Custom Code Access Security

Feb 19, 2009 at 2:38 PM
Edited Feb 21, 2009 at 2:12 AM
I have been struggling for 4 days to get custom code access security working. Really Microsoft need to improve their game with this, documentation is severely lacking, error messages unhelpful, shocking from Microsoft. Many years ago I gave up on Java development because of this kind of poor, incomplete product. From reading resources on the web, many well-seasoned SharePoint developers have given up on CAS and deploy to the GAC or elevate the trust level to full control.

My very simple webpart fails on the SPSecurity.RunWithElevatedPrivileges line. Please I would appreciate any pointers but I am sure further CAS errors will appear as soon as I add more logic to this web part.

In my WSPBuilder.exe.config I have added the key <add key="BuildCAS" value="true" />

In my createWSP.bat I added the switch -BuildCas true





[Microsoft.SharePoint.Security.SharePointPermission(SecurityAction.Demand, ObjectModel = true)]
[Microsoft.SharePoint.Security.SharePointPermission(SecurityAction.Demand, Impersonate = true)]
protected override void RenderContents(System.Web.UI.HtmlTextWriter writer)
{
    SPUser user = SPContext.Current.Web.CurrentUser;
    SPSecurity.RunWithElevatedPrivileges(
        delegate()
        {
            writer.Write(user.Name.ToString());
        }
    );
}


System.Security.SecurityException: Request for the permission of type 'Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c' failed.
   at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
   at Hickley.WebParts.Hello.WebPart.RenderContents(HtmlTextWriter writer)
The action that failed was: Demand
The type of the first permission that failed was: Microsoft.SharePoint.Security.SharePointPermission
The Zone of the assembly that failed was: MyComputer



Feb 21, 2009 at 12:46 AM
Edited Feb 21, 2009 at 1:03 PM
I have read various comments on this forum to say "put the dll in the 80\bin folder" and it will update the manifest. Well, a bit more meat needs to be put on this comment, but I take it as meaning "in Visual Studio add an existing item to the 80\bin folder in the Solution Explorer".

I see a custom permission set in the manifest.
I see <trust level="wss_custom" originUrl="" /> in the web.config.
I see a wss_custom_wss_minimaltrust.config created.
I see a permission set and code group in the wss_custom_wss_minimaltrust.config

My code still fails at SPSecurity.RunWithElevatedPrivileges().

System.Security.SecurityException: Request for the permission of type 'Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c' failed.
   at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
   at Hickley.WebParts.Hello.WebPart.RenderContents(HtmlTextWriter writer)
The action that failed was: Demand
The type of the first permission that failed was: Microsoft.SharePoint.Security.SharePointPermission
The Zone of the assembly that failed was: MyComputer

Where are the documentation, FAQs and troubleshooting guide for WSPBuilder?
Feb 24, 2009 at 4:43 PM
Even though you have a permission set defined, you may not have the security class related to the permission set.

Since the base config for your custom file is wss_minimal, it doesn't have the security class for type 'Microsoft.SharePoint.Security.SharePointPermission'.
You add the security class for this on top of the wss_custom_wss_minimaltrust.config file and it should solve your problem.

Thanks
Feb 25, 2009 at 5:13 AM

Thank you for your reply.

I need to add this permission manually to the wss_custom_wss_minimaltrust.config? But I really hoped using WSPBuilder would eliminate any need to manually edit config files. I want my web part to be re-deployable to another environment without need to give instructions to manually edit config files.

Over one week I have spent on this with no resolution. I think maybe WSPBuilder is not ready.
Jun 1, 2009 at 10:41 AM

Hi,

I am facing the same issue. Is there any resolution to this?

Regards,

Ravi

Jun 3, 2009 at 5:02 PM

Yes, I'm stuck with this too - and I'm afraid I don't understand the instructions here. And I do need the web.config to be configured automatically - manual editing of config files is not allowed.

Jun 4, 2009 at 11:31 AM

Made some progress. My automatically generated CAS policy in the manifest.xml contained:

  <IPermission class="SecurityPermission" version="1" Flags="Assertion, Execution, ControlThread, ControlPrincipal, RemotingConfiguration" />
  <IPermission class="SqlClientPermission" version="1" Unrestricted="true" />
  <IPermission class="FileIOPermission" version="1" Read="$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$" />
  <IPermission class="WebPartPermission" version="1" Connections="True" />
  <IPermission class="EnvironmentPermission" version="1" Read="TEMP;TMP;USERNAME;OS;COMPUTERNAME" />
  <IPermission class="SharePointPermission" version="1" ObjectModel="True" />
  <IPermission class="SmtpPermission" version="1" Access="Connect" />
  <IPermission class="AspNetHostingPermission" version="1" Level="Medium" />
  <IPermission class="IsolatedStorageFilePermission" version="1" Allowed="AssemblyIsolationByUser" UserQuota="9223372036854775807" />
  <IPermission class="WebPermission" version="1">
    <ConnectAccess>
      <URI uri="$OriginHost$" />
    </ConnectAccess>
  </IPermission>
  <IPermission class="DnsPermission" version="1" Unrestricted="true" />
  <IPermission class="PrintingPermission" version="1" Level="DefaultPrinting" />

This seemed a bit much - all I was doing was reading some information about a list, so SQL, FileIO, Smtp - all seemed a bit much. So I wrote my own CAS Policy file, and included it using -CustomCAS. My file contained:

<IPermission class="AspNetHostingPermission" version="1" Level="Minimal" />
<IPermission class="SecurityPermission" version="1" Flags="Execution" />
<IPermission class="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" version="1" ObjectModel="True" UnsafeSaveOnGet="True" Unrestricted="True" />

This worked. I notice that instead of the 'SharePointPermission' IPermission it was suggested that I try the fully qualified name. Hopefully that might help someone.
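
Added example (not part of the thread and not WSPBuilder code): a Python check for the two points raised above, the Feb 24 reply about the missing security class and the Jun 4 result with the fully qualified name. It lists every IPermission in a trust policy file whose short class name has no matching SecurityClass entry. The sample policy and the permission set name hello_webpart_set are constructed, and treating an assembly-qualified class name as resolvable is an assumption taken from the last post.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down wss_custom_wss_minimaltrust.config that has
# no SecurityClass entry for SharePointPermission (the situation in the thread).
SAMPLE_POLICY = """\
<configuration><mscorlib><security><policy>
<PolicyLevel version="1">
  <SecurityClasses>
    <SecurityClass Name="AspNetHostingPermission" Description="System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
    <SecurityClass Name="SecurityPermission" Description="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
  </SecurityClasses>
  <NamedPermissionSets>
    <PermissionSet class="NamedPermissionSet" version="1" Name="hello_webpart_set">
      <IPermission class="AspNetHostingPermission" version="1" Level="Minimal"/>
      <IPermission class="SecurityPermission" version="1" Flags="Execution"/>
      <IPermission class="SharePointPermission" version="1" ObjectModel="True"/>
    </PermissionSet>
  </NamedPermissionSets>
</PolicyLevel>
</policy></security></mscorlib></configuration>
"""


def unresolved_permissions(policy_xml):
    """Return (permission set name, class) pairs that cannot be resolved.

    A short class name must match a <SecurityClass Name="..."> entry in the
    same policy file. A value containing a comma is taken to be an
    assembly-qualified type name that needs no lookup (assumption, see lead-in).
    """
    root = ET.fromstring(policy_xml)
    declared = {sc.get("Name") for sc in root.iter("SecurityClass")}
    missing = []
    for pset in root.iter("PermissionSet"):
        for perm in pset.iter("IPermission"):
            cls = perm.get("class", "")
            if "," not in cls and cls not in declared:
                missing.append((pset.get("Name"), cls))
    return missing


if __name__ == "__main__":
    for set_name, cls in unresolved_permissions(SAMPLE_POLICY):
        print(f"{set_name}: no SecurityClass entry for '{cls}'")
```

Run it against the generated policy file after each deployment; an empty result means every permission class in the file is either declared or fully qualified.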