Sunday, 28 August 2011

How to create a new custom Trust Level and Code Access Security in SharePoint

Step 1: Create a custom policy file wss_custom.config by copying the out-of-box policy file
  • Open the directory “C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\CONFIG”. It contains the out-of-box policy files defining the Wss_Medium and Wss_Minimal trust levels of SharePoint.
  • Make a copy of wss_minimaltrust.config in the same directory and rename it to wss_custom.config.

Step 2: Refer to the “wss_custom.config” policy file from the web.config
  • Add a new trustLevel entry to the web.config. The trustLevel points to the new policy file wss_custom.config you created in step 1.

    <securityPolicy>
    ......
    <trustLevel name="WSS_Custom" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_custom.config" />
    </securityPolicy>

  • Change <trust level="WSS_Minimal" originUrl="" /> to <trust level="WSS_Custom" originUrl="" />

    After the first two steps, your SharePoint web application starts to use the custom policy file, wss_custom.config. Remember that “wss_custom.config” is still just a copy of the out-of-box “wss_minimaltrust.config”. Now we need to modify the file.

Step 3: Modify the “wss_custom.config” policy file so the DLLs in the bin directory of the SharePoint web application have the CAS SharePointPermission. You only need to add one IPermission element to an existing PermissionSet element, as follows:
<PermissionSet class="NamedPermissionSet" version="1" Name="SPRestricted">
  <!-- add the following element -->
  <IPermission
    class="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
    version="1"
    ObjectModel="True"
  />
  <!-- end of the element -->
</PermissionSet>

How did I figure out that the SharePointPermission had to be added to the SPRestricted permission set? First, the exception message already tells you that SharePointPermission is required, so you need to add an IPermission element with SharePointPermission as its class. You can just use version="1". The real catch is figuring out that ObjectModel="True" is needed. Go to http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.security.sharepointpermission_properties.aspx. You will notice that SharePointPermission is a .NET class with three public properties, and ObjectModel is one of them. What I did was try each property in turn, setting it to true. After a few tries, ObjectModel="True" turned out to be the only one that really matters.
Why did I choose to add it to the SPRestricted PermissionSet? This requires a basic understanding of the structure of the CAS policy file. Search for “SPRestricted” in the wss_custom.config file and you will find the following element:
<CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="SPRestricted">
  <IMembershipCondition
    class="UrlMembershipCondition"
    version="1"
    Url="$AppDirUrl$/*"
  />
</CodeGroup>

This is the code group that dictates the CAS permissions for all the DLLs under the "$AppDirUrl$" directory, which includes the bin directory. This code group uses the “SPRestricted” permission set. That is why the IPermission element is added to the “SPRestricted” permission set.
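The three steps above, plus the code-group check from the explanation, can be scripted so they are repeated identically on every web front end. The following PowerShell script is an added example and is not code from the original post. It assumes the default 12-hive CONFIG directory and file names from the post; the $WebConfig path, the Read-XmlFile helper and the .bak copy are assumptions you should adjust for your farm.

```powershell
# Added example (not from the original post): automates steps 1-3 and the
# final code-group check with PowerShell and System.Xml. All paths are
# assumptions for a default WSS 3.0 / MOSS 2007 "12 hive" install; set
# $WebConfig to the root web.config of the web application you are changing.
$ConfigDir = 'C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\CONFIG'
$WebConfig = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'   # assumption
$Source    = Join-Path $ConfigDir 'wss_minimaltrust.config'
$Custom    = Join-Path $ConfigDir 'wss_custom.config'
$SpPermissionClass = 'Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c'

# Hypothetical helper: load an XML file while keeping its original layout.
function Read-XmlFile([string]$Path) {
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.Load($Path)
    return $doc
}

# Step 1: copy the out-of-box minimal-trust policy; never overwrite an existing custom file.
if (-not (Test-Path $Custom)) {
    Copy-Item -Path $Source -Destination $Custom
}

# Step 2: register the WSS_Custom trust level in web.config and switch <trust> to it.
Copy-Item -Path $WebConfig -Destination "$WebConfig.bak" -Force   # rollback copy
$wc = Read-XmlFile $WebConfig
$securityPolicy = $wc.SelectSingleNode('/configuration/system.web/securityPolicy')
if (-not $securityPolicy) { throw "No <securityPolicy> element in $WebConfig" }
if (-not $securityPolicy.SelectSingleNode('trustLevel[@name="WSS_Custom"]')) {
    $tl = $wc.CreateElement('trustLevel')
    $tl.SetAttribute('name', 'WSS_Custom')
    $tl.SetAttribute('policyFile', $Custom)
    [void]$securityPolicy.AppendChild($tl)
}
$trust = $wc.SelectSingleNode('/configuration/system.web/trust')
$trust.SetAttribute('level', 'WSS_Custom')   # was WSS_Minimal
$wc.Save($WebConfig)

# Step 3: grant SharePointPermission with ObjectModel="True" to the SPRestricted set only.
$pol = Read-XmlFile $Custom
$spRestricted = $pol.SelectSingleNode('//PermissionSet[@Name="SPRestricted"]')
if (-not $spRestricted) { throw "SPRestricted permission set not found in $Custom" }
$already = $spRestricted.SelectSingleNode('IPermission[starts-with(@class,"Microsoft.SharePoint.Security.SharePointPermission")]')
if (-not $already) {
    $ip = $pol.CreateElement('IPermission')
    $ip.SetAttribute('class', $SpPermissionClass)
    $ip.SetAttribute('version', '1')
    $ip.SetAttribute('ObjectModel', 'True')   # the one property the post found to matter
    [void]$spRestricted.AppendChild($ip)
}
$pol.Save($Custom)

# Check: the code group covering $AppDirUrl$/* (and therefore bin\) must map to SPRestricted,
# otherwise the permission was added to a set the web application's DLLs never receive.
$codeGroup = $pol.SelectSingleNode('//CodeGroup[IMembershipCondition/@Url="$AppDirUrl$/*"]')
if (-not $codeGroup -or $codeGroup.GetAttribute('PermissionSetName') -ne 'SPRestricted') {
    Write-Warning 'The $AppDirUrl$/* code group does not use SPRestricted; re-check the policy file.'
} else {
    Write-Host 'WSS_Custom configured; ASP.NET recycles the application when web.config is saved.'
}
```

Run it in an elevated PowerShell session on each web front end, since both files are local to the server. The script is idempotent: re-running it does not add a second trustLevel or IPermission element, and the web.config.bak copy gives you a one-step rollback if the web application stops loading after the change.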

1 comment:

  1. [...] or create a custom trust level. To create a custom trust level see the post How to create custom trust level in sharepoint [...]
