
PCT401 – Security for the SharePoint Developer

PCT401 – Security for the SharePoint Developer. Eugene Rosenfeld, Black Blade Associates, erosenfeld@blackbladeinc.com. Overview: What does security refer to? Code access security; user authentication; user authorization; changes in SP2 for WSS and SPS; the SharePoint authorization model.



  1. PCT401 – Security for the SharePoint Developer
     Eugene Rosenfeld, Black Blade Associates
     erosenfeld@blackbladeinc.com

  2. Overview
     • What does security refer to?
     • Code access security
     • User authentication
     • User authorization
     • Changes in SP2 for WSS and SPS
     • The SharePoint authorization model
     • Robust authentication code

  3. Why worry about security?
     • Why worry about security? If the code or the user cannot do something, there will be an exception.
     • Cryptic or vague error messages lead to more helpdesk calls.
     • Bad way to do things, especially with a multi-step process. Can lead to data loss or inconsistent data.
     • Don’t show options users don’t have rights to.

  4. Types of security
     • Code Access Security
        • Security for executing code
     • User security – comes in two flavors
        • Authentication – proving that a user is who he/she says he/she is
           • Actual credentials
           • Mapping credentials – think SSO
        • Authorization – making sure that a user has access to the resources he/she should and nothing else

  5. Code Access Security
     • Why have CAS?
        • ASP.Net and SharePoint allow administrators to install black-box software that runs in process with other components
        • Lack of CAS would allow unproven code to access any resource on the network without administrator knowledge
        • One component could access private fields, properties, and methods from another component

  6. Working with Code Access Security
     • SharePoint trust modes affect what resources assemblies can access
     • Use demand statements to check for code permissions before collecting data from users or beginning implicit transactions
     • Provide administrators with informative error messages to configure systems to give your code correct access security
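
A demand made up front, before any form is shown or any transaction begins, as slide 6 recommends. This is an added example, not code from the presentation; it assumes the .NET Framework (where CAS is enforced), and the URL, directory and class name are hypothetical.

```csharp
using System;
using System.Net;
using System.Security;
using System.Security.Permissions;

static class CasPreflight
{
    // Returns null when the calling code holds every permission it will need,
    // otherwise a message an administrator can act on.
    static string Check(string remoteUrl, string workDir)
    {
        PermissionSet needed = new PermissionSet(PermissionState.None);
        needed.AddPermission(new WebPermission(NetworkAccess.Connect, remoteUrl));
        needed.AddPermission(new FileIOPermission(FileIOPermissionAccess.Write, workDir));
        try
        {
            // Walks the call stack; throws if any caller lacks a permission.
            needed.Demand();
            return null;
        }
        catch (SecurityException ex)
        {
            return "This component needs " + ex.PermissionType
                + " (connect to " + remoteUrl + ", write to " + workDir + "). "
                + "Grant it in the policy file for the site's trust level.";
        }
    }

    static void Main()
    {
        // Hypothetical endpoint and directory, for illustration only.
        string problem = Check("http://intranet.example/orders.asmx", @"C:\Temp\orders");
        Console.WriteLine(problem ?? "Permissions OK: safe to collect input and start the transaction.");
    }
}
```

Because the check runs before the user has typed anything, a refusal costs nothing and the message names the exact permission type the policy file is missing.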

  7. User Authentication
     • Accessing remote resources with Default Credentials - the double hop
     • Pre SP2 this may fail
     • SP2 supports Kerberos
     • Can’t rely on a Kerberos enabled site
     • Steps to enable Kerberos on a site

  8. SharePoint Trust Modes
     • Located in:
        C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\CONFIG
        C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG
     • WSS_Minimal – wss_minimaltrust.config
     • WSS_Medium – wss_mediumtrust.config
     • Full
     • High – web_hightrust.config
     • Medium – web_mediumtrust.config
     • Low – web_lowtrust.config
     • Minimal – web_minimaltrust.config

  9. User Authentication Issues
     • What happens when users authenticate with PKI certificates?
        • Remote web resources cannot be accessed using Default Credentials
        • The remote web request does not have access to the private key that was used to authenticate to the portal site
     • Server side code (ASPX pages and web parts) can detect PKI certificates and make alternate access provisions

  10. Changes with WSS and SPS SP2
     • Strongly signed assemblies must be in the GAC
        • The error SharePoint reports is “The assembly is not registered as safe”
        • This is a requirement even if the site is configured to run in Full trust mode
     • Kerberos is now a selectable security mode for IIS sites
        • Allows default credentials to work properly in web parts and ASP.Net applications that access remote resources

  11. The SharePoint authorization model
     • Authorization is stored at three levels – Area, Site, List
     • Any object (area, site, list) may contain a reference to another object for authorization inheritance
     • The SiteData web service returns a _sWebMetadata structure that contains the ACLs list for sites and areas

  12. The _sWebMetadata structure
     • Relevant items:
        • InheritedSecurity
           • The Permissions member will contain a URL to the site or area from which permissions are inherited
        • Permissions
           • If InheritedSecurity is false, an XML document that contains the site groups and Windows users and groups with authorizations to the site or area, as well as their permissions

  13. Permissions XML

     <?xml version="1.0" encoding="utf-8" ?>
     <GetPermissionCollection xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
       <Permissions>
         <Permission MemberID="1073741829" Mask="-1" MemberIsUser="False" MemberGlobal="False" RoleName="Administrator" />
         <Permission MemberID="1073741828" Mask="1029638927" MemberIsUser="False" MemberGlobal="False" RoleName="Web Designer" />
         <Permission MemberID="1073741827" Mask="1027801615" MemberIsUser="False" MemberGlobal="False" RoleName="Contributor" />
         <Permission MemberID="1073741826" Mask="138608641" MemberIsUser="False" MemberGlobal="False" RoleName="Reader" />
         <Permission MemberID="1073741825" Mask="134283264" MemberIsUser="False" MemberGlobal="False" RoleName="Guest" />
       </Permissions>
     </GetPermissionCollection>

  14. Parsing the Permission XML
     • MemberIsUser indicates whether the Permission element is a role, or a Windows user or group
     • Mask is a bit mask that corresponds to values in the SPRights enumeration. Example: to check for AddListItems (0x00000002) permission, use:
        (Mask & 0x00000002) == 0x00000002
     • For Windows users or groups, the Permission element may contain these attributes: IsDomainGroup, IsSiteAdmin, LoginName, Name, SID, UserLogin
     • If the Permission element is not a Role but the IsDomainGroup attribute is not present, we can look up the user information by using:
        UserGroupService.GetUserInfo(permission.UserLogin)
     • If the Permission element is a Role, we can resolve the user membership for the role by using:
        UserGroupService.GetUserCollectionFromRole(perm.RoleName)

  15. GetAllUserCollectionFromWeb sample return

     <?xml version="1.0" encoding="utf-8" ?>
     <GetAllUserCollectionFromWeb xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
       <Users>
         <User ID="1" Sid="S-1-5-21-1935655697-287218729-682003330-1934" Name="Eugene Rosenfeld" LoginName="meanwesel\erosen03" Email="erosen03@hotmail.com" Notes="" IsSiteAdmin="True" IsDomainGroup="False" />
       </Users>
     </GetAllUserCollectionFromWeb>
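
The mask check from slide 14 applied to the Permissions XML from slide 13, to decide per entry whether an "add item" or "delete item" option should be offered at all. This is an added example, not code from the presentation; the `ListRights` enum is a local copy of four SPRights values so it builds without the SharePoint assemblies, and the `EXAMPLE\jdoe` entry is constructed.

```csharp
using System;
using System.Globalization;
using System.Xml;

// Local copy of four SPRights bit values so the sample builds without
// Microsoft.SharePoint.dll (assumption: only list-item rights are modelled).
[Flags]
enum ListRights
{
    ViewListItems = 0x00000001,
    AddListItems = 0x00000002,
    EditListItems = 0x00000004,
    DeleteListItems = 0x00000008
}

static class PermissionAudit
{
    // Three role entries trimmed from the Permissions XML slide, plus one
    // constructed Windows-user entry (EXAMPLE\jdoe is not from the page).
    const string Sample =
        @"<GetPermissionCollection xmlns='http://schemas.microsoft.com/sharepoint/soap/directory/'>
<Permissions>
 <Permission MemberID='1073741829' Mask='-1' MemberIsUser='False' RoleName='Administrator' />
 <Permission MemberID='1073741827' Mask='1027801615' MemberIsUser='False' RoleName='Contributor' />
 <Permission MemberID='1073741826' Mask='138608641' MemberIsUser='False' RoleName='Reader' />
 <Permission MemberID='7' Mask='138608641' MemberIsUser='True' UserLogin='EXAMPLE\jdoe' />
</Permissions></GetPermissionCollection>";

    static bool HasRight(int mask, ListRights right)
    {
        return (mask & (int)right) == (int)right;
    }

    static void Main()
    {
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(Sample);
        XmlNamespaceManager ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("d", "http://schemas.microsoft.com/sharepoint/soap/directory/");

        foreach (XmlElement p in doc.SelectNodes("//d:Permission", ns))
        {
            // Mask is a signed 32-bit value; -1 has every bit set.
            int mask = int.Parse(p.GetAttribute("Mask"), CultureInfo.InvariantCulture);
            bool isUser = bool.Parse(p.GetAttribute("MemberIsUser"));
            string who = isUser ? p.GetAttribute("UserLogin") : p.GetAttribute("RoleName");
            Console.WriteLine("{0,-14} {1} add={2} delete={3}", who, isUser ? "user" : "role",
                HasRight(mask, ListRights.AddListItems), HasRight(mask, ListRights.DeleteListItems));
        }
    }
}
```

Parsing Mask as a signed `int` matters: the Administrator entry carries `-1`, which an unsigned parse would reject even though it simply means all rights.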

  16. Robust Authentication Code
     • Request the use of SP2 Kerberos so default credentials can be passed to remote resources
     • Support multiple authentication models to access remote resources
     • Encapsulate login process in code
        • Passing default credentials
        • Using SSO to map credentials when the site is not running in Kerberos or when the user is authenticating with PKI
           – Storing credentials as web part properties is not secure!

  17. Questions
     Eugene Rosenfeld, Black Blade Associates
     erosenfeld@blackbladeinc.com
     http://www.blackbladeinc.com
