Friday, November 28, 2014

Code Access Security (CAS) in SharePoint - IN HCL

Code access security (CAS) is a mechanism that limits what code is permitted to do, in order to protect resources and operations. SharePoint ships with two trust levels, "WSS_Medium" and "WSS_Minimal":
   <securityPolicy>
     <trustLevel name="WSS_Medium" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_mediumtrust.config" />
     <trustLevel name="WSS_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_minimaltrust.config" />
   </securityPolicy>
By default SharePoint runs at "WSS_Minimal", as set in the web.config file:
   <trust level="WSS_Minimal" originUrl="" />
If you don't want to give your assembly "Full" trust (which would grant it full access to your resources), do the following:
1) Check the permissions the assembly actually requires using the Permission Calculator Tool (Permcalc.exe).
2) Design a custom policy file [Microsoft Windows SharePoint Services and Code Access Security]. SharePoint provides two security permission classes:
    1) Microsoft.SharePoint.Security.SharePointPermission
    2) Microsoft.SharePoint.Security.WebPartPermission
3) Copy the custom policy file to "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\CONFIG\wss_custom_wss_minimaltrust.config". A complete example:
 
   <configuration>
     <mscorlib>
       <security>
         <policy>
           <PolicyLevel version="1">
             <SecurityClasses>
               <SecurityClass Name="AllMembershipCondition" Description="System.Security.Policy.AllMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="AspNetHostingPermission" Description="System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="ConfigurationPermission" Description="System.Configuration.ConfigurationPermission, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
               <SecurityClass Name="DnsPermission" Description="System.Net.DnsPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="EnvironmentPermission" Description="System.Security.Permissions.EnvironmentPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="FileIOPermission" Description="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="FirstMatchCodeGroup" Description="System.Security.Policy.FirstMatchCodeGroup, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="IsolatedStorageFilePermission" Description="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="NamedPermissionSet" Description="System.Security.NamedPermissionSet"/>
               <SecurityClass Name="PrintingPermission" Description="System.Drawing.Printing.PrintingPermission, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
               <SecurityClass Name="ReflectionPermission" Description="System.Security.Permissions.ReflectionPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="RegistryPermission" Description="System.Security.Permissions.RegistryPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="SecurityPermission" Description="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="SmtpPermission" Description="System.Net.Mail.SmtpPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="SocketPermission" Description="System.Net.SocketPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="SqlClientPermission" Description="System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="StrongNameMembershipCondition" Description="System.Security.Policy.StrongNameMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="UnionCodeGroup" Description="System.Security.Policy.UnionCodeGroup, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="UrlMembershipCondition" Description="System.Security.Policy.UrlMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="WebPermission" Description="System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="ZoneMembershipCondition" Description="System.Security.Policy.ZoneMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="SharePointPermission" Description="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"/>
               <SecurityClass Name="WebPartPermission" Description="Microsoft.SharePoint.Security.WebPartPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"/>
               <!-- Every permission class referenced by short name in a PermissionSet below must be
                    declared here, otherwise the policy level cannot be resolved when it loads.
                    The following entries cover the classes used by the custom web part set. -->
               <SecurityClass Name="FileDialogPermission" Description="System.Security.Permissions.FileDialogPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="UIPermission" Description="System.Security.Permissions.UIPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="KeyContainerPermission" Description="System.Security.Permissions.KeyContainerPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="EventLogPermission" Description="System.Diagnostics.EventLogPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="StorePermission" Description="System.Security.Permissions.StorePermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="PerformanceCounterPermission" Description="System.Diagnostics.PerformanceCounterPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="OleDbPermission" Description="System.Data.OleDb.OleDbPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
               <SecurityClass Name="DataProtectionPermission" Description="System.Security.Permissions.DataProtectionPermission, System.Security, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
             </SecurityClasses>
             <NamedPermissionSets>
               <!-- Custom set for the strong-named web part assembly. Nearly every permission
                    here is Unrestricted, which grants almost as much as FullTrust. -->
               <PermissionSet class="NamedPermissionSet" version="1" Description="Permissions for IBM FileNet Web Parts" Name="fnspwebparts.wsp-ab39a08f-52d9-49c7-a608-f797f52fafb6-1">
                 <IPermission class="EnvironmentPermission" version="1" Unrestricted="true"/>
                 <IPermission class="FileDialogPermission" version="1" Unrestricted="true"/>
                 <IPermission class="FileIOPermission" version="1" Unrestricted="true"/>
                 <IPermission class="IsolatedStorageFilePermission" version="1" Unrestricted="true"/>
                 <IPermission class="ReflectionPermission" version="1" Unrestricted="true"/>
                 <IPermission class="RegistryPermission" version="1" Unrestricted="true"/>
                 <IPermission class="SecurityPermission" version="1" Unrestricted="true"/>
                 <IPermission class="UIPermission" version="1" Unrestricted="true"/>
                 <IPermission class="KeyContainerPermission" version="1" Unrestricted="true"/>
                 <IPermission class="DnsPermission" version="1" Unrestricted="true"/>
                 <IPermission class="PrintingPermission" version="1" Unrestricted="true"/>
                 <IPermission class="SocketPermission" version="1" Unrestricted="true"/>
                 <IPermission class="WebPermission" version="1" Unrestricted="true"/>
                 <IPermission class="EventLogPermission" version="1" Unrestricted="true"/>
                 <IPermission class="StorePermission" version="1" Unrestricted="true"/>
                 <IPermission class="PerformanceCounterPermission" version="1" Unrestricted="true"/>
                 <IPermission class="OleDbPermission" version="1" Unrestricted="true"/>
                 <IPermission class="SqlClientPermission" version="1" Unrestricted="true"/>
                 <IPermission class="DataProtectionPermission" version="1" Unrestricted="true"/>
                 <IPermission class="AspNetHostingPermission" version="1" Level="Medium"/>
                 <IPermission class="WebPartPermission" version="1" Connections="True" Unrestricted="True"/>
                 <IPermission class="SharePointPermission" version="1" ObjectModel="True" Unrestricted="True"/>
               </PermissionSet>
               <PermissionSet class="NamedPermissionSet" version="1" Unrestricted="true" Name="FullTrust" Description="Allows full access to all resources"/>
               <PermissionSet class="NamedPermissionSet" version="1" Name="Nothing" Description="Denies all resources, including the right to execute"/>
               <!-- The standard minimal-trust set; each grant is scoped to a resource, flag or URI. -->
               <PermissionSet class="NamedPermissionSet" version="1" Name="SPRestricted">
                 <IPermission class="AspNetHostingPermission" version="1" Level="Medium"/>
                 <IPermission class="DnsPermission" version="1" Unrestricted="true"/>
                 <IPermission class="EnvironmentPermission" version="1" Read="TEMP;TMP;USERNAME;OS;COMPUTERNAME"/>
                 <IPermission class="FileIOPermission" version="1" Read="$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$"/>
                 <IPermission class="IsolatedStorageFilePermission" version="1" Allowed="AssemblyIsolationByUser" UserQuota="9223372036854775807"/>
                 <IPermission class="PrintingPermission" version="1" Level="DefaultPrinting"/>
                 <IPermission class="SecurityPermission" version="1" Flags="Assertion, Execution, ControlThread, ControlPrincipal, RemotingConfiguration"/>
                 <IPermission class="SharePointPermission" version="1" ObjectModel="True"/>
                 <IPermission class="SmtpPermission" version="1" Access="Connect"/>
                 <IPermission class="SqlClientPermission" version="1" Unrestricted="true"/>
                 <IPermission class="WebPartPermission" version="1" Connections="True"/>
                 <IPermission class="WebPermission" version="1">
                   <ConnectAccess>
                     <URI uri="$OriginHost$"/>
                   </ConnectAccess>
                 </IPermission>
               </PermissionSet>
             </NamedPermissionSets>
             <!-- FirstMatchCodeGroup evaluates its children in order and takes the first one that
                  matches, so the strong-name group for the custom assembly must come before the
                  catch-all $AppDirUrl$/* group or it would never be reached. -->
             <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
               <IMembershipCondition class="AllMembershipCondition" version="1" />
               <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="fnspwebparts.wsp-ab39a08f-52d9-49c7-a608-f797f52fafb6-1">
                 <IMembershipCondition version="1" class="StrongNameMembershipCondition" PublicKeyBlob="00240000048000009400000006020000002400005253413100040000010001009f190b7fe605e7f7ed48417c133425cdd523804bb7c3a7dc12f7dc97ebc1fc804a54d14e30a647e8341b32afcd08adb85d9c23df869bc50ab0d77c8dcbbd4db760f0b6fa69eb2ec6e615d37bfcc2e661e750f378a757de3bbf1cdf6b22ddf4e1a62dae6d2d45d3e2213cc04d65ae7a1f4746fed02248293265be01f7d43dd7c5"/>
               </CodeGroup>
               <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
                 <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/_app_bin/*" />
               </CodeGroup>
               <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="SPRestricted">
                 <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/*" />
               </CodeGroup>
               <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
                 <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$CodeGen$/*" />
               </CodeGroup>
               <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="Nothing">
                 <IMembershipCondition class="ZoneMembershipCondition" version="1" Zone="MyComputer" />
                 <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="Microsoft_Strong_Name" Description="This code group grants code signed with the Microsoft strong name full trust. ">
                   <IMembershipCondition class="StrongNameMembershipCondition" version="1" PublicKeyBlob="002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293" />
                 </CodeGroup>
                 <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="Ecma_Strong_Name" Description="This code group grants code signed with the ECMA strong name full trust. ">
                   <IMembershipCondition class="StrongNameMembershipCondition" version="1" PublicKeyBlob="00000000000000000400000000000000" />
                 </CodeGroup>
               </CodeGroup>
             </CodeGroup>
           </PolicyLevel>
         </policy>
       </security>
     </mscorlib>
   </configuration>
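Two things are worth checking mechanically before a file like the one above goes onto a farm: that every IPermission class referenced by a short name has a matching SecurityClass declaration (an undeclared name cannot be resolved when the policy level loads), and which named permission set a given assembly actually ends up with, because the root FirstMatchCodeGroup takes only the first matching child, so the strong-name group for the custom assembly has to sit before the catch-all $AppDirUrl$/* group. The Python checker below is an added example and is not code from the original post or from SharePoint. It models the FirstMatch/Union resolution rules in simplified form (URL conditions are matched with a plain wildcard compare and $AppDirUrl$ is substituted from a constant; the real UrlMembershipCondition only supports a trailing wildcard), and SAMPLE_POLICY is a constructed, shortened fragment in the shape of the policy file above, with placeholder paths and a placeholder public key blob.

```python
# Added example: a checker for a custom ASP.NET/SharePoint CAS policy file.
# SAMPLE_POLICY, APP_DIR_URL and the key blob are constructed placeholders.
import copy
import fnmatch
import xml.etree.ElementTree as ET

SAMPLE_POLICY = """<configuration><mscorlib><security><policy><PolicyLevel version="1">
  <SecurityClasses>
    <!-- membership-condition and code-group classes omitted for brevity -->
    <SecurityClass Name="NamedPermissionSet" Description="System.Security.NamedPermissionSet"/>
    <SecurityClass Name="SharePointPermission" Description="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security"/>
    <SecurityClass Name="WebPartPermission" Description="Microsoft.SharePoint.Security.WebPartPermission, Microsoft.SharePoint.Security"/>
  </SecurityClasses>
  <NamedPermissionSets>
    <PermissionSet class="NamedPermissionSet" version="1" Name="CustomWebParts">
      <IPermission class="SharePointPermission" version="1" ObjectModel="True"/>
      <IPermission class="WebPartPermission" version="1" Connections="True"/>
      <IPermission class="EventLogPermission" version="1" Unrestricted="true"/>
    </PermissionSet>
    <PermissionSet class="NamedPermissionSet" version="1" Unrestricted="true" Name="FullTrust"/>
    <PermissionSet class="NamedPermissionSet" version="1" Name="Nothing"/>
    <PermissionSet class="NamedPermissionSet" version="1" Name="SPRestricted">
      <IPermission class="SharePointPermission" version="1" ObjectModel="True"/>
    </PermissionSet>
  </NamedPermissionSets>
  <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
    <IMembershipCondition class="AllMembershipCondition" version="1"/>
    <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="CustomWebParts">
      <IMembershipCondition class="StrongNameMembershipCondition" version="1" PublicKeyBlob="00240000048000009400000006020000EXAMPLEBLOB"/>
    </CodeGroup>
    <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
      <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/_app_bin/*"/>
    </CodeGroup>
    <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="SPRestricted">
      <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/*"/>
    </CodeGroup>
  </CodeGroup>
</PolicyLevel></policy></security></mscorlib></configuration>"""

# Constructed evidence for three assemblies: a strong-named web part in bin,
# an unsigned helper in bin, and a SharePoint assembly in _app_bin.
APP_DIR_URL = "file:///C:/inetpub/wwwroot/wss/VirtualDirectories/80"
SIGNED_BIN = {"url": APP_DIR_URL + "/bin/FnspWebParts.dll",
              "public_key_blob": "00240000048000009400000006020000EXAMPLEBLOB"}
UNSIGNED_BIN = {"url": APP_DIR_URL + "/bin/Helper.dll", "public_key_blob": ""}
APP_BIN = {"url": APP_DIR_URL + "/_app_bin/Microsoft.SharePoint.ApplicationPages.dll",
           "public_key_blob": ""}

def load_policy(xml_text):
    """Return the <PolicyLevel> element of a trust policy file."""
    return ET.fromstring(xml_text).find("./mscorlib/security/policy/PolicyLevel")

def undeclared_permission_classes(level):
    """Short IPermission class names with no <SecurityClass> entry; the CLR
    cannot resolve these when it loads the policy level."""
    declared = {sc.get("Name") for sc in level.iter("SecurityClass")}
    return sorted({p.get("class") for p in level.iter("IPermission")
                   if "," not in p.get("class") and p.get("class") not in declared})

def permission_set_is_unrestricted(level, name):
    """True if the named set carries Unrestricted="true" (full trust in effect)."""
    for ps in level.iter("PermissionSet"):
        if ps.get("Name") == name:
            return ps.get("Unrestricted", "false").lower() == "true"
    raise KeyError(name)

def condition_matches(cond, evidence):
    """Simplified evaluation of the membership-condition types used in the sample."""
    kind = cond.get("class")
    if kind == "AllMembershipCondition":
        return True
    if kind == "StrongNameMembershipCondition":
        return evidence["public_key_blob"].lower() == cond.get("PublicKeyBlob", "").lower()
    if kind == "UrlMembershipCondition":
        pattern = cond.get("Url").replace("$AppDirUrl$", APP_DIR_URL)
        return fnmatch.fnmatchcase(evidence["url"].lower(), pattern.lower())
    return False

def resolve(group, evidence):
    """Permission-set names a code group grants: its own set plus its matching
    children; FirstMatchCodeGroup stops after the first matching child."""
    if not condition_matches(group.find("IMembershipCondition"), evidence):
        return []
    granted = [group.get("PermissionSetName")]
    for child in group.findall("CodeGroup"):
        sub = resolve(child, evidence)
        granted += sub
        if sub and group.get("class") == "FirstMatchCodeGroup":
            break
    return granted

def effective_permission_sets(level, evidence):
    """Named sets granted to an assembly, ignoring the empty 'Nothing' set."""
    return [n for n in resolve(level.find("CodeGroup"), evidence) if n != "Nothing"]

def effective_with_group_moved_last(level, evidence, set_name):
    """Re-resolve with the group granting set_name moved after the catch-all
    groups, to show that child order under FirstMatchCodeGroup decides the result."""
    root = copy.deepcopy(level.find("CodeGroup"))
    for child in root.findall("CodeGroup"):
        if child.get("PermissionSetName") == set_name:
            root.remove(child)
            root.append(child)
    return [n for n in resolve(root, evidence) if n != "Nothing"]

if __name__ == "__main__":
    level = load_policy(SAMPLE_POLICY)
    print("undeclared:", undeclared_permission_classes(level))
    print("signed bin:", effective_permission_sets(level, SIGNED_BIN))
    print("unsigned bin:", effective_permission_sets(level, UNSIGNED_BIN))
    print("custom group moved last:",
          effective_with_group_moved_last(level, SIGNED_BIN, "CustomWebParts"))
```

Run against the sample, the checker reports EventLogPermission as undeclared, gives the strong-named assembly in bin the CustomWebParts set, the unsigned one SPRestricted, and the _app_bin assembly FullTrust; moving the custom group behind the $AppDirUrl$/* group drops the signed assembly to SPRestricted, which is the silent failure mode to watch for when editing the code-group tree.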
Here is a glimpse of the permission types that may help you design the file. Note that a set in which nearly every entry is Unrestricted="true" grants almost as much as FullTrust; the SPRestricted set above shows how narrower grants (a named resource, a flag, a single URI) look:
   <IPermission class="EnvironmentPermission" version="1" Unrestricted="true"/>
   <IPermission class="FileDialogPermission" version="1" Unrestricted="true"/>
   <IPermission class="FileIOPermission" version="1" Unrestricted="true"/>
   <IPermission class="IsolatedStorageFilePermission" version="1" Unrestricted="true"/>
   <IPermission class="ReflectionPermission" version="1" Unrestricted="true"/>
   <IPermission class="RegistryPermission" version="1" Unrestricted="true"/>
   <IPermission class="SecurityPermission" version="1" Unrestricted="true"/>
   <IPermission class="UIPermission" version="1" Unrestricted="true"/>
   <IPermission class="KeyContainerPermission" version="1" Unrestricted="true"/>
   <IPermission class="DnsPermission" version="1" Unrestricted="true"/>
   <IPermission class="PrintingPermission" version="1" Unrestricted="true"/>
   <IPermission class="SocketPermission" version="1" Unrestricted="true"/>
   <IPermission class="WebPermission" version="1" Unrestricted="true"/>
   <IPermission class="EventLogPermission" version="1" Unrestricted="true"/>
   <IPermission class="StorePermission" version="1" Unrestricted="true"/>
   <IPermission class="PerformanceCounterPermission" version="1" Unrestricted="true"/>
   <IPermission class="OleDbPermission" version="1" Unrestricted="true"/>
   <IPermission class="SqlClientPermission" version="1" Unrestricted="true"/>
   <IPermission class="DataProtectionPermission" version="1" Unrestricted="true"/>
   <IPermission class="AspNetHostingPermission" version="1" Level="Medium"/>
   <IPermission class="WebPartPermission" version="1" Connections="True" Unrestricted="True"/>
   <IPermission class="SharePointPermission" version="1" ObjectModel="True" Unrestricted="True"/>
And these articles:
1) How to demand permissions by using Code Access Security
2) ASP.NET Code Access Security

4) Modify your web.config file so that it registers the custom trust level; the securityPolicy section then looks like this:
   <securityPolicy>
     <trustLevel name="WSS_Medium" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_mediumtrust.config" />
     <trustLevel name="WSS_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_minimaltrust.config" />
     <trustLevel name="WSS_Custom" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_custom_wss_minimaltrust.config" />
   </securityPolicy>

5) Set the level attribute of the trust element to your custom trust level name:
   <trust level="WSS_Custom" originUrl="" />
