoint. Security. Invalid pointpermission, Microsoft. Sharepoint. Security, version = 11.0.0.0, culture = neutral, publickeytoken = 71e9bce111e9429c type.
 

As mentioned above, the wss_minimal trust level is not granted to the Assembly in the bin directory of the applicationSharepointpermission. objectmodel. Therefore, if the code tries to use the Microsoft SharePoint object model, the Common Language Runtime Library (CLR) will throw an exception.

Because the minimal permission set provides the minimum set of permissions required for code execution, other security exceptions may occur.

Suggestion:Try to capture key areas to deal with situations where you do not have the required permissions to accomplish the specified target.

What if my assembly is installed in GAC?

By default, the Assembly runtime installed in the Global Assembly Cache (GAC) has a "full" trust level. Although Web component assembly can be installed in GAC, it is recommended to install them in the bin directory for safer deployment.

How can I increase the trust level of the Assembly installed in the bin directory?

Windows SharePoint Services can use any of the three methods provided by ASP. NET and CLR to provide sufficient permissions for the Assembly installed in the bin directory. The following table lists the descriptions and requirements of each method.

Method	Advantages	Disadvantages
Improve the trust level of the entire virtual server. For more information, see "set trust level for virtual servers ".	Easy to implement. In the development environment, increasing the trust level allows you to test the Assembly by increasing the trust permission, and allows you to directly compile the assembly to the bin directory without resetting IIS.	This method has the worst security. It will affect all the sets used by the virtual server. The target server cannot have the required level of trust. Therefore, Web components may not work after they are installed on the target server.
Create a custom policy file for the Assembly. For more information, see "how to create a custom policy file ?"	This method is recommended. This method has the best security. You can run an assembly using a unique policy that meets the minimum Assembly permission requirements. By creating custom security policies, you can ensure that the target server can run Web components.	Among the three methods, This method requires the most configuration.
Install the Assembly in GAC	Easy to implement. This method grants the Assembly full trust permission without affecting the trust level of the Assembly installed in the bin directory.	This method is less secure. All virtual servers and applications running Windows SharePoint Services can use the Assembly installed in GAC. This poses a potential security risk because it grants a higher level of permissions than required for a large number of assemblies. In the development environment, IIS must be reset every time the Assembly is re-compiled. The global availability of the Assembly also causes authorization problems.

I changed the trust level in the web. config file-my entire site cannot be displayed now. What should I do?

If the trust level is changed in the web. config file, Windows SharePoint services may not be displayed as per subsequent requests. The following is an example of a typical error:

 
The security permission authorization set of the Assembly <assemblyname> is incompatible with the appdomain.
 

You can useIisresetTo reset the Internet Information Service (IIS ).

Note:This is a familiar question related to the architecture of ASP. NET and. NET Framework.

How do I create a custom policy file?

To customize a built-in policy file, we recommend that you create a copy and then change the copy to ensure that the original file can be used when necessary.

The following procedure describes how to grant access to the Microsoft SharePoint object model to a specific assembly.

To grant access permissions to an assembly

2. Copy the wss_minimaltrust.config file.
4. RenameNew_file_name. ConfigFile.
6. Use a text editor (such as NotePad) to openNew_file_name. Config.
8. In the <securityclasses> element, addSharepointpermissionClass reference:

   <Securityclasses> <! -- For the sake of clarity, other security classes are omitted --> <securityclass name = "sharepointpermission" Description = "Microsoft. sharepoint. security. sharepointpermission, Microsoft. sharepoint. security, version = 11.0.0.0, culture = neutral, publickeytoken = 71e9bce111e9429c "/> </securityclasses>

10. SearchNameAttribute equalsASP. NET<Permissionset>.
12. Copy the entire tag and its sub-tag, and paste the copy to the bottom next to the copied content.
14. change the name of the new permissionset element from Asp. net to new_file_name :

    example (before modification)

     
         
          nodes are omitted for clarity --> 
         

    example (after modification)

     
         
          nodes are omitted for clarity --> 
         

16. Add the following node to the element whose name attribute is new_file_name :

    , the generated custom is as follows:

18. after defining custom elements, you must create a code group to specify when the CLR applies the permission set.
    

    important information: by default, the allcode code group is the firstmatchcodegroup in the ASP. NET policy file. Therefore, after a code group conforms to the preferred code group, CLR stops specifying permissions for the Assembly. To apply custom permissions, you must declare a code group used to specify custom permissions for the Assembly as the preferred code group in the allcode group. This ensures that CLR specifies the mycustompermissions permission set and that CLR stops the specified permission, it does not continue until the default $ appdirurl $/* code group (this code group is used to specify permissions based on whether the Assembly is in the bin directory ).

    In the following example, the membership condition of the new code group is based on a strictly named member identity:

    Note: to retrieve the Public Key blob of an assembly, use the secutil.exe tool as follows:

     secutil.exe-hex-s myassemblyname. dll 

    for more information about secutil.exe, see secutil tool.

