Security for the SharePoint Developer

PCT401 – Security for the SharePoint Developer
Eugene Rosenfeld
Black Blade Associates
[email protected]
Overview
• What does security refer to?
• Code access security
• User authentication
• User authorization
• Changes in SP2 for WSS and SPS
• The SharePoint authorization model
• Robust authentication code
Why worry about security?
• Why worry about security? If the code or the user cannot do something, there will be an exception.
  ● Cryptic or vague error messages lead to more helpdesk calls.
  ● Bad way to do things, especially with a multistep process. Can lead to data loss or inconsistent data.
  ● Don’t show options users don’t have rights to.
Types of security
• Code Access Security
  ● Security for executing code
• User security – comes in two flavors
  ● Authentication – proving that a user is who he/she says he/she is
    • Actual credentials
    • Mapping credentials – think SSO
  ● Authorization – making sure that a user has access to the resources he/she should and nothing else
Code Access Security
• Why have CAS?
  ● ASP.Net and SharePoint allow administrators to install black-box software that runs in process with other components
  ● Lack of CAS would allow unproven code to access any resource on the network without administrator knowledge
  ● One component could access private fields, properties, and methods from another component
Working with Code Access Security
• SharePoint trust modes affect what
resources assemblies can access
• Use demand statements to check for code
permissions before collecting data from
users or beginning implicit transactions
• Provide administrators with informative
error messages to configure systems to
give your code correct access security
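The demand-before-work pattern from this slide, as an added example that is not part of the original deck. It targets the .NET Framework; the class name, URL and folder are placeholders chosen for illustration.

```csharp
using System;
using System.Collections;
using System.Net;
using System.Security;
using System.Security.Permissions;

public class PermissionPreflight
{
    // Returns one policy-file XML fragment per permission that the current
    // trust level does not grant; an empty array means the code may proceed.
    public static string[] MissingPermissions(string remoteUrl, string dataFolder)
    {
        IPermission[] needed = new IPermission[] {
            new WebPermission(NetworkAccess.Connect, remoteUrl),
            // FileIOPermission requires an absolute path.
            new FileIOPermission(FileIOPermissionAccess.Read |
                                 FileIOPermissionAccess.Write, dataFolder)
        };
        ArrayList missing = new ArrayList();
        foreach (IPermission permission in needed)
        {
            try
            {
                // Demand walks the call stack and throws if any caller,
                // including this assembly, lacks the permission.
                permission.Demand();
            }
            catch (SecurityException)
            {
                // ToXml() yields the <IPermission .../> element that an
                // administrator can add to the trust level's policy file.
                missing.Add(permission.ToXml().ToString());
            }
        }
        return (string[])missing.ToArray(typeof(string));
    }

    public static void Main()
    {
        // Placeholder URL and folder, constructed for this example.
        string[] missing = MissingPermissions(
            "http://intranet.example/feed.xml", @"C:\Temp\WebPartData");
        if (missing.Length == 0)
        {
            Console.WriteLine("All required permissions are granted.");
            return;
        }
        Console.WriteLine("Ask an administrator to grant these permissions:");
        foreach (string xml in missing) Console.WriteLine(xml);
    }
}
```

Calling the check before rendering an input form lets a web part show the administrator-facing message instead of failing halfway through a multistep operation.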
User Authentication
• Accessing remote resources with Default Credentials - the double hop
  ● Pre SP2 this may fail
  ● SP2 supports Kerberos
  ● Can’t rely on a Kerberos enabled site
  ● Steps to enable Kerberos on a site
SharePoint Trust Modes
• Located in:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\CONFIG
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG
• WSS_Minimal – wss_minimaltrust.config
• WSS_Medium – wss_mediumtrust.config
• Full
• High – web_hightrust.config
• Medium – web_mediumtrust.config
• Low – web_lowtrust.config
• Minimal – web_minimaltrust.config
User Authentication Issues
• What happens when users authenticate with PKI certificates?
  ● Remote web resources cannot be accessed using Default Credentials
  ● The remote web request does not have access to the private key that was used to authenticate to the portal site
  ● Server side code (ASPX pages and web parts) can detect PKI certificates and make alternate access provisions
Changes with WSS and SPS SP2
• Strongly signed assemblies must be in the GAC
  ● The error SharePoint reports is “The assembly is not registered as safe”
  ● This is a requirement even if the site is configured to run in Full trust mode
• Kerberos is now a selectable security mode for IIS sites
  ● Allows default credentials to work properly in web parts and ASP.Net applications that access remote resources
The SharePoint authorization model
• Authorization is stored at three levels –
Area, Site, List
• Any object (area, site, list) may contain a
reference to another object for
authorization inheritance
• The SiteData web service returns a
_sWebMetadata structure that contains
the ACL list for sites and areas
The _sWebMetadata structure
• Relevant items:
  ● InheritedSecurity
    • The Permissions member will contain a URL to the site or area from which permissions are inherited
  ● Permissions
    • If InheritedSecurity is false, an XML document that contains the site groups and Windows users and groups with authorizations to the site or area, as well as their permissions
Permissions XML
<?xml version="1.0" encoding="utf-8" ?>
<GetPermissionCollection xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
<Permissions>
<Permission MemberID="1073741829" Mask="-1" MemberIsUser="False"
MemberGlobal="False" RoleName="Administrator" />
<Permission MemberID="1073741828" Mask="1029638927" MemberIsUser="False"
MemberGlobal="False"
RoleName="Web Designer" />
<Permission MemberID="1073741827" Mask="1027801615" MemberIsUser="False"
MemberGlobal="False"
RoleName="Contributor" />
<Permission MemberID="1073741826" Mask="138608641" MemberIsUser="False"
MemberGlobal="False"
RoleName="Reader" />
<Permission MemberID="1073741825" Mask="134283264" MemberIsUser="False"
MemberGlobal="False"
RoleName="Guest" />
</Permissions>
</GetPermissionCollection>
Parsing the Permission XML
• MemberIsUser indicates whether the Permission element is a role,
or a Windows user or group
• Mask is a bit mask that corresponds to values in the SPRights
enumeration.
Example: To check for AddListItems (0x00000002) permission, use:
(Mask & 0x00000002) == 0x00000002
• For Windows users or groups, the Permission element may contain
these attributes:
IsDomainGroup, IsSiteAdmin, LoginName, Name, SID, UserLogin
• If the Permission element is not a Role but the IsDomainGroup
attribute is not present, we can look up the user information by
using:
UserGroupService.GetUserInfo(permission.UserLogin)
• If the Permission element is a Role, we can resolve the user
membership for the role by using:
UserGroupService.GetUserCollectionFromRole(perm.RoleName)
GetAllUserCollectionFromWeb sample return
<?xml version="1.0" encoding="utf-8" ?>
<GetAllUserCollectionFromWeb
xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
<Users>
<User ID="1" Sid="S-1-5-21-1935655697-287218729682003330-1934" Name="Eugene Rosenfeld"
LoginName="meanwesel\erosen03"
Email="[email protected]" Notes="" IsSiteAdmin="True"
IsDomainGroup="False" />
</Users>
</GetAllUserCollectionFromWeb>
Robust Authentication Code
• Request use of SP2 Kerberos so default credentials can be passed to remote resources
• Support multiple authentication models to access remote resources
  ● Encapsulate login process in code
  ● Passing default credentials
  ● Using SSO to map credentials when site is not running in Kerberos or when user is authenticating with PKI – Storing credentials as web part properties is not secure!
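One way to encapsulate the login decision described on this slide, added as an example and not taken from the original deck. ICredentialMapper is a hypothetical wrapper around the SSO credential store, and the siteUsesKerberos flag is assumed to come from deployment configuration.

```csharp
using System;
using System.Net;
using System.Web;

// Hypothetical abstraction over the SSO credential store; not a SharePoint type.
public interface ICredentialMapper
{
    NetworkCredential Lookup(string applicationName);
}

public class RemoteResourceLogin
{
    private ICredentialMapper mapper;
    private bool siteUsesKerberos; // assumption: supplied by configuration

    public RemoteResourceLogin(ICredentialMapper mapper, bool siteUsesKerberos)
    {
        this.mapper = mapper;
        this.siteUsesKerberos = siteUsesKerberos;
    }

    // Chooses the credentials for the second hop to a remote resource.
    public ICredentials Resolve(HttpRequest incoming, string applicationName)
    {
        // Certificate logon: the server never holds the user's private key,
        // so default credentials cannot authenticate the outgoing request.
        bool pkiLogon = incoming.ClientCertificate != null
                        && incoming.ClientCertificate.IsPresent;
        if (siteUsesKerberos && !pkiLogon)
            return CredentialCache.DefaultCredentials;

        // Fall back to credentials mapped through SSO; never read them
        // from web part properties.
        NetworkCredential mapped = mapper.Lookup(applicationName);
        if (mapped == null)
            throw new InvalidOperationException(
                "No SSO mapping exists for application '" + applicationName + "'.");
        return mapped;
    }

    public HttpWebRequest CreateRequest(HttpRequest incoming, string url,
                                        string applicationName)
    {
        HttpWebRequest outgoing = (HttpWebRequest)WebRequest.Create(url);
        outgoing.Credentials = Resolve(incoming, applicationName);
        return outgoing;
    }
}
```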
Questions
Eugene Rosenfeld
Black Blade Associates
[email protected]
http://www.blackbladeinc.com