PCT401 – Security for the SharePoint Developer
Eugene Rosenfeld
Black Blade Associates
erosenfeld@blackbladeinc.com
Overview
• What does security refer to?
• Code access security
• User authentication
• User authorization
• Changes in SP2 for WSS and SPS
• The SharePoint authorization model
• Robust authentication code
Why worry about security?
• If the code or the user cannot do something, there will be an exception.
• Cryptic or vague error messages lead to more helpdesk calls.
• Relying on exceptions is a bad way to do things, especially with a multi-step process. It can lead to data loss or inconsistent data.
• Don’t show options users don’t have rights to.
Types of security
• Code Access Security
  • Security for executing code
• User security – comes in two flavors
  • Authentication – proving that a user is who he/she says he/she is
    • Actual credentials
    • Mapping credentials – think SSO
  • Authorization – making sure that a user has access to the resources he/she should and nothing else
Code Access Security
• Why have CAS?
  • ASP.Net and SharePoint allow administrators to install black-box software that runs in process with other components
  • Lack of CAS would allow unproven code to access any resource on the network without administrator knowledge
  • One component could access private fields, properties, and methods from another component
Working with Code Access Security
• SharePoint trust modes affect what resources assemblies can access
• Use demand statements to check for code permissions before collecting data from users or beginning implicit transactions
• Provide administrators with informative error messages to configure systems to give your code correct access security
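The demand-before-work pattern from this slide, as an added example that is not part of the original deck. It targets the .NET Framework; TrustPreflight, the URL and the folder path are hypothetical names chosen for illustration.

```csharp
using System;
using System.Net;
using System.Security;
using System.Security.Permissions;
using System.Text;

// Added example. Code access security is enforced on the .NET Framework only.
public static class TrustPreflight
{
    // Demands every permission the component will need later and returns a
    // message listing the ones that are not granted. An empty string means
    // every demand succeeded and it is safe to start collecting user input.
    public static string MissingPermissions(params CodeAccessPermission[] required)
    {
        StringBuilder missing = new StringBuilder();
        foreach (CodeAccessPermission permission in required)
        {
            try
            {
                // Stack walk: throws if any caller lacks the permission.
                permission.Demand();
            }
            catch (SecurityException)
            {
                // Record the exact permission so an administrator can grant it.
                missing.Append(permission.GetType().FullName).Append(": ")
                       .Append(permission.ToXml().ToString())
                       .Append(Environment.NewLine);
            }
        }
        if (missing.Length == 0) return string.Empty;
        return "This component cannot run at the current trust level. " +
               "An administrator must grant the following permissions in the " +
               "site's trust policy file:" + Environment.NewLine + missing.ToString();
    }

    public static void Main()
    {
        // Hypothetical needs: call a remote service and read a settings folder.
        string problem = MissingPermissions(
            new WebPermission(NetworkAccess.Connect, "http://reports.example.com/feed.asmx"),
            new FileIOPermission(FileIOPermissionAccess.Read, @"C:\Example\Settings"));
        Console.WriteLine(problem.Length == 0 ? "OK to show the input form" : problem);
    }
}
```

Running the check before the first form is rendered means a missing permission surfaces as one complete message for the administrator instead of an exception halfway through a multi-step process.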
User Authentication
• Accessing remote resources with Default Credentials – the double hop
  • Pre SP2 this may fail
  • SP2 supports Kerberos
  • Can’t rely on a Kerberos enabled site
• Steps to enable Kerberos on a site
SharePoint Trust Modes
• Located in:
  C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\CONFIG
  C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG
• WSS_Minimal – wss_minimaltrust.config
• WSS_Medium – wss_mediumtrust.config
• Full
• High – web_hightrust.config
• Medium – web_mediumtrust.config
• Low – web_lowtrust.config
• Minimal – web_minimaltrust.config
User Authentication Issues
• What happens when users authenticate with PKI certificates?
  • Remote web resources cannot be accessed using Default Credentials
  • The remote web request does not have access to the private key that was used to authenticate to the portal site
  • Server side code (ASPX pages and web parts) can detect PKI certificates and make alternate access provisions
Changes with WSS and SPS SP2
• Strongly signed assemblies must be in the GAC
  • The error SharePoint reports is “The assembly is not registered as safe”
  • This is a requirement even if the site is configured to run in Full trust mode
• Kerberos is now a selectable security mode for IIS sites
  • Allows default credentials to work properly in web parts and ASP.Net applications that access remote resources
The SharePoint authorization model
• Authorization is stored at three levels – Area, Site, List
• Any object (area, site, list) may contain a reference to another object for authorization inheritance
• The SiteData web service returns a _sWebMetadata structure that contains the ACL list for sites and areas
The _sWebMetadata structure
• Relevant items:
  • InheritedSecurity
    • The Permissions member will contain a URL to the site or area from which permissions are inherited
  • Permissions
    • If InheritedSecurity is false, an XML document that contains the site groups and Windows users and groups with authorizations to the site or area, as well as their permissions
Permissions XML

<?xml version="1.0" encoding="utf-8" ?>
<GetPermissionCollection xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
  <Permissions>
    <Permission MemberID="1073741829" Mask="-1" MemberIsUser="False" MemberGlobal="False" RoleName="Administrator" />
    <Permission MemberID="1073741828" Mask="1029638927" MemberIsUser="False" MemberGlobal="False" RoleName="Web Designer" />
    <Permission MemberID="1073741827" Mask="1027801615" MemberIsUser="False" MemberGlobal="False" RoleName="Contributor" />
    <Permission MemberID="1073741826" Mask="138608641" MemberIsUser="False" MemberGlobal="False" RoleName="Reader" />
    <Permission MemberID="1073741825" Mask="134283264" MemberIsUser="False" MemberGlobal="False" RoleName="Guest" />
  </Permissions>
</GetPermissionCollection>
Parsing the Permission XML
• MemberIsUser indicates whether the Permission element is a role, or a Windows user or group
• Mask is a bit mask that corresponds to values in the SPRights enumeration. Example: to check for AddListItems (0x00000002) permission, use: (Mask & 0x00000002) == 0x00000002
• For Windows users or groups, the Permission element may contain these attributes: IsDomainGroup, IsSiteAdmin, LoginName, Name, SID, UserLogin
• If the Permission element is not a Role but the IsDomainGroup attribute is not present, we can look up the user information by using: UserGroupService.GetUserInfo(permission.UserLogin)
• If the Permission element is a Role, we can resolve the user membership for the role by using: UserGroupService.GetUserCollectionFromRole(perm.RoleName)
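The parsing rules above applied to a Permissions document, as an added example that is not part of the original deck. PermissionAudit is a hypothetical name; the sample embeds two roles from the slide plus one constructed user entry, and of the four SPRights list-item bits only AddListItems is quoted on the slide.

```csharp
using System;
using System.Globalization;
using System.Xml;

public static class PermissionAudit
{
    const string Ns = "http://schemas.microsoft.com/sharepoint/soap/directory/";

    // SPRights list-item bits; AddListItems (0x2) is the value on the slide.
    static readonly string[] Names = { "ViewListItems", "AddListItems", "EditListItems", "DeleteListItems" };
    static readonly int[] Bits = { 0x1, 0x2, 0x4, 0x8 };

    // Constructed sample: two roles from the slide and one made-up user.
    const string Sample =
        "<GetPermissionCollection xmlns='" + Ns + "'><Permissions>" +
        "<Permission MemberID='1073741827' Mask='1027801615' MemberIsUser='False' MemberGlobal='False' RoleName='Contributor' />" +
        "<Permission MemberID='1073741826' Mask='138608641' MemberIsUser='False' MemberGlobal='False' RoleName='Reader' />" +
        "<Permission MemberID='7' Mask='-1' MemberIsUser='True' MemberGlobal='False' UserLogin='EXAMPLE\\jdoe' />" +
        "</Permissions></GetPermissionCollection>";

    // Same test as on the slide: every bit of 'right' must be set in 'mask'.
    public static bool HasRight(int mask, int right)
    {
        return (mask & right) == right;
    }

    public static string Describe(XmlElement p)
    {
        // Mask is a signed 32-bit value; -1 has every bit set.
        int mask = int.Parse(p.GetAttribute("Mask"), CultureInfo.InvariantCulture);
        bool isUser = bool.Parse(p.GetAttribute("MemberIsUser"));
        string who, next;
        if (!isUser) { who = "role " + p.GetAttribute("RoleName"); next = "GetUserCollectionFromRole"; }
        else if (!p.HasAttribute("IsDomainGroup")) { who = "user " + p.GetAttribute("UserLogin"); next = "GetUserInfo"; }
        else { who = "account " + p.GetAttribute("LoginName"); next = "attributes already present"; }

        string rights = "";
        for (int i = 0; i < Bits.Length; i++)
            if (HasRight(mask, Bits[i])) rights += (rights.Length > 0 ? "," : "") + Names[i];
        return who + ": " + (rights.Length > 0 ? rights : "(no list-item rights)") + "; resolve via " + next;
    }

    public static void Main()
    {
        XmlDocument doc = new XmlDocument();
        doc.LoadXml(Sample);
        XmlNamespaceManager ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("d", Ns); // the elements live in the directory namespace
        foreach (XmlElement p in doc.SelectNodes("//d:Permission", ns))
            Console.WriteLine(Describe(p));
    }
}
```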
GetAllUserCollectionFromWeb sample return

<?xml version="1.0" encoding="utf-8" ?>
<GetAllUserCollectionFromWeb xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
  <Users>
    <User ID="1" Sid="S-1-5-21-1935655697-287218729-682003330-1934" Name="Eugene Rosenfeld" LoginName="meanwesel\erosen03" Email="erosen03@hotmail.com" Notes="" IsSiteAdmin="True" IsDomainGroup="False" />
  </Users>
</GetAllUserCollectionFromWeb>
Robust Authentication Code
• Request use of SP2 Kerberos so default credentials can be passed to remote resources
• Support multiple authentication models to access remote resources
• Encapsulate the login process in code
  • Passing default credentials
  • Using SSO to map credentials when the site is not running in Kerberos or when the user is authenticating with PKI
    – Storing credentials as web part properties is not secure!
Questions
Eugene Rosenfeld
Black Blade Associates
erosenfeld@blackbladeinc.com
http://www.blackbladeinc.com