Code Access Security in SharePoint

Code access security (CAS) is a mechanism that restricts what code is allowed to do in order to protect resources and operations. SharePoint ships with two trust levels, “WSS_Medium” and “WSS_Minimal”:

    <securityPolicy>
      <trustLevel name="WSS_Medium" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_mediumtrust.config" />
      <trustLevel name="WSS_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_minimaltrust.config" />
    </securityPolicy>

By default, the web.config file of a SharePoint web application sets the trust level to “WSS_Minimal”:

    <trust level="WSS_Minimal" originUrl="" />

If you don't want to give your assembly “Full” trust (because it would then get full access to all of your resources), define a custom trust level instead. The steps are:

1) Check the permissions your assembly actually requires using the Permission Calculator tool (Permcalc.exe).

2) Design the custom policy file (see [Microsoft Windows SharePoint Services and Code Access Security]). SharePoint provides two security permission classes of its own:-

    1) Microsoft.SharePoint.Security.SharePointPermission

    2) Microsoft.SharePoint.Security.WebPartPermission

3) Copy the file to “C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\CONFIG\wss_custom_wss_minimaltrust.config”. The example below is wss_minimaltrust.config extended with a named permission set and a code group for a strong-named assembly:

    <configuration>
      <mscorlib>
        <security>
          <policy>
            <PolicyLevel version="1">
              <SecurityClasses>
                <SecurityClass Name="AllMembershipCondition" Description="System.Security.Policy.AllMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="AspNetHostingPermission" Description="System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="ConfigurationPermission" Description="System.Configuration.ConfigurationPermission, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
                <SecurityClass Name="DnsPermission" Description="System.Net.DnsPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="EnvironmentPermission" Description="System.Security.Permissions.EnvironmentPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="FileIOPermission" Description="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="FirstMatchCodeGroup" Description="System.Security.Policy.FirstMatchCodeGroup, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="IsolatedStorageFilePermission" Description="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="NamedPermissionSet" Description="System.Security.NamedPermissionSet"/>
                <SecurityClass Name="PrintingPermission" Description="System.Drawing.Printing.PrintingPermission, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
                <SecurityClass Name="ReflectionPermission" Description="System.Security.Permissions.ReflectionPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="RegistryPermission" Description="System.Security.Permissions.RegistryPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="SecurityPermission" Description="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="SmtpPermission" Description="System.Net.Mail.SmtpPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="SocketPermission" Description="System.Net.SocketPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="SqlClientPermission" Description="System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="StrongNameMembershipCondition" Description="System.Security.Policy.StrongNameMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="UnionCodeGroup" Description="System.Security.Policy.UnionCodeGroup, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="UrlMembershipCondition" Description="System.Security.Policy.UrlMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="WebPermission" Description="System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="ZoneMembershipCondition" Description="System.Security.Policy.ZoneMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="SharePointPermission" Description="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"/>
                <SecurityClass Name="WebPartPermission" Description="Microsoft.SharePoint.Security.WebPartPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"/>
                <!-- Added declarations: every short class name used in an IPermission below must be mapped here, otherwise the loader cannot resolve it to a type -->
                <SecurityClass Name="FileDialogPermission" Description="System.Security.Permissions.FileDialogPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="UIPermission" Description="System.Security.Permissions.UIPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="KeyContainerPermission" Description="System.Security.Permissions.KeyContainerPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="EventLogPermission" Description="System.Diagnostics.EventLogPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="StorePermission" Description="System.Security.Permissions.StorePermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="PerformanceCounterPermission" Description="System.Diagnostics.PerformanceCounterPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="OleDbPermission" Description="System.Data.OleDb.OleDbPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                <SecurityClass Name="DataProtectionPermission" Description="System.Security.Permissions.DataProtectionPermission, System.Security, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
              </SecurityClasses>
              <NamedPermissionSets>
                <!-- Custom set for the web part assembly. Nearly every permission here is Unrestricted, so for the matching
                     strong name this set is close to FullTrust; trim it to what Permcalc reported in step 1 -->
                <PermissionSet class="NamedPermissionSet" version="1" Description="Permissions for IBM FileNet Web Parts" Name="fnspwebparts.wsp-ab39a08f-52d9-49c7-a608-f797f52fafb6-1">
                  <IPermission class="EnvironmentPermission" version="1" Unrestricted="true"/>
                  <IPermission class="FileDialogPermission" version="1" Unrestricted="true"/>
                  <IPermission class="FileIOPermission" version="1" Unrestricted="true"/>
                  <IPermission class="IsolatedStorageFilePermission" version="1" Unrestricted="true"/>
                  <IPermission class="ReflectionPermission" version="1" Unrestricted="true"/>
                  <IPermission class="RegistryPermission" version="1" Unrestricted="true"/>
                  <IPermission class="SecurityPermission" version="1" Unrestricted="true"/>
                  <IPermission class="UIPermission" version="1" Unrestricted="true"/>
                  <IPermission class="KeyContainerPermission" version="1" Unrestricted="true"/>
                  <IPermission class="DnsPermission" version="1" Unrestricted="true"/>
                  <IPermission class="PrintingPermission" version="1" Unrestricted="true"/>
                  <IPermission class="SocketPermission" version="1" Unrestricted="true"/>
                  <IPermission class="WebPermission" version="1" Unrestricted="true"/>
                  <IPermission class="EventLogPermission" version="1" Unrestricted="true"/>
                  <IPermission class="StorePermission" version="1" Unrestricted="true"/>
                  <IPermission class="PerformanceCounterPermission" version="1" Unrestricted="true"/>
                  <IPermission class="OleDbPermission" version="1" Unrestricted="true"/>
                  <IPermission class="SqlClientPermission" version="1" Unrestricted="true"/>
                  <IPermission class="DataProtectionPermission" version="1" Unrestricted="true"/>
                  <IPermission class="AspNetHostingPermission" version="1" Level="Medium"/>
                  <IPermission class="WebPartPermission" version="1" Connections="True" Unrestricted="True"/>
                  <IPermission class="SharePointPermission" version="1" ObjectModel="True" Unrestricted="True"/>
                </PermissionSet>
                <PermissionSet class="NamedPermissionSet" version="1" Unrestricted="true" Name="FullTrust" Description="Allows full access to all resources"/>
                <PermissionSet class="NamedPermissionSet" version="1" Name="Nothing" Description="Denies all resources, including the right to execute"/>
                <PermissionSet class="NamedPermissionSet" version="1" Name="SPRestricted">
                  <IPermission class="AspNetHostingPermission" version="1" Level="Medium"/>
                  <IPermission class="DnsPermission" version="1" Unrestricted="true"/>
                  <IPermission class="EnvironmentPermission" version="1" Read="TEMP;TMP;USERNAME;OS;COMPUTERNAME"/>
                  <IPermission class="FileIOPermission" version="1" Read="$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$"/>
                  <IPermission class="IsolatedStorageFilePermission" version="1" Allowed="AssemblyIsolationByUser" UserQuota="9223372036854775807"/>
                  <IPermission class="PrintingPermission" version="1" Level="DefaultPrinting"/>
                  <IPermission class="SecurityPermission" version="1" Flags="Assertion, Execution, ControlThread, ControlPrincipal, RemotingConfiguration"/>
                  <IPermission class="SharePointPermission" version="1" ObjectModel="True"/>
                  <IPermission class="SmtpPermission" version="1" Access="Connect"/>
                  <IPermission class="SqlClientPermission" version="1" Unrestricted="true"/>
                  <IPermission class="WebPartPermission" version="1" Connections="True"/>
                  <IPermission class="WebPermission" version="1">
                    <ConnectAccess>
                      <URI uri="$OriginHost$"/>
                    </ConnectAccess>
                  </IPermission>
                </PermissionSet>
              </NamedPermissionSets>
              <!-- FirstMatchCodeGroup: the first child whose membership condition matches wins, so the
                   strong-name group for the custom assembly is listed before the URL-based groups -->
              <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
                <IMembershipCondition class="AllMembershipCondition" version="1"/>
                <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="fnspwebparts.wsp-ab39a08f-52d9-49c7-a608-f797f52fafb6-1">
                  <IMembershipCondition version="1" class="StrongNameMembershipCondition" PublicKeyBlob="00240000048000009400000006020000002400005253413100040000010001009f190b7fe605e7f7ed48417c133425cdd523804bb7c3a7dc12f7dc97ebc1fc804a54d14e30a647e8341b32afcd08adb85d9c23df869bc50ab0d77c8dcbbd4db760f0b6fa69eb2ec6e615d37bfcc2e661e750f378a757de3bbf1cdf6b22ddf4e1a62dae6d2d45d3e2213cc04d65ae7a1f4746fed02248293265be01f7d43dd7c5"/>
                </CodeGroup>
                <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
                  <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/_app_bin/*"/>
                </CodeGroup>
                <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="SPRestricted">
                  <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/*"/>
                </CodeGroup>
                <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
                  <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$CodeGen$/*"/>
                </CodeGroup>
                <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="Nothing">
                  <IMembershipCondition class="ZoneMembershipCondition" version="1" Zone="MyComputer"/>
                  <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="Microsoft_Strong_Name" Description="This code group grants code signed with the Microsoft strong name full trust. ">
                    <IMembershipCondition class="StrongNameMembershipCondition" version="1" PublicKeyBlob="002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293"/>
                  </CodeGroup>
                  <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="Ecma_Strong_Name" Description="This code group grants code signed with the ECMA strong name full trust. ">
                    <IMembershipCondition class="StrongNameMembershipCondition" version="1" PublicKeyBlob="00000000000000000400000000000000"/>
                  </CodeGroup>
                </CodeGroup>
              </CodeGroup>
            </PolicyLevel>
          </policy>
        </security>
      </mscorlib>
    </configuration>

Here is a glimpse of the permission types that may help when designing the file (each shown in its Unrestricted form; restrict them as far as your assembly allows):-

    <IPermission class="EnvironmentPermission" version="1" Unrestricted="true"/>
    <IPermission class="FileDialogPermission" version="1" Unrestricted="true"/>
    <IPermission class="FileIOPermission" version="1" Unrestricted="true"/>
    <IPermission class="IsolatedStorageFilePermission" version="1" Unrestricted="true"/>
    <IPermission class="ReflectionPermission" version="1" Unrestricted="true"/>
    <IPermission class="RegistryPermission" version="1" Unrestricted="true"/>
    <IPermission class="SecurityPermission" version="1" Unrestricted="true"/>
    <IPermission class="UIPermission" version="1" Unrestricted="true"/>
    <IPermission class="KeyContainerPermission" version="1" Unrestricted="true"/>
    <IPermission class="DnsPermission" version="1" Unrestricted="true"/>
    <IPermission class="PrintingPermission" version="1" Unrestricted="true"/>
    <IPermission class="SocketPermission" version="1" Unrestricted="true"/>
    <IPermission class="WebPermission" version="1" Unrestricted="true"/>
    <IPermission class="EventLogPermission" version="1" Unrestricted="true"/>
    <IPermission class="StorePermission" version="1" Unrestricted="true"/>
    <IPermission class="PerformanceCounterPermission" version="1" Unrestricted="true"/>
    <IPermission class="OleDbPermission" version="1" Unrestricted="true"/>
    <IPermission class="SqlClientPermission" version="1" Unrestricted="true"/>
    <IPermission class="DataProtectionPermission" version="1" Unrestricted="true"/>
    <IPermission class="AspNetHostingPermission" version="1" Level="Medium"/>
    <IPermission class="DnsPermission" version="1" Unrestricted="True"/>
    <IPermission class="WebPartPermission" version="1" Connections="True" Unrestricted="True"/>
    <IPermission class="SharePointPermission" version="1" ObjectModel="True" Unrestricted="True"/>

And the following articles:-

1) How to demand permissions by using Code Access Security

2) ASP.NET Code Access Security

4) Modify your web.config file so that the securityPolicy section registers the custom trust level and looks like this:-

    <securityPolicy>
      <trustLevel name="WSS_Medium" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_mediumtrust.config" />
      <trustLevel name="WSS_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_minimaltrust.config" />
      <trustLevel name="WSS_Custom" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_custom_wss_minimaltrust.config" />
    </securityPolicy>

5) Set the level attribute of the trust element to your custom trust level name:

    <trust level="WSS_Custom" originUrl="" />
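As an added example that is not part of the original post, the following Python script audits a custom policy file of the shape shown in step 3 before web.config is pointed at it: it reports IPermission classes that a permission set references without a matching SecurityClass declaration (the loader resolves the short class name through that table, so such a permission is never granted as written), and it lists permission sets that are FullTrust in all but name because every permission in them is Unrestricted. The POLICY string is a constructed, cut-down policy and the set names MyWebPart and TooBroad are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not the page's file): one set that references an
# undeclared class and one set whose permissions are all Unrestricted.
POLICY = """<configuration><mscorlib><security><policy><PolicyLevel version="1">
 <SecurityClasses>
  <SecurityClass Name="NamedPermissionSet" Description="System.Security.NamedPermissionSet"/>
  <SecurityClass Name="FileIOPermission" Description="System.Security.Permissions.FileIOPermission, mscorlib"/>
  <SecurityClass Name="SharePointPermission" Description="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security"/>
 </SecurityClasses>
 <NamedPermissionSets>
  <PermissionSet class="NamedPermissionSet" version="1" Name="FullTrust" Unrestricted="true"/>
  <PermissionSet class="NamedPermissionSet" version="1" Name="MyWebPart">
   <IPermission class="FileIOPermission" version="1" Read="$AppDir$"/>
   <IPermission class="SharePointPermission" version="1" ObjectModel="True"/>
   <IPermission class="FileDialogPermission" version="1" Unrestricted="true"/>
  </PermissionSet>
  <PermissionSet class="NamedPermissionSet" version="1" Name="TooBroad">
   <IPermission class="FileIOPermission" version="1" Unrestricted="true"/>
   <IPermission class="SharePointPermission" version="1" Unrestricted="True"/>
  </PermissionSet>
 </NamedPermissionSets>
</PolicyLevel></policy></security></mscorlib></configuration>"""


def undeclared_classes(xml_text):
    """Per permission set, the IPermission classes with no SecurityClass entry.
    The loader resolves the short class name through SecurityClasses, so such
    a permission is never granted as written."""
    root = ET.fromstring(xml_text)
    declared = {sc.get("Name") for sc in root.iter("SecurityClass")}
    report = {}
    for ps in root.iter("PermissionSet"):
        missing = sorted({p.get("class") for p in ps.iter("IPermission")} - declared)
        if missing:
            report[ps.get("Name")] = missing
    return report


def is_unrestricted(elem):
    # Policy files mix "true" and "True"; both mean unrestricted.
    return elem.get("Unrestricted", "").lower() == "true"


def effectively_full_trust(xml_text):
    """Sets that are Unrestricted on the PermissionSet element (as FullTrust
    is) or whose every IPermission is Unrestricted: FullTrust in all but name."""
    root = ET.fromstring(xml_text)
    return [ps.get("Name") for ps in root.iter("PermissionSet")
            if is_unrestricted(ps)
            or (list(ps.iter("IPermission"))
                and all(is_unrestricted(p) for p in ps.iter("IPermission")))]


if __name__ == "__main__":
    print("undeclared classes:", undeclared_classes(POLICY))
    print("full trust in all but name:", effectively_full_trust(POLICY))
```

Run it against the real wss_custom_*.config by reading the file into the xml_text argument; anything reported by the first check needs a SecurityClass line, and anything reported by the second beyond FullTrust should be cut back to the permissions Permcalc listed.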