Web Parts, Impersonate and Security Policy, Part 3

Web Parts, Impersonate and Security Policy

Part 3

 

Written by: Rickie Lee (rickieleemail at yahoo.com)

继续前面的postingWeb Parts, Impersonate and Security Policy, Part 1》《Web Parts, Impersonate and Security Policy, Part 2》,阐明如何解决SharePoint Web Parts开发过程中访问权限的问题。Part 1Part 2分别以C#VB.Net示例代码演示了impersonate(角色扮演)的应用。

仅仅上述代码还不能解决问题,还需要配置SPS的代码访问安全(Code Access Security)。为了让managed code通过P/Invoke调用unmanaged code,并操纵ASP.NET内的安全对象。正如Impersonator类做的那样,SharePoint的安全策略必须进行调整。

在上述Web Parts开发完成,部署在\BIN目录后,下一步需要调整SPS缺省的安全策略文件。这里以wss_mediumtrust.config配置文件为例,并假设SPS Web.config文件的Security LevelWSS_Medium

<trust level="WSS_Medium" originUrl="" />

 

 为了方便,可以先备份wss_mediumtrust.config文件,然后在上面修改。

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\config\wss_mediumtrust.config

前面运行在ASP.NETImpersonator示例代码需要的安全权限类为:EnvironmentPermissionSecurityPermission。缺省情况下,wss_mediumtrust.config文件中<SecurityClasses>已经引用上述安全类:

<SecurityClass Name="EnvironmentPermission" Description="System.Security.Permissions.EnvironmentPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

<SecurityClass Name="SecurityPermission" Description="System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

 

wss_mediumtrust.config文件中需要修改的地方是<NamedPermissionSets> sectionPermissionSet包括子元素:

<PermissionSet

        class="NamedPermissionSet"

        version="1"

        Name="ASP.Net">

默认设置:

<IPermission

       class="SecurityPermission"

       version="1"

       Flags="Assertion, Execution, ControlThread, ControlPrincipal, RemotingConfiguration"

/>

更改后(增加UnmanagedCode):

<IPermission

       class="SecurityPermission"

       version="1"

       Flags="Assertion, Execution, UnmanagedCode, ControlThread, ControlPrincipal, RemotingConfiguration"

/>

这样,允许Web Parts代码执行COM互操作,调用Unmanaged代码。

Reference:

1. Rickie Lee, Web Parts, Impersonate and Security Policy, Part 1

2. Rickie Lee, Web Parts, Impersonate and Security Policy, Part 2

3. Jay Nathan, SharePoint Security and .NET Impersonation, http://www.15seconds.com/issue/040511.htm

you can reach Rickie Lee at rickieleemail (at) yahoo.com.

 

你可能感兴趣的:(Security)