Synapse india reviews on security for the share point developer

1. Synapse india Reviews on Security for the SharePoint
Developer
Security for the SharePoint Developer

2. Overview
What does security refer to?
Code access security
User authentication
User authorization
Changes in SP2 for WSS and SPS
The SharePoint authorization model
Robust authentication code

3. Why worry about security?
Why worry about security? If the code or the user
cannot do something, there will be an exception.
Cryptic or vague error messages lead to more
helpdesk calls.
Bad way to do things, especially with a multi-step
process. Can lead to data loss or inconsistent
data.
Don’t show options users don’t have rights to.

4. Types of security
Code Access Security
Security for executing code
User security – comes in two flavors
Authentication – proving that a user is who he/she
says he/she is
Actual credentials
Mapping credentials – think SSO
Authorization – making sure that a user has
access to the resources he/she should and
nothing else

5. Code Access Security
Why have CAS?
ASP.Net and SharePoint allow administrators to
install black-box software that run in process with
other components
Lack of CAS would allow unproven code to
access any resource on the network without
administrator knowledge
One component could access private fields,
properties, and methods from another component

6. Working with Code Access Security
SharePoint trust modes affect what resources
assemblies can access
Use demand statements to check for code
permissions before collecting data from users or
beginning implicit transactions
Provide administrators with informative error
messages to configure systems to give your code
correct access security

7. User Authentication
Accessing remote resources with Default
Credentials - the double hop
Pre SP2 this may fail
SP2 supports Kerberos
Can’t rely on a Kerberos enabled site
Steps to enable Kerberos on a site

8. User Authentication Issues
What happens when users authenticate with PKI
certificates?
Remote web resources cannot be accessed using
Default Credentials
The remote web request does not have access to
the private key that was used to authenticate to
the portal site
Server side code (ASPX pages and web parts)
can detect PKI certificates and make alternate
access provisions

9. Changes with WSS and SPS SP2
Strongly signed assemblies must be in the GAC
The error SharePoint reports is “The assembly is not registered as
safe”
This is a requirement even if the site is configured to run in Full
trust mode
Kerberos is now a selectable security mode for IIS sites
Allows default credentials to work properly in web parts and
ASP.Net applications that access remote resources

10. The SharePoint authorization model
Authorization is stored at three levels –Area, Site,
List
Any object (area, site, list) may contain a
reference to another object for authorization
inheritance
The SiteData web service returns a
_sWebMetadata structure that contains the ACLs
list for sites and areas

11. The _sWebMetadata structure
Relevant items:
InheritedSecurity
The Permissions member will contain a URL to
the site or area from which permissions are
inherited
Permissions
If InheritedSecurity is false, an XML document
that contains the site groups and Windows users
and groups with authorizations to the site or area,
as well as their permissions

12. Permissions XML
<?xml version="1.0" encoding="utf-8" ?>
<GetPermissionCollection xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
<Permissions>
<Permission MemberID="1073741829" Mask="-1" MemberIsUser="False" MemberGlobal="False"
RoleName="Administrator" />
<Permission MemberID="1073741828" Mask="1029638927" MemberIsUser="False" MemberGlobal="False"
RoleName="Web Designer" />
<Permission MemberID="1073741827" Mask="1027801615" MemberIsUser="False" MemberGlobal="False"
RoleName="Contributor" />
<Permission MemberID="1073741826" Mask="138608641" MemberIsUser="False" MemberGlobal="False"
RoleName="Reader" />
<Permission MemberID="1073741825" Mask="134283264" MemberIsUser="False" MemberGlobal="False"
RoleName="Guest" />
</Permissions>
</GetPermissionCollection>

13. Parsing the Permission XML
MemberIsUser indicates whether the Permission element is a role, or a
Windows user or group
Mask is a bit mask that corresponds to values in the SPRights enumeration.
Example: To check for AddListItems (0x00000002) permission, use:
(Mask & 0x00000002) == 0x00000002
For Windows users or groups, the Permission element may contain these
attributes:
IsDomainGroup, IsSiteAdmin, LoginName, Name, SID, UserLogin
If the Permission element is not a Role but the IsDomainGroup attribute is not
present, we can look up the user information by using:
UserGroupService.GetUserInfo(permission.UserLogin)
If the Permission element is a Role, we can resolve the user membership for
role by using:
UserGroupService.GetUserCollectionFromRole(perm.RoleName)

14. Get All User Collection From Web sample return
<?xml version="1.0" encoding="utf-8" ?>
<GetAllUserCollectionFromWeb
xmlns="http://schemas.microsoft.com/sharepoint/soap/directory/">
<Users>
<User ID="1" Sid="S-1-5-21-1935655697-287218729-682003330-1934"
Name="Eugene Rosenfeld"
LoginName=“meanweselerosen03" Email=“erosen03@hotmail.com" Notes=""
IsSiteAdmin="True"
IsDomainGroup="False" />
</Users>
</GetAllUserCollectionFromWeb>

15. Robust Authentication Code
Request use SP 2 Kerberos so default credentials can be
passed to remote resources
Support multiple authentication models to access remote
resources
Encapsulate login process in code
Passing default credentials
Using SSO to map credentials when site is not running in Kerberos
or when user is authenticating with PKI – Storing credentials as
web part properties is not secure!