When, why and how to deal with Custom Security Trimmer in Enterprise Search? - Part II
In Part II we will go through the code in a little more depth.
Check permission against different systems
Please open this page:
https://msdn2.microsoft.com/en-us/library/aa981173.aspx
and look at this part of the code.
for (int x = 0; x < crawlURLs.Count; x++)
{
    /*
    To fully implement the security trimmer, add code to perform the security check and determine if strUser can access crawlURLs[x].
    If strUser can access crawlURLs[x], then:
    */
    retArray[x] = true;
    //If not:
    retArray[x] = false;
}
A simple enough explanation. But how do you actually do it?
1. Use WindowsIdentity.GetCurrent().Name to get the current username or, if you are using FBA, HttpContext.Current.User.Identity.Name.
2. Then use this username to check with the target system: if the user has permission to crawlURLs[x], return true.
Different systems have different security checking methods. Here are some suggested ways to check security:
Content source | Method |
Web Sites, with SQL Server in backend | Use System.Data.SqlClient directly to query the database and get the permission |
Web Sites, with Oracle in backend | System.Data.OracleClient. You must install Oracle Client first. |
Web Sites, with DB2 in backend | DB2 .NET Data Provider; ODBC |
Web Sites, with MySQL in backend | MySQLDriverCS (https://sourceforge.net/projects/mysqldrivercs/) or MySQL Connector/NET (https://www.mysql.com/products/connector/net/) |
File Share | File.GetAccessControl. SharePoint already has a built-in security trimming function for file shares, so it would be very uncommon to need a CST in this scenario. But be aware: if you want extra security trimming for file shares, the built-in security trimmer (the one applied at query time that we talked about in Part I) will be applied first. There is no way to replace it. And if you are using FBA, which means your current identity changes from a Windows user to an HttpContext user, you will get nothing in your search results if the file share is not a public one. |
Lotus Notes | Lotus Domino Objects, a COM object that can be used from other languages |
If you want better performance when a CST is applied...
I suggest that you cache the permission settings on your own box and check them in the CST. Remote calls can have a huge impact on performance, especially with Lotus Notes. Meanwhile, checking security against a remote machine also puts load on the target system. If that system is critical, this will affect the customer's business.
The caching can be done with some small tools; for example, you can write a small application that uses Lotus Domino Objects to pull all the Notes ACLs back into a SQL table. Which approach you take is up to you.
Another important thing is to set a CheckLimit in your CST. If the CheckLimit is reached, the CST reports something back to the user, or does whatever you have defined, and stops the check. The message can be something like "too many results pls refine your keywords" or "Please try keyword1+keyword2+keyword3". That will help.
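The permission check, the local cache and the CheckLimit described above, put together as an added example (not code from the MSDN sample or from this post). `CachedTrimmerCore`, `AclCache`, `TrimWithCache`, the exception type and the sample accounts and URLs are assumptions; the in-memory dictionary stands in for the locally cached SQL table.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;

// Added example, not the MSDN sample. All names and data below are hypothetical.
public static class CachedTrimmerCore
{
    // Stand-in for the locally cached permission table (URL -> allowed accounts).
    // Constructed sample data; a real trimmer would load this from its own SQL table.
    static readonly Dictionary<string, HashSet<string>> AclCache =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "https://localhost:8100/hr/salaries.aspx",
              new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CONTOSO\alice" } },
            { "https://localhost:8100/news/today.aspx",
              new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CONTOSO\alice", @"CONTOSO\bob" } }
        };

    // Returns one bit per URL; checkedSoFar carries the running count for the query.
    public static BitArray TrimWithCache(string user, IList<string> crawlURLs,
                                         int checkLimit, ref int checkedSoFar)
    {
        // Stop before doing any lookups once the limit is passed; the message is
        // what the user is told. InvalidOperationException is a stand-in type.
        checkedSoFar += crawlURLs.Count;
        if (checkedSoFar > checkLimit)
            throw new InvalidOperationException("Too many results, please refine your keywords.");

        BitArray retArray = new BitArray(crawlURLs.Count); // every bit starts false
        if (string.IsNullOrEmpty(user)) return retArray;   // no identity: deny all

        for (int x = 0; x < crawlURLs.Count; x++)
        {
            HashSet<string> allowed;
            // Deny by default: a URL missing from the cache is never shown.
            retArray[x] = AclCache.TryGetValue(crawlURLs[x], out allowed)
                          && allowed.Contains(user);
        }
        return retArray;
    }

    public static void Main()
    {
        int count = 0;
        string[] urls = { "https://localhost:8100/hr/salaries.aspx",
                          "https://localhost:8100/news/today.aspx",
                          "https://localhost:8100/unknown.aspx" };
        BitArray bits = TrimWithCache(@"contoso\BOB", urls, 200, ref count);
        foreach (bool b in bits) Console.WriteLine(b);
    }
}
```

Starting from an all-false array means a stale or incomplete cache hides results rather than leaking them, which is the safer failure for a trimmer.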
Register a custom security trimmer
The trimmer must be compiled with a strong name. You must first install it into the global assembly cache (GAC) with the following command (there are some errors in the SDK):
C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>gacutil.exe /i c:\Trimmer\CustomSecurityTrimmerSample.dll /f
C:\Trimmer\CustomSecurityTrimmerSample.dll is my trimmer's path; replace it with your own.
A very important step: create an "include" crawl rule with the URL you want to bind this CST to. If you don't create it, you cannot deploy the trimmer. In this sample, the path is https://localhost:8100/*.
Then deploy it with stsadm:
C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN>stsadm -o registersecuritytrimmer -ssp SharedServices1 -id 2 -typeName "CustomSecurityTrimmerSample.CustomSecurityTrimmer, CustomSecurityTrimmerSample, Version=1.0.0.0, Culture=neutral, PublicKeyToken=b6c7fa67516b1230" -rulepath https://localhost:8100/*
PublicKeyToken is the token you can see in the windows\assembly directory. rulepath is the crawl rule path you just created.
And don't forget iisreset. After that, whenever a search result matches the crawl rule, the CST will be launched to check the permission.