Code Access Security

  • Article

Code Access Security

The Microsoft® SharePoint™ Products and Technologies 2003 class libraries use code access security to help protect certain resources and operations by specifying the permissions they require in order to run. The members of the SharePoint class libraries demand SharePointPermission with the ObjectModel property set to true. You should make sure that assemblies you create that are clients of the classes in the SharePoint class libraries have this permission.

There are several ways to make sure your code has the required permissions to access the SharePoint class libraries. Options include the following:

  • Install the assembly in the Global Assembly Cache (GAC), because code in the GAC always has Full trust.
  • Raise the trust level for the virtual server extended with Microsoft Windows® SharePoint™ Services.
  • Create a custom security policy and assign the SharePointPermission with the ObjectModel property set to true to the specific assembly or set of assemblies.

Whatever option you choose, make sure that you fully understand the security implications so that you do not expose a security weakness. For more information, see Code Access Security for Administrators.

If your code is granted the permissions demanded by the SharePoint class library, your code will be allowed to access the library. Note that any assembly that calls your assembly that calls one or more of the SharePoint assemblies will also need to be granted the same permission. All clients in the chain of callers leading up to SharePoint class libraries need the SharePointPermission set as explained earlier; if your code does not have the appropriate permissions, it will not be allowed to access the class library. If other code uses your code to indirectly access the resource, it too must have the appropriate permissions to access the class library, or your code will not be allowed to run. This helps prevent malicious code from trying to use your code to access the resource without permission.

If your code tries to write data to a database on an HTTP Get or if the code needs to enable Web Part-to-Web Part connections, your code might also need two other permissions specific to Microsoft Office SharePoint Products and Technologies. They are: SharePointPermission.UnsafeSaveOnGet and WebPartPermission.Connections.

Important  For Microsoft Office SharePoint Portal Server only, if you want to use the classes and members in the Microsoft.SharePoint.Portal.SingleSignon namespace, your code will need an additional permission called SingleSignonPermission.Access.

Your code might also need one or more of the default ASP.NET permissions if it tries to perform an action or access a resource that is protected by the common language runtime.

Code access security does not eliminate the possibility of human error in writing code; however, if applications use secure class libraries to access protected resources, the security risk for application code can be decreased because class libraries are closely scrutinized for potential security problems.

For a complete understanding of code access security and how it is used in SharePoint Products and Technologies, see Code Access Security for Developers.