Thursday, May 31, 2007

MOSS Code Access Security and Web Parts

Congratulations! You've built a web part and successfully deployed to your MOSS server. Access Denied! What?! (*&*^%

Well, that's what I said when I deployed my MOSS Web Part. Join the club. It turns out that we were blocked by Code Access Security (CAS): the web application's trust level did not grant our assembly the permissions it asked for.

As with any change that depends on an assembly's strong name, you will need the Public Key Token and the Public Key Blob of your DLL. You can get both by running sn.exe -Tp [pathToAssembly]\[assemblyFileName] from a Visual Studio command prompt; the blob is the long hex string printed under "Public key is" (if sn.exe wraps it across several lines, join the lines with no whitespace before pasting it into a policy file). There are some nifty things you can do by adding this as a button in your VS IDE as well, but that would be a topic for a later post.

You can find sn.exe in "[Drive]:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\sn.exe"

***Please note: wherever a PublicKeyBlob or PublicKeyToken appears in the snippets below, replace it with the values sn.exe printed for your own assembly.

Approaches

There are quite a few approaches to this problem, but as with most things technical, some of them are best practice and some of them are just the first thing that works.

First – GAC It

Of course the first thing a developer would do is throw the DLL into the GAC. This does solve the problem, because everything in the GAC runs with full trust regardless of the web application's trust level; however, that means your web part can do anything the worker process can, which is rarely what you want and is not best practice.

Second - _App_Bin

The second thing you may try is to throw the DLL into the _app_bin folder. Poof! That worked, but some other stuff doesn't work quite right? That is correct, ladies and gentlemen, because this location is meant for DLLs supporting the MOSS _layouts application pages and is not meant for you.

Third – Medium/Full Trust

While you may read on some posts that you should just switch the trust level in web.config to WSS_Medium or Full, this raises the permissions of every assembly in the web application, not just yours. It does not give you the control you want and may in fact give far too much access.

Fourth – Custom Policy File

What now? Custom policies are the answer. If you open the web.config file of the web application you are deploying to, you will see a trust level. By default the trust level for MOSS web applications is WSS_Minimal, and for good reason: code in the bin folder gets just enough to execute and render. What does this mean? The trust levels are declared in the securityPolicy section of the same web.config, and each one points to a policy file in the CONFIG folder of your MOSS installation.

File Sections

First Section

These are the SecurityClass entries: every permission class, membership-condition class and code-group class the file may reference, each mapped to its fully qualified type name and the public key token of the assembly that defines it. Basically a registry of all the permissions the file can hand out.

Second Section

These are the named permission sets. Each one groups permissions from the first section into a set and fixes the level of each permission (for example AspNetHostingPermission at Level="Minimal").

Third Section

These are the code groups, which associate assemblies with permission sets through membership conditions (URL, zone or strong name).

This file is essentially a hierarchical flow of permissions to DLLs: the classes define what can be granted, the sets bundle it, and the code groups decide which assembly gets which bundle.

Important:

It is important to note that it is not only best practice but most certainly required that you sign your assembly and give it a strong name. The code group below matches on the StrongNameMembershipCondition, so an unsigned assembly can never be matched by it.

What we are going to do:

  • Copy the WSS_Minimaltrust.config to WSS_Custom_Minimaltrust.config
    (drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config).
  • You are then going to add a new trustLevel entry to the securityPolicy section of the web.config that will look like:

  • Let's also make sure to change the trust level in the web.config of your application to the name of your newly created entry.

Currently it probably looks like:

We are then going to add the SharePoint permission that allows the assembly to read the SharePoint object model.

    • Do this by copying the SharePointPermission SecurityClass from the medium trust file into the SecurityClasses section (the first section) of your copied minimal trust file, if the copy does not already declare it:

      <SecurityClass
          Name="SharePointPermission"
          Description="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />

  • Create a new Permission Set called SPObjectModelRead in the NamedPermissionSets section:

    <PermissionSet class="NamedPermissionSet" version="1" Name="SPObjectModelRead">
      <IPermission class="SharePointPermission" version="1" ObjectModel="True" />
      <IPermission class="AspNetHostingPermission" version="1" Level="Minimal" />
      <IPermission class="SecurityPermission" version="1" Flags="Execution" />
      <IPermission class="WebPartPermission" version="1" Connections="True" />
    </PermissionSet>


  • Create a new Code Group to map your newly created Permission Set to your assembly. The root CodeGroup of the policy file is a FirstMatchCodeGroup, so place this group before the existing UnionCodeGroup whose membership condition is Url="$AppDirUrl$/*"; otherwise the DLL in your bin folder matches that group first and quietly receives the ASP.Net set instead of yours:

    <CodeGroup
        class="UnionCodeGroup"
        version="1"
        PermissionSetName="SPObjectModelRead"
        Name="Rotating Image Web Part"
        Description="This code group grants the Rotating Image Web Part SPObjectModelRead permissions.">
      <IMembershipCondition
          class="StrongNameMembershipCondition"
          version="1"
          PublicKeyBlob="0024000004800000940000000602000000240000525341310004000001000100af8c04c7f1100d8af5aa7792388fee59f8e07dba7ff313d5fc9cf694aa8dcc394e0db13f96d699c8f6c5a6fe155a0123d817a1363f4cc2fa1ea90ea4c7971bee26717b116d68346efdea6011baa994aced602761da653781b5eece7045b916d4e82431ef4467599c5425194bb564664d83a08d269ec6c38031460e0b0047f4d3" />
    </CodeGroup>
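The whole procedure above, collected in one place as an added example (these are not the original post's files): the two web.config edits and the three policy-file edits, each shown where it sits in the copied file. The trust level name WSS_Custom_Minimal, the drive letter and the elided neighbouring entries are assumptions; the PublicKeyBlob is the post's own sample and must be replaced with what sn.exe -Tp prints for your assembly.

```xml
<!-- 1. web.config of the web application (assumed paths; trust level name is an assumption) -->
<system.web>
  <securityPolicy>
    <trustLevel name="WSS_Medium"
      policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_mediumtrust.config" />
    <trustLevel name="WSS_Minimal"
      policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_minimaltrust.config" />
    <!-- new entry pointing at the copied policy file -->
    <trustLevel name="WSS_Custom_Minimal"
      policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\WSS_Custom_Minimaltrust.config" />
  </securityPolicy>
  <!-- was: <trust level="WSS_Minimal" originUrl="" /> -->
  <trust level="WSS_Custom_Minimal" originUrl="" />
</system.web>

<!-- 2. WSS_Custom_Minimaltrust.config (a copy of wss_minimaltrust.config with three additions) -->
<configuration>
  <mscorlib>
    <security>
      <policy>
        <PolicyLevel version="1">

          <SecurityClasses>
            <!-- ... existing SecurityClass entries from the copied file ... -->
            <!-- (a) register the permission class; skip if the copy already declares it -->
            <SecurityClass Name="SharePointPermission"
              Description="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
          </SecurityClasses>

          <NamedPermissionSets>
            <!-- ... FullTrust, Nothing and ASP.Net sets from the copied file ... -->
            <!-- (b) the minimal set plus read access to the object model -->
            <PermissionSet class="NamedPermissionSet" version="1" Name="SPObjectModelRead">
              <IPermission class="SharePointPermission" version="1" ObjectModel="True" />
              <IPermission class="AspNetHostingPermission" version="1" Level="Minimal" />
              <IPermission class="SecurityPermission" version="1" Flags="Execution" />
              <IPermission class="WebPartPermission" version="1" Connections="True" />
            </PermissionSet>
          </NamedPermissionSets>

          <!-- root is FirstMatchCodeGroup: the first child whose condition matches wins -->
          <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
            <IMembershipCondition class="AllMembershipCondition" version="1" />

            <!-- (c) strong-name group goes BEFORE the $AppDirUrl$/* group, or the bin
                 folder match below fires first and the web part gets only ASP.Net -->
            <CodeGroup class="UnionCodeGroup" version="1"
              PermissionSetName="SPObjectModelRead"
              Name="Rotating Image Web Part"
              Description="This code group grants the Rotating Image Web Part SPObjectModelRead permissions.">
              <!-- sample blob from the post; replace with your own sn.exe -Tp output -->
              <IMembershipCondition class="StrongNameMembershipCondition" version="1"
                PublicKeyBlob="0024000004800000940000000602000000240000525341310004000001000100af8c04c7f1100d8af5aa7792388fee59f8e07dba7ff313d5fc9cf694aa8dcc394e0db13f96d699c8f6c5a6fe155a0123d817a1363f4cc2fa1ea90ea4c7971bee26717b116d68346efdea6011baa994aced602761da653781b5eece7045b916d4e82431ef4467599c5425194bb564664d83a08d269ec6c38031460e0b0047f4d3" />
            </CodeGroup>

            <!-- existing group: everything else in the bin folder stays at ASP.Net (minimal) -->
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="ASP.Net">
              <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/*" />
            </CodeGroup>
            <!-- ... remaining code groups from the copied file ... -->
          </CodeGroup>

        </PolicyLevel>
      </policy>
    </security>
  </mscorlib>
</configuration>
```

After saving both files run iisreset so the worker process reloads the policy. To check that the strong name actually matches, compare the blob in the code group with what sn.exe -Tp prints for the DLL that is really in the bin folder; a stale build signed with a different key is the usual reason the group never fires. If you want the grant to be narrower than "anything signed with this key", StrongNameMembershipCondition also accepts Name and Version attributes that pin it to one assembly.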

