Jonas Nilsson and I have just returned from a trip to San Diego where we presented a session at the Best Practices SharePoint Conference. Our topic was Code Access Security (CAS) and Web Parts. The session went very well. We had a good audience that was fully engaged and offered some high quality questions. Our presentation covered the basics of CAS and explained why it is an important technology to both developers and administrators. We then discussed a number of Web Part deployment options and the security tradeoffs of each approach. Jonas then led a deep developer discussion of how to best develop with CAS in mind and included some tricks & tips to make it easier. We finished by reviewing the four best practices we had outlined at various points during the session. Our Best Practices recommendations related to CAS and Web Parts are:
- CAS should be driven by Developers and enforced by IT
- Run code with the minimum set of Security Privileges it requires
- Use Custom Policy Files
- Deploy Web Parts with Solution Deployment Packages
I’ve posted the session slide deck as an attachment. If you attended the session and are looking for some of the source code project samples, those will be posted shortly.
One important question we fielded in our session was related to situations where you are trying to deploy a Web Part that requires full trust. Since it is a worst practice to deploy Web Part assemblies to the GAC, the recommended approach is to re-factor out the operations that require full trust into a separate sub-assembly. You can then deploy this sub-assembly to the GAC while keeping the primary Web Part code separate, running under a custom policy with a narrowly defined permission set. The Web Part assembly and its counterpart deployed into the GAC will need to utilize demand/assert calls to enable the operations with the elevated permissions to work.
An attendee came up to me after our session and told me that his company purchased a simple Web Part from a third-party that deployed itself directly to the GAC. While it sometimes surprises me how many SharePoint professionals are largely in the dark when it comes to code access security, it's certainly understandable. There is a vast amount of SharePoint knowledge that needs to be assimilated and no one person can be expected to cover it all. One of the benefits of a conference like this one is that is provides a way to help disseminate some of this specialized knowledge. What I do find unbelievable though, is the number of third-party software vendors that remain clueless when it comes to CAS. Especially since this is supposed to be their “domain of expertise.” I’m not telling you to only purchase Bamboo products, as we certainly don’t have the perfect solution for every requirement, but what I suggest is that you take a close look at a vendor’s CAS policy and carefully consider why they might feel the need to run with broad or unrestricted permissions in your environment.
Looking for more Best Practices? See all posts on the Best Practices SharePoint Conference.
Posted
Feb 09 2009, 12:13 PM
by
WesBryan
Wes Bryan leads the Product Management team at Bamboo Solutions. He has been with Bamboo for over 10 years and has a decade of experience developing enterprise commercial software products. Wes has published numerous technical articles related to SharePoint technologies and has spoken at SharePoint user group events and conferences across the country.