Code Access Security policy template for Visual Studio 2010 SharePoint Developer Tools


SharePoint 2010 ships with the Sandbox: a new concept that allows you to deploy solutions with limited trust. Still, there are many scenarios in which you might need to deploy your work to the Web Application’s BIN directory. When you do, you need to define a CAS policy for your assembly, which specifies what your code should and should not be allowed to do. While the contents of the policy always depend on your code, I have noticed that a few entries are common to almost every solution deployed to the BIN directory.

Adding a new CAS policy to your SharePoint Solution is extremely easy when working with the new Visual Studio 2010 SharePoint Developer Tools. All you have to do is to open the Package Designer (1), choose Manifest from the sections at the bottom (2) and open the Edit Options section (3).

Editing the CAS policy contents with the Package Designer

The next step is to insert the contents of your CAS policy.

<CodeAccessSecurity>
  <PolicyItem>
    <PermissionSet class="NamedPermissionSet" version="1">
      <IPermission class="SecurityPermission" version="1" Flags="Execution" />
      <IPermission class="AspNetHostingPermission" version="1" Level="Minimal" />
      <IPermission class="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" version="1" ObjectModel="True" />
    </PermissionSet>
    <Assemblies>
      <Assembly Name="$SharePoint.Project.AssemblyName$" Version="$SharePoint.Project.AssemblyVersion$" PublicKeyBlob="$SharePoint.Project.AssemblyPublicKeyBlob$"/>
    </Assemblies>
  </PolicyItem>
</CodeAccessSecurity>

The above policy contains the minimal set of permissions and also allows your code to use the SharePoint Object Model. Although it looks like an ordinary CAS policy, notice the tokens in the Assembly entry. The Visual Studio 2010 SharePoint Developer Tools replace these tokens with the real values during the packaging process.

The above template contains the most common entries and is a good starting point when working with SharePoint Solutions deployed to the Web Application’s BIN directory. Depending on your code, you might need to add further SharePoint permissions or other permissions that it requires.
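
One way to review a policy after adding permissions, as an added example that is not part of the original post: the Python below compares each IPermission entry against the template above and reports every grant that goes beyond it. The function names, the finding texts and the sample policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Baseline from the template in this post: attribute and values it already grants.
BASELINE = {"SecurityPermission": ("Flags", {"Execution"}),
            "AspNetHostingPermission": ("Level", {"Minimal"})}

# Constructed sample: the template's permission set with three extra grants added.
SAMPLE = """<CodeAccessSecurity><PolicyItem>
<PermissionSet class="NamedPermissionSet" version="1">
  <IPermission class="SecurityPermission" version="1" Flags="Execution, UnmanagedCode" />
  <IPermission class="AspNetHostingPermission" version="1" Level="Minimal" />
  <IPermission class="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" version="1" ObjectModel="True" Impersonate="True" />
  <IPermission class="System.Security.Permissions.FileIOPermission" version="1" Unrestricted="true" />
</PermissionSet>
</PolicyItem></CodeAccessSecurity>"""

def short_class(value):
    """'Ns.SharePointPermission, Assembly, Version=...' -> 'SharePointPermission'."""
    return value.split(",", 1)[0].strip().rsplit(".", 1)[-1]

def audit_cas(xml_text):
    """Return (permission class, finding) pairs for grants beyond the template."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Compare local names so a namespaced manifest parses like the bare fragment.
        if elem.tag.rsplit("}", 1)[-1] != "IPermission":
            continue
        name = short_class(elem.get("class", ""))
        if elem.get("Unrestricted", "").lower() == "true":
            findings.append((name, "Unrestricted grant"))
        elif name == "SharePointPermission":
            # ObjectModel is in the template; any other switch set to True is extra.
            findings += [(name, f"{key} enabled") for key, val in sorted(elem.attrib.items())
                         if key not in ("class", "version", "ObjectModel") and val.lower() == "true"]
        elif name in BASELINE:
            attr, allowed = BASELINE[name]
            granted = {v.strip() for v in elem.get(attr, "").split(",") if v.strip()}
            findings += [(name, f"{attr} beyond template: {v}") for v in sorted(granted - allowed)]
        else:
            findings.append((name, "not in template; confirm the code needs it"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_cas(SAMPLE):
        print(f"{name}: {finding}")
```

Each finding is a prompt to confirm that the assembly really needs the grant, not a verdict that the policy is wrong.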


5 Responses to “Code Access Security policy template for Visual Studio 2010 SharePoint Developer Tools”

  1. Tweets that mention Code Access Security policy template for Visual Studio 2010 SharePoint Developer Tools - Waldek Mastykarz -- Topsy.com Says:

    [...] This blog post was mentioned on Twitter by Waldek Mastykarz, Saed Shela. Saed Shela said: "Code Access Security policy template for Visual Studio 2010 SharePoint Developer Tools" http://bit.ly/cP02Bg #Sp2010 #VS2010 #CAS [...]

  2. Eugene Rosenfeld Says:

    Of course, the trick is figuring out just which CAS policies your solution's assemblies need.

  3. Waldek Mastykarz Says:

    @Eugene: exactly. Somehow I find using Reflector for that purpose just great. Wish there was an easier approach though.

  4. Bas Lijten Says:

    Waldek,

    First of all, I think that the permission set is quite helpful, if you really want to have bin-deployment. We decided that, when possible, we want every dll to be deployed to the bin, for our own reasons (when possible!)

    But at the moment, we have a mossrap at our (Enterprise) company. For every trust level that is not minimal, Microsoft says it's a potential security issue.

    Is this still the way in SP2010?

  5. Waldek Mastykarz Says:

    @Bas: that's the whole trick with CAS, isn't it: to allow code to do more than default? I think every time you open something introduces a possible threat: no matter if it's SharePoint or just an ordinary ASP.NET app.

Copyright © 2007 - 2010 Waldek Mastykarz
