Code Access Security and Sharepoint WebParts
- by Gordon Carpenter-Thompson
I've got a vague handle on how Code Access Security works in Sharepoint.
I have developed a custom webpart and setup a CAS policy in my Manifest
<CodeAccessSecurity>
<PolicyItem>
<PermissionSet class="NamedPermissionSet" version="1" Description="Permission set for Okana">
<IPermission class="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" version="1" ObjectModel="True" Impersonate="True" />
<IPermission class="SecurityPermission" version="1" Flags="Assertion, Execution, ControlThread, ControlPrincipal, RemotingConfiguration" />
<IPermission class="AspNetHostingPermission" version="1" Level="Medium" />
<IPermission class="DnsPermission" version="1" Unrestricted="true" />
<IPermission class="EventLogPermission" version="1" Unrestricted="true">
<Machine name="localhost" access="Administer" />
</IPermission>
<IPermission class="EnvironmentPermission" version="1" Unrestricted="true" />
<IPermission class="System.Configuration.ConfigurationPermission, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" version="1" Unrestricted="true"/>
<IPermission class="System.Net.WebPermission, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Unrestricted="true" />
<IPermission class="System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" Unrestricted="true" />
<IPermission class="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Unrestricted="true" PathDiscovery="*AllFiles*" />
<IPermission class="IsolatedStorageFilePermission" version="1" Allowed="AssemblyIsolationByUser" UserQuota="9223372036854775807" />
<IPermission class="PrintingPermission" version="1" Level="DefaultPrinting" />
<IPermission class="PerformanceCounterPermission" version="1">
<Machine name="localhost">
<Category name="Enterprise Library Caching Counters" access="Write"/>
<Category name="Enterprise Library Cryptography Counters" access="Write"/>
<Category name="Enterprise Library Data Counters" access="Write"/>
<Category name="Enterprise Library Exception Handling Counters" access="Write"/>
<Category name="Enterprise Library Logging Counters" access="Write"/>
<Category name="Enterprise Library Security Counters" access="Write"/>
</Machine>
</IPermission>
<IPermission class="ReflectionPermission" version="1" Unrestricted="true"/>
<IPermission class="SecurityPermission" version="1" Flags="SerializationFormatter, UnmanagedCode, Infrastructure, Assertion, Execution, ControlThread, ControlPrincipal, RemotingConfiguration, ControlAppDomain,ControlDomainPolicy" />
<IPermission class="SharePointPermission" version="1" ObjectModel="True" />
<IPermission class="SmtpPermission" version="1" Access="Connect" />
<IPermission class="SqlClientPermission" version="1" Unrestricted="true"/>
<IPermission class="WebPartPermission" version="1" Connections="True" />
<IPermission class="WebPermission" version="1">
<ConnectAccess>
<URI uri="$OriginHost$"/>
</ConnectAccess>
</IPermission>
</PermissionSet>
<Assemblies>
....
</Assemblies>
This is correctly converted into a wss_custom_wss_minimaltrust.config when it is deployed onto the Sharepoint server and mostly works.
To get the WebPart working fully, however I find that I need to modify the wss_custom_wss_minimaltrust.config by hand after deployment and set Unrestricted="true" on the permissions set
<PermissionSet class="NamedPermissionSet" version="1" Description="Permission set for MyApp" Name="mywebparts.wsp-86d8cae1-7db2-4057-8c17-dc551adb17a2-1">
to
<PermissionSet class="NamedPermissionSet" version="1" Description="Permission set for MyApp" Name="mywebparts.wsp-86d8cae1-7db2-4057-8c17-dc551adb17a2-1" Unrestricted="true">
It's all because I'm loading a User Control from the webpart. I don't believe there is a way to enable that using CAS but am willing to be proven wrong.
Is there a way to set something in the manifest so I don't need to make this fix by hand?
Thanks
