Here I'm going to explain how to use a Code Access Security (CAS) policy configuration to lock down a web part that makes a "this.Page.LoadControl()" call to load a user control.
- First create a custom web part. In its CreateChildControls() method, load a custom user control like this:
Control control = this.Page.LoadControl("~/usercontrols/MyUserControl.ascx");
- Then copy the two DLLs (TestUserControl.dll and TestWebPart.dll) to the bin directory (e.g. ..\Inetpub\wwwroot\wss\VirtualDirectories\80\bin).
- Now copy the ASCX (TestUserControl.ascx) to the usercontrols directory (e.g. ..\Inetpub\wwwroot\wss\VirtualDirectories\80\usercontrols).
- In order to use these controls in our SharePoint site, we need to add appropriate SafeControl entries to the web.config for these two DLLs.
- Make sure the trust level in the web.config is set to "Full" and save.
- In SharePoint go into Site Settings, click on "Web Parts" under "Galleries", click "New" and add the web part to the gallery (e.g. MyWebPart). Edit a page and add the web part. The web part will work as expected! But remember, this uses the Full trust policy :)
Using Custom CAS Configuration:
- Now let's add our own configuration file in the 12 hive CONFIG folder. The easiest way is to make a copy of any of the existing config files, say the wss_minimal_trust.config policy file, and rename it to custom_trust.config.
a. In the new policy file, add the <SecurityClass> declaration under <SecurityClasses>:
<SecurityClass Name="SharePointPermission" Description="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"/>
b. Make a copy of the <PermissionSet> named "SPRestricted" and set the name of the copy to "SPRestrictedCustom".
c. Add the following <IPermission> declaration to the new SPRestrictedCustom <PermissionSet>:
<IPermission class="SharePointPermission"
version="1"
ObjectModel="True"/>
d. Add <CodeGroup> declarations for the user control assembly and the web part assembly:
<CodeGroup
    class="UnionCodeGroup"
    version="1"
    PermissionSetName="SPRestrictedCustom">
    <IMembershipCondition
        class="StrongNameMembershipCondition"
        version="1"
        PublicKeyBlob="0024.."
        Name="MyUserControl"/>
</CodeGroup>
<CodeGroup
    class="UnionCodeGroup"
    version="1"
    PermissionSetName="SPRestrictedCustom">
    <IMembershipCondition
        class="StrongNameMembershipCondition"
        version="1"
        PublicKeyBlob="0024…"
        Name="MyWebPart"/>
</CodeGroup>
- Modify the web.config for the web application as follows:
a. Add the following <trustLevel> under <system.web><securityPolicy>:
<trustLevel name="WSS_Custom" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\custom_trust.config" />
b. Change the trust level from "Full" to "WSS_Custom".
- Now try the web part again, and you will end up with this error:
The file '/usercontrols/MyUserControl.ascx' does not exist. - StackTrace:
   at System.Web.UI.Util.CheckVirtualFileExists(VirtualPath virtualPath)
   at System.Web.Compilation.BuildManager.GetVPathBuildResultInternal(VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile)
   at System.Web.Compilation.BuildManager.GetVPathBuildResultWithNoAssert(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile)
   at System.Web.UI.TemplateControl.LoadControl(VirtualPath virtualPath)
   at System.Web.UI.TemplateControl.LoadControl(String virtualPath)
   at TestWebPart.TestWebPart.CreateChildControls()
So where does the problem lie?
Does the error message mean that the file MyUserControl doesn't exist, or is the error message misleading us? The file does exist in the usercontrols folder. Could the error be caused by a security exception? Quite possibly!
Let's first make sure that the minimum permission required by some of the assemblies is granted. This can be done using the Minimum Grant Set Determination tool, PermCalc.exe (https://msdn.microsoft.com/en-us/library/ms165077(VS.80).aspx ). Run this tool with the "-Sandbox" flag; here's the output we get:
<?xml version="1.0"?>
<Sandbox>
<PermissionSet version="1" class="System.Security.PermissionSet" Unrestricted="true" />
</Sandbox>
So the output asks for an unrestricted permission set of class System.Security.PermissionSet. In our config file we have:
<SecurityClass Name="NamedPermissionSet" Description="System.Security.NamedPermissionSet"/>
Inheritance Hierarchy
> System.Object
> System.Security.PermissionSet
> System.Security.NamedPermissionSet
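Hence, in our custom permission set named SPRestrictedCustom, add Unrestricted="true", because it points to the class "NamedPermissionSet", which derives from PermissionSet. With this attribute, every assembly matched by a code group that references SPRestrictedCustom is granted all permissions.
<PermissionSet
    class="NamedPermissionSet"
    version="1"
    Name="SPRestrictedCustom"
    Unrestricted="true">
    <!-- <IPermission> entries copied from SPRestricted stay here -->
</PermissionSet>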
Now, run the SharePoint application with the web part and it should work as expected without any error.
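An added example, not part of the original post: a Python check that reads a policy file shaped like custom_trust.config and reports, for each code group, whether its PermissionSetName resolves to a declared permission set and whether that set is unrestricted. The embedded policy is a constructed sample with placeholder key blobs; audit_policy and the verdict labels are names chosen for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like custom_trust.config; key blobs are placeholders.
SAMPLE_POLICY = """
<configuration><mscorlib><security><policy><PolicyLevel version="1">
 <NamedPermissionSets>
  <PermissionSet class="NamedPermissionSet" version="1" Name="Nothing"/>
  <PermissionSet class="NamedPermissionSet" version="1" Name="SPRestricted"/>
  <PermissionSet class="NamedPermissionSet" version="1"
     Name="SPRestrictedCustom" Unrestricted="true"/>
 </NamedPermissionSets>
 <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
  <IMembershipCondition class="AllMembershipCondition" version="1"/>
  <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="SPRestrictedCustom">
   <IMembershipCondition class="StrongNameMembershipCondition" version="1"
      PublicKeyBlob="PLACEHOLDER" Name="MyWebPart"/>
  </CodeGroup>
  <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName=" SPRestrictedCustom ">
   <IMembershipCondition class="StrongNameMembershipCondition" version="1"
      PublicKeyBlob="PLACEHOLDER" Name="MyUserControl"/>
  </CodeGroup>
 </CodeGroup>
</PolicyLevel></policy></security></mscorlib></configuration>
"""

def audit_policy(xml_text):
    """Return (membership, permission-set name, verdict) for every CodeGroup."""
    root = ET.fromstring(xml_text)
    sets = {ps.get("Name"): ps for ps in root.iter("PermissionSet") if ps.get("Name")}
    trimmed = {name.strip() for name in sets}
    findings = []
    for group in root.iter("CodeGroup"):
        raw = group.get("PermissionSetName", "")
        cond = group.find("IMembershipCondition")
        who = "?" if cond is None else (cond.get("Name") or cond.get("class"))
        if raw in sets:
            unrestricted = sets[raw].get("Unrestricted", "").lower() == "true"
            verdict = "full-trust" if unrestricted else "restricted"
        elif raw.strip() in trimmed:
            verdict = "name-mismatch"  # stray whitespace around the set name
        else:
            verdict = "unknown-set"
        findings.append((who, raw, verdict))
    return findings

if __name__ == "__main__":
    for who, name, verdict in audit_policy(SAMPLE_POLICY):
        print(f"{who:25} {name!r:24} {verdict}")
```

To check a real file, pass its contents to audit_policy instead of SAMPLE_POLICY; every "full-trust" row is an assembly or membership condition that runs without CAS restrictions.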
Reference MSDN Article : https://msdn.microsoft.com/en-us/library/aa302425.aspx
Comments
- Anonymous
July 01, 2009
Great post. I have been searching the whole day figuring out how to fix the exact error when a partially trusted web part loads a user control. Most posts directed me to SmartPart. Thanks!
- Anonymous
August 17, 2009
Do you know how to set Unrestricted=true to the permissionset in the manifest.xml? Thanks for the post, it's very useful!