Security Validation and Making Posts to Update Data

For reasons of security, Microsoft Windows SharePoint Services by default does not allow you to make posts from a Web application to modify the contents of the database unless you include security validation on the page making the request. Two kinds of security validation can be used, depending on whether the code on the page applies globally to a virtual server or Windows SharePoint Services deployment, or to a single site or site collection within the deployment.

Updating data for a site or site collection

Add a page directive and a FormDigest control to the page making the request. The following directive registers the Microsoft.SharePoint.WebControls namespace:

<%@ Register Tagprefix="SharePoint" Namespace="Microsoft.SharePoint.WebControls"
   Assembly="Microsoft.SharePoint, Version=11.0.0.0, Culture=neutral,
   PublicKeyToken=71e9bce111e9429c" %>

Note  You can obtain the PublicKeyToken value for the current Windows SharePoint Services deployment from the default.aspx file in the Local_Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\TEMPLATE\LCID\STS folder (where LCID is 1033 for English), or from the information shown for the Microsoft.SharePoint assembly at Local_Drive:\WINDOWS\assembly (or Local_Drive:\WINNT\assembly) in Windows Explorer.

Include a FormDigest control within the form as follows:

<form id="Form1" method="post" runat="server">
   <SharePoint:FormDigest runat="server" />
   <asp:Button id="Button1" runat="server" style="Z-INDEX: 101; LEFT: 282px; POSITION: absolute;
      TOP: 282px" Text="Button"></asp:Button>
</form>

The form, the FormDigest control, and the button all need runat="server"; without it ASP.NET treats the FormDigest tag as literal text and no digest is emitted.

Inserting this control on an ASPX page generates a security validation, or message digest, to help prevent the type of attack wherein a user is tricked into posting data to the server without knowing it (a cross-site request forgery). The security validation is specific to a user, site, and time period and expires after a configurable amount of time. When the user requests a page, the server returns the page with the security validation inserted. When the user then submits the form, the server verifies that the security validation has not changed. For more information about this control, see the FormDigest class.
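The following code-behind is an added example for the form shown above; it is not code from the original page. The FormDigest control emits the digest on the GET, and the button handler performs the write on the POST. It assumes the page lives inside a SharePoint site (so SPControl.GetContextWeb returns the current site), and the list name "Announcements" and the TitleBox control are constructed for the illustration.

```csharp
// Added example: code-behind (.aspx.cs) for a page carrying the
// <SharePoint:FormDigest runat="server" /> control shown above.
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.SharePoint;
using Microsoft.SharePoint.WebControls;

public class UpdateListPage : Page
{
    // Declared in the .aspx markup with runat="server".
    protected Button Button1;
    protected TextBox TitleBox;   // constructed control for this example

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        Button1.Click += new EventHandler(Button1_Click);
    }

    private void Button1_Click(object sender, EventArgs e)
    {
        // The FormDigest control placed __REQUESTDIGEST in the form when the
        // page was served. On this POST, Windows SharePoint Services checks that
        // digest (bound to this user, site and time window) before Update() may
        // write to the database. A POST without a valid digest, for example one
        // forged from another site, fails at Update().
        SPWeb web = SPControl.GetContextWeb(Context);

        // "Announcements" is assumed to exist in the current site.
        SPList list = web.Lists["Announcements"];
        SPListItem item = list.Items.Add();
        item["Title"] = TitleBox.Text;
        item.Update();   // throws if the security validation is missing or expired
    }
}
```

Do not work around a failed validation by setting SPWeb.AllowUnsafeUpdates to true: that disables the digest check for the web object and gives up the protection the FormDigest control exists to provide on pages that accept browser input.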

Updating global data

Web applications that use methods of the Microsoft.SharePoint.Administration namespace, such as for creating or deleting sites and for global administrative customizations involving multiple virtual servers, require a different security validation. Add the following code to the .vb or .cs file in an application:

[Visual Basic .NET]

Imports Microsoft.SharePoint.Administration

' Mark the request as coming through the administrative port and emit the
' administrative digest as a hidden form field.
Dim globalAdmin As New SPGlobalAdmin()
Context.Items(SPGlobalAdmin.RequestFromAdminPort) = True
Page.RegisterHiddenField("__REQUESTDIGEST", globalAdmin.AdminFormDigest)

[C#]

using Microsoft.SharePoint.Administration;

// Mark the request as coming through the administrative port and emit the
// administrative digest as a hidden form field.
SPGlobalAdmin globalAdmin = new SPGlobalAdmin();
Context.Items[SPGlobalAdmin.RequestFromAdminPort] = true;
Page.RegisterHiddenField("__REQUESTDIGEST", globalAdmin.AdminFormDigest);

This security validation uses the AdminFormDigest property of the SPGlobalAdmin class to insert a message digest on the page in the browser, registering the digest as a hidden field through the RegisterHiddenField method of the System.Web.UI.Page class. In addition, the RequestFromAdminPort field specifies that the context of the request is through the administrative port.
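As an added example, not code from the original page, the following code-behind shows where the administrative digest registration fits in the page lifecycle: the hidden field is registered during Load so it is rendered into the form, and the posted digest then covers the administrative write in the click handler. The virtual server URL is a placeholder, the text boxes are constructed for the illustration, and the three-argument SPSiteCollection.Add overload is assumed from the Windows SharePoint Services 2.0 object model.

```csharp
// Added example: code-behind for an administrative page that runs on the
// central administration virtual server and creates a site collection.
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.SharePoint.Administration;

public class CreateSitePage : Page
{
    // Declared in the .aspx markup with runat="server"; constructed for this example.
    protected Button CreateButton;
    protected TextBox SiteUrlBox;
    protected TextBox OwnerLoginBox;
    protected TextBox OwnerEmailBox;

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        CreateButton.Click += new EventHandler(CreateButton_Click);
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // Register the digest before the page renders so that __REQUESTDIGEST
        // is part of the form the browser posts back.
        SPGlobalAdmin globalAdmin = new SPGlobalAdmin();
        Context.Items[SPGlobalAdmin.RequestFromAdminPort] = true;
        Page.RegisterHiddenField("__REQUESTDIGEST", globalAdmin.AdminFormDigest);
    }

    private void CreateButton_Click(object sender, EventArgs e)
    {
        SPGlobalAdmin globalAdmin = new SPGlobalAdmin();
        Context.Items[SPGlobalAdmin.RequestFromAdminPort] = true;

        // The posted __REQUESTDIGEST is checked against the administrative
        // digest before this write is allowed; a request that lacks it fails.
        // "http://admin-server-placeholder" stands in for the real virtual server URL.
        SPVirtualServer virtualServer =
            globalAdmin.OpenVirtualServer(new Uri("http://admin-server-placeholder"));

        // Assumed overload: Add(siteUrl, ownerLogin, ownerEmail).
        virtualServer.Sites.Add(SiteUrlBox.Text, OwnerLoginBox.Text, OwnerEmailBox.Text);
    }
}
```

Registering the digest in OnLoad on every request is harmless on a postback and keeps the field present if the page is re-rendered with an error message, so the next submit is still validated.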

For an example that shows how to set properties for administrative security validation, see the Properties property.

To run custom code that uses types and members in the Windows SharePoint Services object model, users and groups must have the appropriate permissions assigned to them, just as when they interact with a site or list through the user interface. For more information on permissions, see Security, Users, and Groups Overview.