Code Access Security in SharePoint
Code access security (CAS) is a mechanism that limits what code is allowed to do, in order to protect resources and operations. Out of the box, SharePoint defines two trust levels, “WSS_Medium” and “WSS_Minimal”:
<securityPolicy>
  <trustLevel name="WSS_Medium" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_mediumtrust.config" />
  <trustLevel name="WSS_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_minimaltrust.config" />
</securityPolicy>
By default SharePoint runs at “WSS_Minimal”, which is set in the web.config file:
<trust level="WSS_Minimal" originUrl="" />
If you don't want to grant your assembly “Full” trust (because it would then get full access to your resources), do the following:
1) Check which permissions your assembly actually requires with the Permission Calculator tool (Permcalc.exe).
2) Design the custom policy file (see “Microsoft Windows SharePoint Services and Code Access Security”). SharePoint provides two security permission classes of its own:
   a) Microsoft.SharePoint.Security.SharePointPermission
   b) Microsoft.SharePoint.Security.WebPartPermission
3) Copy the custom policy file to “C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\CONFIG\wss_custom_wss_minimaltrust.config”. The file used here looks like this:
<configuration>
  <mscorlib>
    <security>
      <policy>
        <PolicyLevel version="1">
          <SecurityClasses>
            <SecurityClass Name="AllMembershipCondition" Description="System.Security.Policy.AllMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="AspNetHostingPermission" Description="System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="ConfigurationPermission" Description="System.Configuration.ConfigurationPermission, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
            <SecurityClass Name="DnsPermission" Description="System.Net.DnsPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="EnvironmentPermission" Description="System.Security.Permissions.EnvironmentPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="FileIOPermission" Description="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="FirstMatchCodeGroup" Description="System.Security.Policy.FirstMatchCodeGroup, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="IsolatedStorageFilePermission" Description="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="NamedPermissionSet" Description="System.Security.NamedPermissionSet"/>
            <SecurityClass Name="PrintingPermission" Description="System.Drawing.Printing.PrintingPermission, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
            <SecurityClass Name="ReflectionPermission" Description="System.Security.Permissions.ReflectionPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="RegistryPermission" Description="System.Security.Permissions.RegistryPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="SecurityPermission" Description="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="SmtpPermission" Description="System.Net.Mail.SmtpPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="SocketPermission" Description="System.Net.SocketPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="SqlClientPermission" Description="System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="StrongNameMembershipCondition" Description="System.Security.Policy.StrongNameMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="UnionCodeGroup" Description="System.Security.Policy.UnionCodeGroup, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="UrlMembershipCondition" Description="System.Security.Policy.UrlMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="WebPermission" Description="System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="ZoneMembershipCondition" Description="System.Security.Policy.ZoneMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="SharePointPermission" Description="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"/>
            <SecurityClass Name="WebPartPermission" Description="Microsoft.SharePoint.Security.WebPartPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"/>
            <!-- Added: the permission set below uses these classes, but the file as originally posted never declared them.
                 The short "class" names in IPermission elements are resolved through this table, so every class used must appear here.
                 Type and assembly names are the standard .NET 2.0 ones. -->
            <SecurityClass Name="FileDialogPermission" Description="System.Security.Permissions.FileDialogPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="UIPermission" Description="System.Security.Permissions.UIPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="KeyContainerPermission" Description="System.Security.Permissions.KeyContainerPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="EventLogPermission" Description="System.Diagnostics.EventLogPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="StorePermission" Description="System.Security.Permissions.StorePermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="PerformanceCounterPermission" Description="System.Diagnostics.PerformanceCounterPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="OleDbPermission" Description="System.Data.OleDb.OleDbPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
            <SecurityClass Name="DataProtectionPermission" Description="System.Security.Permissions.DataProtectionPermission, System.Security, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
          </SecurityClasses>
          <NamedPermissionSets>
            <!-- Note: almost every permission in this set is Unrestricted, which is close to full trust in practice.
                 Narrow the attributes to what Permcalc reported (compare the SPRestricted set below). -->
            <PermissionSet class="NamedPermissionSet" version="1" Description="Permissions for IBM FileNet Web Parts" Name="fnspwebparts.wsp-ab39a08f-52d9-49c7-a608-f797f52fafb6-1">
              <IPermission class="EnvironmentPermission" version="1" Unrestricted="true"/>
              <IPermission class="FileDialogPermission" version="1" Unrestricted="true"/>
              <IPermission class="FileIOPermission" version="1" Unrestricted="true"/>
              <IPermission class="IsolatedStorageFilePermission" version="1" Unrestricted="true"/>
              <IPermission class="ReflectionPermission" version="1" Unrestricted="true"/>
              <IPermission class="RegistryPermission" version="1" Unrestricted="true"/>
              <IPermission class="SecurityPermission" version="1" Unrestricted="true"/>
              <IPermission class="UIPermission" version="1" Unrestricted="true"/>
              <IPermission class="KeyContainerPermission" version="1" Unrestricted="true"/>
              <!-- DnsPermission appeared twice in the original set; the redundant second entry was dropped. -->
              <IPermission class="DnsPermission" version="1" Unrestricted="true"/>
              <IPermission class="PrintingPermission" version="1" Unrestricted="true"/>
              <IPermission class="SocketPermission" version="1" Unrestricted="true"/>
              <IPermission class="WebPermission" version="1" Unrestricted="true"/>
              <IPermission class="EventLogPermission" version="1" Unrestricted="true"/>
              <IPermission class="StorePermission" version="1" Unrestricted="true"/>
              <IPermission class="PerformanceCounterPermission" version="1" Unrestricted="true"/>
              <IPermission class="OleDbPermission" version="1" Unrestricted="true"/>
              <IPermission class="SqlClientPermission" version="1" Unrestricted="true"/>
              <IPermission class="DataProtectionPermission" version="1" Unrestricted="true"/>
              <IPermission class="AspNetHostingPermission" version="1" Level="Medium"/>
              <IPermission class="WebPartPermission" version="1" Connections="True" Unrestricted="True"/>
              <IPermission class="SharePointPermission" version="1" ObjectModel="True" Unrestricted="True"/>
            </PermissionSet>
            <PermissionSet class="NamedPermissionSet" version="1" Unrestricted="true" Name="FullTrust" Description="Allows full access to all resources"/>
            <PermissionSet class="NamedPermissionSet" version="1" Name="Nothing" Description="Denies all resources, including the right to execute"/>
            <PermissionSet class="NamedPermissionSet" version="1" Name="SPRestricted">
              <IPermission class="AspNetHostingPermission" version="1" Level="Medium"/>
              <IPermission class="DnsPermission" version="1" Unrestricted="true"/>
              <IPermission class="EnvironmentPermission" version="1" Read="TEMP;TMP;USERNAME;OS;COMPUTERNAME"/>
              <IPermission class="FileIOPermission" version="1" Read="$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$"/>
              <IPermission class="IsolatedStorageFilePermission" version="1" Allowed="AssemblyIsolationByUser" UserQuota="9223372036854775807"/>
              <IPermission class="PrintingPermission" version="1" Level="DefaultPrinting"/>
              <IPermission class="SecurityPermission" version="1" Flags="Assertion, Execution, ControlThread, ControlPrincipal, RemotingConfiguration"/>
              <IPermission class="SharePointPermission" version="1" ObjectModel="True"/>
              <IPermission class="SmtpPermission" version="1" Access="Connect"/>
              <IPermission class="SqlClientPermission" version="1" Unrestricted="true"/>
              <IPermission class="WebPartPermission" version="1" Connections="True"/>
              <IPermission class="WebPermission" version="1">
                <ConnectAccess>
                  <URI uri="$OriginHost$"/>
                </ConnectAccess>
              </IPermission>
            </PermissionSet>
          </NamedPermissionSets>
          <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
            <IMembershipCondition class="AllMembershipCondition" version="1"/>
            <!-- Assemblies signed with this strong name get the custom set; the first matching child group wins. -->
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="fnspwebparts.wsp-ab39a08f-52d9-49c7-a608-f797f52fafb6-1">
              <IMembershipCondition version="1" class="StrongNameMembershipCondition" PublicKeyBlob="00240000048000009400000006020000002400005253413100040000010001009f190b7fe605e7f7ed48417c133425cdd523804bb7c3a7dc12f7dc97ebc1fc804a54d14e30a647e8341b32afcd08adb85d9c23df869bc50ab0d77c8dcbbd4db760f0b6fa69eb2ec6e615d37bfcc2e661e750f378a757de3bbf1cdf6b22ddf4e1a62dae6d2d45d3e2213cc04d65ae7a1f4746fed02248293265be01f7d43dd7c5"/>
            </CodeGroup>
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
              <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/_app_bin/*"/>
            </CodeGroup>
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="SPRestricted">
              <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/*"/>
            </CodeGroup>
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
              <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$CodeGen$/*"/>
            </CodeGroup>
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="Nothing">
              <IMembershipCondition class="ZoneMembershipCondition" version="1" Zone="MyComputer"/>
              <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="Microsoft_Strong_Name" Description="This code group grants code signed with the Microsoft strong name full trust. ">
                <IMembershipCondition class="StrongNameMembershipCondition" version="1" PublicKeyBlob="002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293"/>
              </CodeGroup>
              <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="Ecma_Strong_Name" Description="This code group grants code signed with the ECMA strong name full trust. ">
                <IMembershipCondition class="StrongNameMembershipCondition" version="1" PublicKeyBlob="00000000000000000400000000000000"/>
              </CodeGroup>
            </CodeGroup>
          </CodeGroup>
        </PolicyLevel>
      </policy>
    </security>
  </mscorlib>
</configuration>
Here is a glimpse of the permission types that may help you design the file. Each is shown with Unrestricted="true" for reference only; in a real policy, replace that with the specific attributes (paths, flags, hosts) your assembly needs, as the SPRestricted set above does:
<IPermission class="EnvironmentPermission" version="1" Unrestricted="true"/>
<IPermission class="FileDialogPermission" version="1" Unrestricted="true"/>
<IPermission class="FileIOPermission" version="1" Unrestricted="true"/>
<IPermission class="IsolatedStorageFilePermission" version="1" Unrestricted="true"/>
<IPermission class="ReflectionPermission" version="1" Unrestricted="true"/>
<IPermission class="RegistryPermission" version="1" Unrestricted="true"/>
<IPermission class="SecurityPermission" version="1" Unrestricted="true"/>
<IPermission class="UIPermission" version="1" Unrestricted="true"/>
<IPermission class="KeyContainerPermission" version="1" Unrestricted="true"/>
<IPermission class="DnsPermission" version="1" Unrestricted="true"/>
<IPermission class="PrintingPermission" version="1" Unrestricted="true"/>
<IPermission class="SocketPermission" version="1" Unrestricted="true"/>
<IPermission class="WebPermission" version="1" Unrestricted="true"/>
<IPermission class="EventLogPermission" version="1" Unrestricted="true"/>
<IPermission class="StorePermission" version="1" Unrestricted="true"/>
<IPermission class="PerformanceCounterPermission" version="1" Unrestricted="true"/>
<IPermission class="OleDbPermission" version="1" Unrestricted="true"/>
<IPermission class="SqlClientPermission" version="1" Unrestricted="true"/>
<IPermission class="DataProtectionPermission" version="1" Unrestricted="true"/>
<IPermission class="AspNetHostingPermission" version="1" Level="Medium"/>
<IPermission class="WebPartPermission" version="1" Connections="True" Unrestricted="True"/>
<IPermission class="SharePointPermission" version="1" ObjectModel="True" Unrestricted="True"/>
And articles:-
4) Modify your web.config file so that the securityPolicy section registers the new trust level:
<securityPolicy>
  <trustLevel name="WSS_Medium" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_mediumtrust.config" />
  <trustLevel name="WSS_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_minimaltrust.config" />
  <trustLevel name="WSS_Custom" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_custom_wss_minimaltrust.config" />
</securityPolicy>
5) Change the level attribute of the trust element to your custom trust level name:
<trust level="WSS_Custom" originUrl="" />
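Before pointing web.config at a custom policy file, it pays to lint it. The following Python script is an added example (not part of the original post and not a SharePoint tool): it checks that every IPermission class used by a named permission set is declared in SecurityClasses, lists what each set grants unrestricted so it can be narrowed to what Permcalc reported, and shows which membership condition binds code to which set. The embedded policy is a constructed sample modelled on the file above, with a placeholder strong-name blob, not the real file.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of wss_custom_wss_minimaltrust.config (not the real file).
# "EventLogPermission" is used by a set but deliberately left out of <SecurityClasses>.
SAMPLE_POLICY = """<configuration><mscorlib><security><policy><PolicyLevel version="1">
<SecurityClasses>
 <SecurityClass Name="NamedPermissionSet" Description="System.Security.NamedPermissionSet"/>
 <SecurityClass Name="FileIOPermission" Description="System.Security.Permissions.FileIOPermission, mscorlib"/>
 <SecurityClass Name="SharePointPermission" Description="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security"/>
 <SecurityClass Name="StrongNameMembershipCondition" Description="System.Security.Policy.StrongNameMembershipCondition, mscorlib"/>
 <SecurityClass Name="UrlMembershipCondition" Description="System.Security.Policy.UrlMembershipCondition, mscorlib"/>
</SecurityClasses>
<NamedPermissionSets>
 <PermissionSet class="NamedPermissionSet" version="1" Name="MyWebParts">
  <IPermission class="FileIOPermission" version="1" Read="$AppDir$" PathDiscovery="$AppDir$"/>
  <IPermission class="SharePointPermission" version="1" ObjectModel="True"/>
  <IPermission class="EventLogPermission" version="1" Unrestricted="true"/>
 </PermissionSet>
 <PermissionSet class="NamedPermissionSet" version="1" Unrestricted="true" Name="FullTrust"/>
</NamedPermissionSets>
<CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
 <IMembershipCondition class="AllMembershipCondition" version="1"/>
 <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="MyWebParts">
  <IMembershipCondition class="StrongNameMembershipCondition" version="1" PublicKeyBlob="0024000004800000PLACEHOLDER"/>
 </CodeGroup>
 <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
  <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/_app_bin/*"/>
 </CodeGroup>
</CodeGroup>
</PolicyLevel></policy></security></mscorlib></configuration>"""


def lint_policy(xml_text):
    """Report undeclared permission classes, unrestricted grants ('*' = whole set) and (set, condition, key) bindings."""
    level = ET.fromstring(xml_text).find("./mscorlib/security/policy/PolicyLevel")
    declared = {sc.get("Name") for sc in level.iter("SecurityClass")}
    report = {"undeclared": {}, "unrestricted": {}, "bindings": []}
    for ps in level.find("NamedPermissionSets"):
        name, perms = ps.get("Name"), ps.findall("IPermission")
        missing = sorted({p.get("class") for p in perms} - declared)  # short names resolve via SecurityClasses
        if missing:
            report["undeclared"][name] = missing
        wide = (["*"] if ps.get("Unrestricted", "").lower() == "true" else
                sorted(p.get("class") for p in perms if p.get("Unrestricted", "").lower() == "true"))
        if wide:
            report["unrestricted"][name] = wide
    for cg in level.iter("CodeGroup"):  # document order, nested groups included
        cond = cg.find("IMembershipCondition")
        key = cond.get("Url") or cond.get("PublicKeyBlob") or cond.get("Zone") or "*"
        report["bindings"].append((cg.get("PermissionSetName"), cond.get("class"), key))
    return report
```

Run it against the real file with `lint_policy(open(path).read())`; an entry under "undeclared" means the policy references a class the CLR cannot resolve by short name, and a long "unrestricted" list means the set is effectively full trust in disguise.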
Comments
- Anonymous
August 12, 2010
What total IPermission classes equate to a FullTrust permission? I tried using your total list and set all to unrestricted, but the feature that was deployed still receives a "Request Failed" error. The feature is attempting to import a CSV file into SP. I've tried using PermCalc and added those classes, but still no luck. If I set it to FullTrust it works.