SECURITY

Understand Microsoft SharePoint Code Access Security and Web Parts

Use Code Access Security (CAS), the security model that's part of the .NET Framework, to secure your SharePoint Portal site.

By Wes Bryan

Code Access Security (CAS), the security model that's part of the .NET Framework, has been around for a while, but it is often dismissed by ASP.NET developers. However, it is an important technology that both SharePoint administrators and Web Part developers should strive to understand. If you want to deploy Web Parts in your Microsoft SharePoint environment, CAS can help you maintain a secure SharePoint portal. This is true whether you've developed the components to be deployed internally or whether you've purchased them from a third party.

This article is for IT administrators, SharePoint site architects, and Web Part developers who want to better understand how to use CAS in their environments to ensure Web Part security. You'll get the basics of CAS technology, Web Part installation options, and the low-down on some real-world deployment issues.

While CAS has been around since ASP.NET 1.0, it meant very little to developers and administrators until the release of ASP.NET 1.1. This is because, prior to the later version, everything ran with unrestricted permissions under what is known as “full trust.” The concept of role-based security was essentially in play only in that code permissions would defer to the permissions of the user running the program.

CAS became truly useful with the advent of ASP.NET 1.1 due to the ability to configure an application to run in a partially trusted environment. Developers could then give code specific permissions to control what type of actions it was able to perform and what resources it could access. This was enforced irrespective of the permissions of the user running the program.

Why should I care about this?

The ability to limit the reach of applications through CAS is a powerful tool for both administrators and developers. You are probably asking yourself, did he really say “developers”? Isn't this just the kind of thing that system administrators love so they can pile requirements on developers in order to bend them to their twisted bidding? Well, no. In fact, the definition of the appropriate CAS level for an application should originate with the developer -- not system or site administrators. Developers are in the best position to identify the minimum set of permissions their code will need.

Turning code loose on a server and letting it run with full trust is not only bad practice, it also robs a developer of some important benefits. Let's say an issue arises indicating a corrupt system registry on a server that your Web Part was deployed to earlier in the week. You can tell by reading the e-mail chain being sent around that IT is starting to point the finger your way on scant evidence other than the unfortunate timing of your installation. With a custom CAS policy in place, you can quickly point out that your Web Part is configured to run without permission to access the system registry or write to the file system, thus sending them on their way to look for other possible culprits.
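The shape such a custom policy can take, as an added example that is not from the article or from any product's shipped files: two configuration fragments, one from the Web application's web.config and one from the policy file it points to. The level name `WSS_Custom`, the file path, the permission set name `ExampleWebPartSet` and the `PublicKeyBlob` value are hypothetical placeholders, and the short class names assume matching `<SecurityClass>` entries elsewhere in the policy file.

```xml
<!-- Fragment 1: web.config of the SharePoint Web application. -->
<system.web>
  <securityPolicy>
    <!-- Hypothetical level name and path: registers the custom policy file. -->
    <trustLevel name="WSS_Custom" policyFile="C:\policies\wss_custom.config" />
  </securityPolicy>

  <!-- Weak setting, shown for contrast: every assembly in the application,
       Web Parts included, runs with unrestricted permissions.
  <trust level="Full" originUrl="" />
  -->

  <!-- Corrected setting: partial trust, governed by the policy file above. -->
  <trust level="WSS_Custom" originUrl="" />
</system.web>

<!-- Fragment 2: inside the <PolicyLevel> element of the custom policy file. -->
<NamedPermissionSets>
  <!-- The minimum set for one Web Part. Add a permission only when the
       developer has shown the code needs it. -->
  <PermissionSet class="NamedPermissionSet" version="1"
                 Name="ExampleWebPartSet">
    <IPermission class="AspNetHostingPermission" version="1" Level="Minimal" />
    <IPermission class="SecurityPermission" version="1" Flags="Execution" />
    <!-- No RegistryPermission and no FileIOPermission are granted, so a
         registry read or a file write from this assembly fails with a
         SecurityException whatever account the request runs under. -->
  </PermissionSet>
</NamedPermissionSets>

<CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
  <IMembershipCondition class="AllMembershipCondition" version="1" />
  <!-- Grants the set above only to assemblies signed with the Web Part
       vendor's key. The blob below is a placeholder, not a real key. -->
  <CodeGroup class="UnionCodeGroup" version="1"
             PermissionSetName="ExampleWebPartSet">
    <IMembershipCondition class="StrongNameMembershipCondition" version="1"
                          PublicKeyBlob="PLACEHOLDER_PUBLIC_KEY_BLOB" />
  </CodeGroup>
</CodeGroup>
```

The absence of the registry and file permissions from the named set is the evidence the developer in the scenario above can point to.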

Developers can also benefit from CAS by using it as a mechanism to find bugs. Turning specific permissions on or off can help identify where a problem is occurring. Internal developers can do strange things in their code too, and although malicious intent may not be there, buggy code can create problems. CAS ensures that code can only do certain things and can prevent a process from being usurped by another that may have a more wicked intent.



    Wes Bryan is the engineering manager for Bamboo Solutions, a provider of SharePoint Web Parts and custom SharePoint development services. He has been with Bamboo for six years and has more than a decade of experience developing commercial software products. Prior to his SharePoint involvement, his past roles included creating an enterprise collaboration and information management application. Much of the SharePoint experience he gathers comes from his team and their shared experiences with customers implementing portal solutions and Web Parts. http://www.bamboosolutions.com


    ARTICLE INFO

    DataBased Advisor

    Web Edition: 2007 Week 45, Doc #19242

    Print Edition: October 2007, Page 18
