Oguz Demirel

Understanding & Securing SharePoint Application Pages

Session Materials

In this session, we will have:

  • Presentation

  • Demo

  • Sample Code (Visual Studio Solution)

About This Session

  • Description

    • Securing SharePoint Application Pages

  • Audience

    • Primary: Developers

    • Secondary: Support

  • Session Prerequisites

    • SharePoint Development or Support experience

  • Session Objectives

    • Understanding different SP App Page types and usage

    • Securing application pages

Session Outline

  • Module 1: Introduction to Application Pages

  • Module 2: UnsecuredLayoutsPageBase

    • Demo: UnsecureAppPage.aspx

  • Module 3: LayoutsPageBase

    • Demo: SecureAppPage.aspx

  • Module 4: WebAdminPageBase

    • Demo: AdminAppPage.aspx

  • Q & A (at the end – please note your questions)

Module 1: Introduction to SharePoint Application Pages

Intro

  • There are 3 types of SharePoint Application Pages:

    • UnsecuredLayoutsPageBase

    • LayoutsPageBase

    • WebAdminPageBase

Intro (cont’d)

  • This actually means there are 3 base classes from which you can derive your custom application page. (Note the class names above.)

    • UnsecuredLayouts & Layouts pages under namespace: Microsoft.SharePoint.WebControls

    • WebAdmin page under namespace: Microsoft.SharePoint.ApplicationPages*

* Reference Microsoft.SharePoint.ApplicationPages.dll to use it!


Module 2: UnsecuredLayoutsPageBase

Description

  • Represents an application page, sometimes called a layouts page, that can request certain resources and verify that the client has not been disconnected.

  • In general, use UnsecuredLayoutsPageBase as a base class for pages to which even unauthenticated users must have access, such as a login page.

Samples – Login Page

  • Login.aspx

    • Displays a login page allowing users to enter forms authentication credentials.

Samples – Access Denied Page

  • AccessDenied.aspx

    • Displays a notice that you have been denied access to the requested resource. Shows the name of the currently logged-in user and a link to sign in as a different user.

Samples – Confirmation Page

  • Confirmation.aspx

    • Displays a message indicating that the requested operation succeeded.

Samples – Request Access Page

  • ReqAcc.aspx

    • Displays a notice that you have been denied access to the requested resource.

Samples – Sign Out Page

  • Signout.aspx

    • Responsible for logging a user out of the site.

Demonstration: UnsecureAppPage.aspx

In this demonstration, you will see how to:

  • Develop a sample “UnsecureAppPage.aspx” inheriting from UnsecuredLayoutsPageBase

  • Override AllowAnonymousAccess property


Module 3: LayoutsPageBase

Description

  • Represents an application page (sometimes called a "_layouts" page) to which access can be limited to users that possess certain rights.

  • The LayoutsPageBase (in Microsoft.SharePoint.WebControls) class is the most common class to derive application pages from.

  • The advantage of using LayoutsPageBase as your base class is that you can easily access the current SharePoint Site or Site Collection with the built-in properties and control the security of the application page.

Access the SharePoint objects

  • With the LayoutsPageBase class you can use the built-in Site and Web properties to access the current Site Collection or Site (both these properties are derived from the UnsecuredLayoutsPageBase class) or use the SPContext class to access the current site and web.

Stop long running operations

  • If you create pages that generate reports or similar output that may take a long time to produce and consume server resources, you should use the StopRequestIfClientIsNotValid method.

  • This method ends the request if the client is no longer connected to the page, which saves you some CPU cycles.

  • If you have this kind of page, consider using the SPLongOperation class to inform the user that it will take a while.

Exit from the Application Page

  • If you are creating an application page that uses the ButtonSection control template you will have a Cancel button.

  • The target of this Cancel button is controlled using the PageToRedirectOnCancel property.

  • Just override the property and return a string containing the target of your cancel page.

Security in the Application Page

  • The LayoutsPageBase class contains a virtual property called RightsRequired. This property can be used to programmatically set which rights (on the current Site) are required to use the application page.

  • By default the rights are checked at the end of OnLoadComplete, but using the RightsCheckModes property you can disable the check or perform it in OnPreInit instead.

  • There is also a property called RequireSiteAdministrator that can be overridden to make sure that the user is a site administrator.

Demonstration: SecureAppPage.aspx

In this demonstration, you will see how to:

  • Develop a sample “SecureAppPage.aspx” inheriting from LayoutsPageBase

  • Override RightsRequired property

  • Use RightsCheckModes property

  • Override RequireSiteAdministrator property

Custom Security Check - 1

  • What if you wanted to check whether a user belongs to a certain security group in Active Directory, or to a SharePoint Group, before granting access?

  • There is no SharePoint permission (SPBasePermission) that directly corresponds to that.

  • We need to implement our custom logic.

Custom Security Check - 2

  • How do we implement our custom security check?

    • Set RightsCheckModes to OnPreInit in the page constructor

    • Call the CheckCustomRights method in the OnLoad event

Custom Security Check - 3

  • Implement your custom logic in CheckCustomRights.

Example

  • Super user – this application page can be accessed only by a Super User
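
The custom check from the slides above, layered on top of the built-in RightsRequired check, as an added example (not the session's sample code). The namespace, the class name and the SharePoint group name "Super Users" are assumptions; RightsCheckModes is left at its default here.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

namespace Contoso.ApplicationPages            // hypothetical namespace
{
    // Hypothetical code-behind for an application page limited to one SharePoint group.
    public class SuperUserPage : LayoutsPageBase
    {
        private const string SuperUserGroup = "Super Users";   // assumed group name

        // Built-in check: the caller needs at least ViewPages on the current site.
        protected override SPBasePermissions RightsRequired
        {
            get { return SPBasePermissions.ViewPages; }
        }

        protected override void OnLoad(EventArgs e)
        {
            // Run the custom check before any page logic touches site data.
            CheckCustomRights();
            base.OnLoad(e);
        }

        // Custom rule with no SPBasePermissions equivalent: group membership.
        private void CheckCustomRights()
        {
            bool allowed = false;
            try
            {
                // The indexer throws SPException when the group does not exist.
                SPGroup group = Web.SiteGroups[SuperUserGroup];
                // CurrentUser is null for anonymous callers, who are never members.
                allowed = Web.CurrentUser != null && group.ContainsCurrentUser;
            }
            catch (SPException)
            {
                allowed = false;   // fail closed: a missing group never grants access
            }

            if (!allowed)
            {
                // Hand off to SharePoint's standard access-denied handling.
                SPUtility.HandleAccessDenied(
                    new UnauthorizedAccessException("Super Users membership required."));
            }
        }
    }
}
```

Because the group lookup sits inside the try block, renaming or deleting the group locks the page instead of opening it.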

Module 4: WebAdminPageBase

Description

  • WebAdminPageBase inherits from LayoutsPageBase.

  • Use WebAdminPageBase when you want to create application pages for Central Admin or Site Settings.

  • Override RequireSiteAdministrator and set it to true.

  • This will allow only Site Administrators to access your application page.

Demonstration: AdminAppPage.aspx

In this demonstration, you will see how to:

  • Develop a sample “AdminAppPage.aspx” inheriting from WebAdminPageBase

  • Override RequireSiteAdministrator property