Sunday, January 26, 2014

Code Access Security in SharePoint web parts

Installing SharePoint web part DLL files in the GAC has security implications. By default, all web parts are installed in the GAC with full trust. We can instead install web parts in the web application's dedicated bin folder. Web parts in the bin folder run in partial trust and have only limited access to the bin folder.

If a web part needs additional permissions, we need to create custom CAS policies that grant them. By adding custom policies we can also make the code run in full trust, in which case all the code runs with full trust regardless of the location where it is installed.

Code Access Security (CAS) is a policy that limits the access an assembly has to system resources and operations. By default SharePoint uses built-in policies from ASP.NET, with a minimal set of permissions to protect the server and infrastructure from vulnerable code. If a web part needs greater access than the minimal settings provide, there are a number of ways to increase its permissions, including creating a custom CAS policy and increasing the overall trust level for the server farm in web.config.

SharePoint Foundation has the built-in security settings WSS_UserCode, WSS_Minimal and WSS_Medium, inheriting from the ASP.NET trust levels. By default, these built-in SharePoint Foundation policy files are located in the %ProgramFiles%\Common Files\Microsoft Shared\web server extensions\14\CONFIG directory and are named wss_usercode.config, wss_minimaltrust.config and wss_mediumtrust.config.

By default SharePoint Foundation uses the WSS_Minimal trust level, which supports all the permissions in ASP.NET minimal trust. The WSS_Minimal policy restricts all web parts from advanced operations. The WSS_Medium level allows access to the SharePoint object model and file operations. It also allows access to environment variables.
We can check the security policies in the web.config file:

<securityPolicy>
<trustLevel name="WSS_Medium" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\config\wss_mediumtrust.config" />
<trustLevel name="WSS_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\config\wss_minimaltrust.config" />
</securityPolicy>

We can add custom policy files to SharePoint and register each one with a tag inside the securityPolicy tag:

<trustLevel name="WSS_Custom" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\config\wss_custom_wss_minimaltrust.config" />
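
An added example, not code from the original post: a Python audit of a web.config that reports the active trust level and flags custom policy entries, using the level names and CONFIG path given above. The sample web.config is constructed, the D:\deploy path is made up, and the `<trust level>` element is ASP.NET's standard setting for selecting which registered level is in force.

```python
import ntpath
import xml.etree.ElementTree as ET

# Built-in level names and policy directory as given in the post.
BUILT_IN = {"wss_usercode", "wss_minimal", "wss_medium"}
CONFIG_DIR = ntpath.normcase(
    r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\config")

# Constructed sample, not taken from a real server. The D:\ path is made up.
SAMPLE = r"""<configuration>
  <system.web>
    <securityPolicy>
      <trustLevel name="WSS_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\config\wss_minimaltrust.config" />
      <trustLevel name="WSS_Custom" policyFile="D:\deploy\wss_custom.config" />
    </securityPolicy>
    <trust level="WSS_Custom" originUrl="" />
  </system.web>
</configuration>"""


def audit_trust(web_config_xml):
    """Return (active_level, findings) for one web.config document."""
    root = ET.fromstring(web_config_xml)
    findings = []
    # <trust level="..."> selects which registered policy is in force.
    trust = next(root.iter("trust"), None)
    active = trust.get("level", "") if trust is not None else ""
    if active.lower() == "full":
        findings.append("FULL_TRUST: CAS no longer restricts bin assemblies")
    elif active.lower() != "wss_minimal":
        # The post names WSS_Minimal as the default; anything else is elevated.
        findings.append(f"NON_DEFAULT_LEVEL: {active or '(none set)'}")
    for level in root.iter("trustLevel"):
        name, path = level.get("name", ""), level.get("policyFile", "")
        if name.lower() not in BUILT_IN:
            findings.append(f"CUSTOM_POLICY: {name} -> review {path}")
        if ntpath.dirname(ntpath.normcase(path)) != CONFIG_DIR:
            findings.append(f"POLICY_PATH: {name} is outside the CONFIG directory")
    return active, findings


if __name__ == "__main__":
    level, issues = audit_trust(SAMPLE)
    print("active trust level:", level)
    for issue in issues:
        print(" -", issue)
```

Each CUSTOM_POLICY finding names a policy file whose permission sets should be read by hand, since the script does not inspect what the policy grants.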