20. Save and close the file. Now you can use the policy file.
22. Open the Web. config file of the virtual server that uses Windows SharePoint Services extension, and add the following <trustlevel> flagSecurityPolicyElement:

    <Trustlevel name = "mycustomtrustlevel" policyfile ="New_file_name. Config "/>

    In the Web. config file, change the <trust> tag so that it references the newly defined trust level.

    <Trust level = "mycustomtrustlevel" originurl = ""/>

24. Save and close the Web. config file.
26. You can use iisreset to reset IIS and apply the custom policy to the specified virtual server.

What if there is no strictly named assembly? How do I change the code group?

You can specify the membership conditions for a code group in multiple ways. AvailableUrlmembershipconditionTo specify conditions, as shown below:

 
<Codegroup class = "unioncodegroup" version = "1" permissionsetname = "mycustompermissions"> <imembershipcondition class = "inline" version = "1" url = "$ appdirurl $/bin/myassemblyname. DLL "/> </codegroup>
 

My assembly references the library assembly. When the Assembly is installed in GAC, everything works normally, but once it is installed in the bin directory, an error occurs. What's going on?

If you have granted the required permissions to the Assembly, the cause of the Assembly failure may be related to the build method of the library assembly. By default, strictly-named assemblies can only be called by programs that are granted full trust permissions. Therefore, CLR will prevent some trusted assembly from calling an assembly that can only be called by fully trusted programs.

You can select one of the following feasible solutions:

1. When compiling a dataset, you can add the allowpartiallytrustedcallersattribute attribute to the specified library dataset.

   Important information:You can only add this attributeSource code. If a third-party assembly is used and the source code is not authorized, you cannot select this method. If you select this method, some trusted programs are allowed to execute code in the library. This poses a potential security risk because it allows other programs with partially trusted permissions to use the specified library.

2. You can assign full trust to an assembly by installing it in GAC.
   

   Important information:All virtual servers and applications running Windows SharePoint Services can use the Assembly installed in GAC. This poses a potential security risk because it grants a higher level of permissions than required for a large number of assemblies.

3. As described in the previous section, you can grant the Assembly full trust permission by creating a custom policy file.
   

   Important information:We recommend that you select this method because you can explicitly grant the required minimum permission level to the Assembly without expanding the access scope or granting access permissions to more programs.

I tried to use web parts to access web services. However, the following security exceptions occur each time:

 
Failed to request system. net. webpermission, system, version = 1.0.5000.0, culture = neutral, publickeytoken = b77a5c561934e089.
 

By default, the assembly in the bin directory does not have the required permission system. net. webpermission to access the Web service. To grant this permission, you must add the following content to the corresponding policy file:IpermissionElement:

 
<Ipermission class = "webpermission" version = "1"> <connectaccess> <URI uri = "... URI in the regular expression format... "/> </connectaccess> </ipermission>
 

I want to access web services through Web components. However, the following invalidoperationexception occurs every time:

 
One or more assemblies referenced by xmlserializer cannot be called by some trusted code.
 

When you create a reference pointing to a web service, Microsoft Visual Studio. Net creates and places one or more objects in the dataset to store the parameter data passed to the method in the Web service. When one or more methods in the Web service are calledXmlserializerClass to serialize these objects. By default, if an assembly is named strictly and installed in the bin directory, programs with partial trust permissions cannot access the objects in the Assembly. When you call a web service method,XmlserializerProgram calls with partial trust permissions will be detected.Callstack(Assembly), and will prevent serialization, even if the object is located in the same assembly.

You can select one of the following feasible solutions:

1. You can add the allowpartiallytrustedcallersattribute attribute to the specified library assembly.

   Important information:You can only add this attribute to the source code. If a third-party assembly is used and the source code is not authorized, you cannot select this method. If you select this method, some trusted programs are allowed to execute code in the library. This poses a potential security risk because it allows other programs with partially trusted permissions to use the specified library.

2. You can assign full trust to an assembly by installing it in GAC.
   

   Important information:All virtual servers and applications running Windows SharePoint Services can use the Assembly installed in GAC. This poses a potential security risk because it grants a higher level of permissions than required for a large number of assemblies.

3. As described in the previous section, you can grant the Assembly full trust permission by creating a custom policy file.
   

   Important information:We recommend that you select this method because you can explicitly grant the required minimum permission level to the Assembly without expanding the access scope or granting access permissions to more programs.

Where can I find detailed information about code access security?

For more information about code access security, see the following:

• Introduction to code access security
• Allowpartiallytrustedcallersattribute
• Security Optimizations
• Code Access Permissions

Summary

Windows SharePoint Services uses custom ASP. NET policies and grants partial or full trust permissions to the Assembly as needed. When you use Windows SharePoint Services to create a custom security policy to ensure a safer environment for running a custom assembly, developers and administrators can use the existing ASP. net and code access security knowledge.