Web Parts, Impersonate and Security Policy, Part 3

Web Parts, Impersonate and Security Policy

Part 3

 

Written by: Rickie Lee (rickieleemail at yahoo.com)

继续前面的posting《Web Parts, Impersonate and Security Policy, Part 1》《Web Parts, Impersonate and Security Policy, Part 2》，阐明如何解决SharePoint Web Parts开发过程中访问权限的问题。Part 1与Part 2分别以C#和VB.Net示例代码演示了impersonate（角色扮演）的应用。

仅仅上述代码还不能解决问题，还需要配置SPS的代码访问安全（Code Access Security）。为了让managed code通过P/Invoke调用unmanaged code，并操纵ASP.NET内的安全对象。正如Impersonator类做的那样，SharePoint的安全策略必须进行调整。

在上述Web Parts开发完成，部署在\BIN目录后，下一步需要调整SPS缺省的安全策略文件。这里以wss_mediumtrust.config配置文件为例，并假设SPS Web.config文件的Security Level为WSS_Medium：

<trust level="WSS_Medium" originUrl="" />

 

 为了方便，可以先备份wss_mediumtrust.config文件，然后在上面修改。

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\config\wss_mediumtrust.config

前面运行在ASP.NET下Impersonator示例代码需要的安全权限类为：EnvironmentPermission和SecurityPermission。缺省情况下，wss_mediumtrust.config文件中<SecurityClasses>已经引用上述安全类：

<SecurityClass Name="EnvironmentPermission" Description="System.Security.Permissions.EnvironmentPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

<SecurityClass Name="SecurityPermission" Description="System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

 

wss_mediumtrust.config文件中需要修改的地方是<NamedPermissionSets> section中PermissionSet包括子元素：

<PermissionSet

        class="NamedPermissionSet"

        version="1"

        Name="ASP.Net">

默认设置：

<IPermission

       class="SecurityPermission"

       version="1"

       Flags="Assertion, Execution, ControlThread, ControlPrincipal, RemotingConfiguration"

/>

更改后（增加UnmanagedCode）：

<IPermission

       class="SecurityPermission"

       version="1"

       Flags="Assertion, Execution, UnmanagedCode, ControlThread, ControlPrincipal, RemotingConfiguration"

/>

这样，允许Web Parts代码执行COM互操作，调用Unmanaged代码。

Reference:

1. Rickie Lee, Web Parts, Impersonate and Security Policy, Part 1

2. Rickie Lee, Web Parts, Impersonate and Security Policy, Part 2

3. Jay Nathan, SharePoint Security and .NET Impersonation, http://www.15seconds.com/issue/040511.htm

you can reach Rickie Lee at rickieleemail (at) yahoo.com.