CAS in SharePoint

Here i'm going to explain about using Code Access Security (CAS) policy configuration for locking down a webpart that make a "this.Page.LoadControl()" call to load a user control.

Ø First create a custom web part, in the CreateChildControls() method load a custom user control like

Control control = this.Page.LoadControl("~/usercontrols/MyUserControl.ascx");

Ø Then you copy the two DLLs (TestUserControl.dll and TestWebPart.dll) to the bin (e.g. ..\Inetpub\wwwroot\wss\VirtualDirectories\80\bin).

Ø Now copy the ASCX (TestUserControl.ascx) to the usercontrols directory (e.g. ..\Inetpub\wwwroot\wss\VirtualDirectories\80\usercontrols)

Ø In order to use these controls in our SharePoint site, we need to add appropriate SafeControl entries to the web.config, for these 2 dlls.

Ø Make sure the trust level in the web.config is set to "Full" & save.

Ø In SharePoint go into Site Settings, click on "Web Parts" under "Galleries", click "New" and add the web part to the gallery (e.g. MyWebPart). Edit a page and add the web part. The web part will work as expected !! But remember this uses Full trust policy J

Using Custom CAS Configuration :

Ø Now let’s add our own Configuration file in the 12 hive CONFIG folder. The easiest way is to make a copy of the any of the existing config file, say wss_minimal_trust.config policy file and rename it to custom_trust.config.

a. In the new policy file add the <SecurityClass> declarations under <SecurityClasses>

 

        <SecurityClass Name="SharePointPermission" Description="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"/>

 

        b. make a copy of the <PermissionSet> with the name "SPRestricted", setting the name for the copy to "SPRestrictedCustom"

 

        c. add the following <IPermission> declaration to the new SPRestrictedCustom <PermissionSet>

 

<IPermission class="SharePointPermission"

                       version="1"

                        ObjectModel="True"/> 

      d. add <CodeGroup> declarations for the user control assembly and the web part assembly.:

 

                                                <CodeGroup

                                class="UnionCodeGroup"

                                version="1"

                                PermissionSetName=" SPRestrictedCustom ">

                             <IMembershipCondition

                                    class="StrongNameMembershipCondition"

                                    version="1"

                                    PublicKeyBlob="0024.."

                                    Name="MyUserControl"/>

                        </CodeGroup>

                        <CodeGroup

                                class="UnionCodeGroup"

                                version="1"

                                PermissionSetName=" SPRestrictedCustom ">

                             <IMembershipCondition

                                    class="StrongNameMembershipCondition"

                                    version="1"

                                    PublicKeyBlob="0024…"

                                    Name="MyWebPart"/>

               </CodeGroup>

Ø Modify the web.config for the web application as follows:

 

        a. Add the following <trustLevel> under <system.web><securityPolicy>

 

            <trustLevel name="WSS_Custom" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\custom_trust.config" />

        b. Change the trust level from "Full" to " WSS_Custom"

 

Ø Now try the web part again, and you will end up with this error

 

The file '/usercontrols/MyUserControl.ascx' does not exist. - StackTrace: at System.Web.UI.Util.CheckVirtualFileExists(VirtualPath virtualPath) at System.Web.Compilation.BuildManager.GetVPathBuildResultInternal(VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile) at System.Web.Compilation.BuildManager.GetVPathBuildResultWithNoAssert(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile) at System.Web.UI.TemplateControl.LoadControl(VirtualPath virtualPath) at System.Web.UI.TemplateControl.LoadControl(String virtualPath) at TestWebPart.TestWebPart.CreateChildControls()

So where does the problem lie ?

     

      Does the error message mean the file MyUserControl doesn’t exist or is the error message misleading us ? The file does exist in the usercontrols folder. Could the error message be because of security exception ? Possibly could be !

            Let’s first make sure that the minimum permission that is required for some of the assemblies is granted. This can be done using Minimum Grant Set Determination tool, PermCalc.exe (http://msdn.microsoft.com/en-us/library/ms165077(VS.80).aspx ). Run this tool with the “-Sandbox” flag and here’s the output we get:

<?xml version="1.0"?>

<Sandbox>

  <PermissionSet version="1" class="System.Security.PermissionSet" Unrestricted="true" />

</Sandbox>

So, this means that we need to have full permission on this class (System.Security.PermissionSet). In our config file we have,

<SecurityClass Name="NamedPermissionSet" Description="System.Security.NamedPermissionSet"/>

Inheritance Hierarchy

> System.Object
> System.Security.PermissionSet
> System.Security.NamedPermissionSet

Hence, in our custom Permission Set named SPRestrictedCustom, add unrestricted=”true”, because its pointing to the class "NamedPermissionSet"

<PermissionSet

                 class="NamedPermissionSet"

                 version="1"

                 Name=" SPRestrictedCustom"

     Unrestricted="true">

            Now, run the SharePoint application with the web part and it should work as expected without any error.

           Reference MSDN Article : http://msdn.microsoft.com/en-us/library/aa302425.aspx