CAS in SharePoint


Here I’m going to explain how to use a Code Access Security (CAS) policy configuration to lock down a web part that makes a “this.Page.LoadControl()” call to load a user control.


 


- First create a custom web part. In the CreateChildControls() method, load a custom user control like this:

    Control control = this.Page.LoadControl("~/usercontrols/MyUserControl.ascx");

- Then copy the two DLLs (TestUserControl.dll and TestWebPart.dll) to the bin (e.g. ..\Inetpub\wwwroot\wss\VirtualDirectories\80\bin).

- Now copy the ASCX (TestUserControl.ascx) to the usercontrols directory (e.g. ..\Inetpub\wwwroot\wss\VirtualDirectories\80\usercontrols).

- In order to use these controls in our SharePoint site, we need to add appropriate SafeControl entries to the web.config for these 2 DLLs.

- Make sure the trust level in the web.config is set to “Full” and save.

- In SharePoint go into Site Settings, click on “Web Parts” under “Galleries”, click “New” and add the web part to the gallery (e.g. MyWebPart). Edit a page and add the web part. The web part will work as expected! But remember, this uses the Full trust policy :)


 


Using Custom CAS Configuration:


 


- Now let’s add our own configuration file in the 12 hive CONFIG folder. The easiest way is to make a copy of any of the existing config files, say the wss_minimal_trust.config policy file, and rename it to custom_trust.config.


 


    a. In the new policy file, add the <SecurityClass> declaration under <SecurityClasses>:

        <SecurityClass Name="SharePointPermission" Description="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"/>


 


    b. Make a copy of the <PermissionSet> with the name “SPRestricted”, setting the name of the copy to “SPRestrictedCustom”.


 


    c. Add the following <IPermission> declaration to the new SPRestrictedCustom <PermissionSet>:

        <IPermission class="SharePointPermission"
                     version="1"
                     ObjectModel="True"/>


 


    d. Add <CodeGroup> declarations for the user control assembly and the web part assembly:

        <CodeGroup
            class="UnionCodeGroup"
            version="1"
            PermissionSetName="SPRestrictedCustom">
          <IMembershipCondition
              class="StrongNameMembershipCondition"
              version="1"
              PublicKeyBlob="0024.."
              Name="MyUserControl"/>
        </CodeGroup>
        <CodeGroup
            class="UnionCodeGroup"
            version="1"
            PermissionSetName="SPRestrictedCustom">
          <IMembershipCondition
              class="StrongNameMembershipCondition"
              version="1"
              PublicKeyBlob="0024…"
              Name="MyWebPart"/>
        </CodeGroup>


 


- Modify the web.config for the web application as follows:

    a. Add the following <trustLevel> under <system.web><securityPolicy>:

        <trustLevel name="WSS_Custom" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\custom_trust.config" />

    b. Change the trust level from “Full” to “WSS_Custom”.


 


- Now try the web part again, and you will end up with this error:

    The file '/usercontrols/MyUserControl.ascx' does not exist. – StackTrace:
       at System.Web.UI.Util.CheckVirtualFileExists(VirtualPath virtualPath)
       at System.Web.Compilation.BuildManager.GetVPathBuildResultInternal(VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile)
       at System.Web.Compilation.BuildManager.GetVPathBuildResultWithNoAssert(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile)
       at System.Web.UI.TemplateControl.LoadControl(VirtualPath virtualPath)
       at System.Web.UI.TemplateControl.LoadControl(String virtualPath)
       at TestWebPart.TestWebPart.CreateChildControls()


 


 


So where does the problem lie?

Does the error message mean the file MyUserControl doesn’t exist, or is the error message misleading us? The file does exist in the usercontrols folder. Could the error message be caused by a security exception? It possibly could be!

Let’s first make sure that the minimum permission that is required for some of the assemblies is granted. This can be done using the Minimum Grant Set Determination tool, PermCalc.exe (http://msdn.microsoft.com/en-us/library/ms165077(VS.80).aspx). Run this tool with the “-Sandbox” flag and here’s the output we get:


 


    <?xml version="1.0"?>
    <Sandbox>
      <PermissionSet version="1" class="System.Security.PermissionSet" Unrestricted="true" />
    </Sandbox>


 


So the minimum sandbox the tool reports is an unrestricted permission set (class System.Security.PermissionSet). In our config file we have:

    <SecurityClass Name="NamedPermissionSet" Description="System.Security.NamedPermissionSet"/>


 


Inheritance Hierarchy


System.Object
   > System.Security.PermissionSet
      > System.Security.NamedPermissionSet


 


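Hence, in our custom permission set named SPRestrictedCustom, add Unrestricted="true", because it points to the class NamedPermissionSet, which derives from PermissionSet. Keep in mind that an unrestricted permission set grants every permission, so the two strong-named assemblies matched by the code groups above run with the equivalent of full trust, while the rest of the policy file still applies to other code.

    <PermissionSet
        class="NamedPermissionSet"
        version="1"
        Name="SPRestrictedCustom"
        Unrestricted="true">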


 


            Now, run the SharePoint application with the web part and it should work as expected without any error.
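
As an added check (not part of the original post and not SharePoint's own tooling), this Python script lists which code groups in a policy file resolve to a permission set marked Unrestricted="true", that is, which assemblies end up with all permissions. The embedded policy is a constructed sample shaped like the custom_trust.config above; the function name and the PLACEHOLDER key blob are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the custom_trust.config built above (not a real policy file).
SAMPLE_POLICY = """<configuration><mscorlib><security><policy><PolicyLevel version="1">
  <NamedPermissionSets>
    <PermissionSet class="NamedPermissionSet" version="1" Unrestricted="true" Name="FullTrust"/>
    <PermissionSet class="NamedPermissionSet" version="1" Name="SPRestricted">
      <IPermission class="SharePointPermission" version="1" ObjectModel="True"/>
    </PermissionSet>
    <PermissionSet class="NamedPermissionSet" version="1" Name="SPRestrictedCustom" Unrestricted="true">
      <IPermission class="SharePointPermission" version="1" ObjectModel="True"/>
    </PermissionSet>
  </NamedPermissionSets>
  <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
    <IMembershipCondition class="AllMembershipCondition" version="1"/>
    <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="SPRestricted">
      <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/*"/>
    </CodeGroup>
    <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="SPRestrictedCustom">
      <IMembershipCondition class="StrongNameMembershipCondition" version="1"
                            PublicKeyBlob="PLACEHOLDER" Name="MyWebPart"/>
    </CodeGroup>
  </CodeGroup>
</PolicyLevel></policy></security></mscorlib></configuration>"""


def unrestricted_grants(policy_xml):
    """Return (permission set, membership condition class, target) for every
    code group whose named permission set is marked Unrestricted="true"."""
    root = ET.fromstring(policy_xml)
    unrestricted = {ps.get("Name") for ps in root.iter("PermissionSet")
                    if (ps.get("Unrestricted") or "").lower() == "true"}
    findings = []
    for group in root.iter("CodeGroup"):  # walks nested code groups too
        set_name = (group.get("PermissionSetName") or "").strip()
        if set_name not in unrestricted:
            continue
        cond = group.find("IMembershipCondition")  # direct child only
        attrs = cond.attrib if cond is not None else {}
        target = attrs.get("Name") or attrs.get("Url") or "*"
        findings.append((set_name, attrs.get("class", "(none)"), target))
    return findings


if __name__ == "__main__":
    for set_name, cond_class, target in unrestricted_grants(SAMPLE_POLICY):
        print(f"{target}: all permissions via {set_name} ({cond_class})")
```

A finding whose target is a broad URL or "*" rather than a single strong-named assembly means the unrestricted grant reaches far more code than the web part and its user control.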


 


Reference MSDN article: http://msdn.microsoft.com/en-us/library/aa302425.aspx


Comments (2)

  1. Gordon says:

    Do you know how to set Unrestricted=true on the permissionset in the manifest.xml?

    thanks for the post, it’s very useful!

  2. Lim Eng Lian says:

    Great post. I have been searching the whole day figuring out how to fix the exact error when a partially trusted web part loads a user control... most posts directed me to SmartPart...

    Thanks!