Adding custom Code Access Security (CAS) policy in SharePoint

While writing code behind (aside) for our custom SharePoint pages, we often run into a Security Exception error after placing the dlls in the bin folder of the site’s virtual directory. This happens because of the trust level granted to the dlls, and we fix it by simply changing the trust level to Full in the web.config file. Even though that fixes the issue, it opens up a security hole in your application by allowing all the dlls to execute with full trust. The better way is to create our own custom policy file and hook it up in the web.config file. Follow the steps below to create your own CAS policy.

1. Open the 12 hive and navigate to the config folder.

2. Copy the contents of wss_mediumtrust.config to another file with your custom name, custom_policy.config.

3. Now create your code group and add your dll with PermissionSetName set to FullTrust. Add all your dlls to the file in the same way. Below is part of my custom policy file with code groups defined for the dlls.

<!-- One code group per page assembly: the Url condition matches that dll only -->
<CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
  <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/bin/App_Web_activation.aspx.cdcab7d2.dll" />
</CodeGroup>

<CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
  <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/bin/App_Web_registration.aspx.cdcab7d2.dll" />
</CodeGroup>

<CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
  <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/bin/App_Web_fpassword.aspx.cdcab7d2.dll" />
</CodeGroup>

<CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
  <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/bin/App_Web_myaccount.aspx.cdcab7d2.dll" />
</CodeGroup>

<CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
  <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/bin/App_Web_myprofile.aspx.cdcab7d2.dll" />
</CodeGroup>

<CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
  <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/bin/App_Web_purchasehistory.aspx.cdcab7d2.dll" />
</CodeGroup>

<!-- Wildcard: matches every assembly under _app_bin -->
<CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
  <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/_app_bin/*" />
</CodeGroup>

4. Navigate to your site’s virtual directory and open the web.config file.

5. Add the custom policy file as follows.

<securityPolicy>
<trustLevel name="WSS_Medium" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_mediumtrust.config" />
<trustLevel name="WSS_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_minimaltrust.config" />
<trustLevel name="Custom_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\Custom_minimal.config" />
</securityPolicy>

6. Set the trust level to point to your custom policy.

<trust level="Custom_Minimal" originUrl="" />

7. Do an IISRESET.

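As simple as that :). Note that I’ve specified each and every dll separately in the policy file. If you want all the dlls in the bin folder to be added in the policy, simply give it as bin/* in the code group. Keep in mind that a wildcard grants FullTrust to any dll that is later placed in bin, so listing the dlls individually is the tighter option.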
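An added example, not part of the original post: a Python check that lists which URLs a policy file grants FullTrust to, flagging wildcards such as bin/*, and resolves which policy file the trust level in web.config actually points at. The sample XML is constructed for illustration and the C:\example paths are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real server): a cut-down policy
# file and web.config using the page's element names and trust level name.
POLICY = r"""<PolicyLevel version="1">
 <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
  <IMembershipCondition class="AllMembershipCondition" version="1" />
  <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
   <IMembershipCondition class="UrlMembershipCondition" version="1"
      Url="$AppDirUrl$/bin/App_Web_myaccount.aspx.cdcab7d2.dll" />
  </CodeGroup>
  <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
   <IMembershipCondition class="UrlMembershipCondition" version="1"
      Url="$AppDirUrl$/bin/*" />
  </CodeGroup>
 </CodeGroup>
</PolicyLevel>"""
WEB_CONFIG = r"""<configuration><system.web>
 <securityPolicy>
  <trustLevel name="WSS_Minimal" policyFile="C:\example\wss_minimaltrust.config" />
  <trustLevel name="Custom_Minimal" policyFile="C:\example\Custom_minimal.config" />
 </securityPolicy>
 <trust level="Custom_Minimal" originUrl="" />
</system.web></configuration>"""

def full_trust_grants(policy_xml):
    """List (url, is_wildcard) for each URL-based code group granting FullTrust."""
    root = ET.fromstring(policy_xml)  # ParseError here means the file is malformed
    grants = []
    for group in root.iter("CodeGroup"):
        cond = group.find("IMembershipCondition")
        url = cond.get("Url") if cond is not None else None
        if group.get("PermissionSetName") == "FullTrust" and url:
            grants.append((url, url.endswith("*")))
    return grants

def active_policy_file(web_config_xml):
    """Resolve <trust level> to its <trustLevel policyFile>; None if undefined."""
    root = ET.fromstring(web_config_xml)
    trust = root.find(".//trust")
    level = trust.get("level") if trust is not None else None
    for entry in root.iter("trustLevel"):
        if entry.get("name") == level:
            return level, entry.get("policyFile")
    return level, None  # built-in level such as Full, or a name with no entry

if __name__ == "__main__":
    print("active policy:", active_policy_file(WEB_CONFIG))
    for url, wildcard in full_trust_grants(POLICY):
        print("FullTrust", "WILDCARD" if wildcard else "single dll", url)
```

Run it against the real files before the IISRESET: a parse error or a policy file of None means the site will not load the policy you intended.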

Access denied error during login in IE after migrating a SharePoint Publishing Portal

Recently I faced this problem while trying to migrate a publishing portal using the stsadm backup and restore commands. I was hit by a strange problem where I wasn’t able to log in to the site even with the administrative account. But I was able to log in when I opened the site in Google Chrome and Firefox (?!). Finally, after googling it and going through the MSDN forums, I found that it was due to some Windows Server security patch.

You can find the fix for the issue here – http://support.microsoft.com/default.aspx/kb/896861.

The MSDN discussion link about the issue – http://social.technet.microsoft.com/Forums/en-US/sharepointadmin/thread/e044ed41-2be8-4e1c-8bcf-6460c0f0c777.