understanding & securing sharepoint application pages oguz demirel
Post on 05-Jan-2016
248 Views
Preview:
TRANSCRIPT
Understanding & SecuringSharePoint Application Pages
Oguz Demirel
Session Materials
In this session, we will have:
Presentation
Demo
Sample Code (Visual Studio Solution)
About This Session
Description
Securing SharePoint Application Pages
Audience
Primary: Developers Secondary: Support
Session Prerequisites
SharePoint Development or Support experience
Session Objectives
Understanding different SP App Page types and usage Securing application pages
Session Outline
Module 1: Introduction to Application Pages
Module 2: UnsecuredLayoutsPageBase
Demo: UnsecureAppPage.aspx
Module 3: LayoutsPageBase
Demo: SecureAppPage.aspx
Module 4: WebAdminPageBase
Demo: AdminAppPage.aspx
Q & A (at the end – please note your questions)
Session Setup
Virtual machine Description
Demo Environment
Windows Server 2003 SP1SharePoint Server 2007 Standard (or Enterprise)
Demo solution deployed (TestApplicationPages.wsp)
Module 1:Introduction to
SharePoint Application Pages
Intro
There are 3 types of SharePoint Application Pages:
UnsecuredLayoutsPageBase
LayoutsPageBase
WebAdminPageBase
Intro (cont’d)
This actually means there are 3 base classes for you to drive your custom application page from. (Note above class names)
UnsecuredLayouts & Layouts pages under namespace: Microsoft.SharePoint.WebControls
WebAdmin page under namespace: Microsoft.SharePoint.ApplicationPages *
* Reference Microsoft.SharePoint.ApplicationPages.dll to use it!
Module 2: UnsecuredLayoutsPageBase
Represents an application page, sometimes called a layouts page, that can request certain resources and verify that the client has not been disconnected.
In general, use UnsecuredLayoutsPageBase as a base class for pages to which even unauthenticated users must have access; such as a login page.
Description
Login.aspx
Display a login page allowing users to enter forms authentication credentials.
Samples – Login Page
AccessDenied.aspx
Displays a notice that you have been denied access to the requested resource. Shows the name of the currently logged-in user and a link to sign-in as a different user.
Samples – Access Denied Page
Confirmation.aspx
Displays a message indicating that the requested operation succeeded.
Samples – Confirmation Page
ReqAcc.aspx
Displays a notice that you have been denied access to the requested resource.
Samples – Request Access Page
Signout.aspx
Responsible for logging a user out of the site.
Samples – Sign Out Page
Demonstration: UnsecureAppPage.aspx
In this demonstration, you will see how to:
Develop a sample “UnsecureAppPage.aspx” inheriting from UnsecuredLayoutsPageBase
Override AllowAnonymousAccess property
Module 3: LayoutsPageBase
Represents an application page (sometimes called a "_layouts" page) to which access can be limited to users that possess certain rights.
The LayoutsPageBase (in Microsoft.SharePoint.WebControls) class is the most common class to derive application pages from.
The advantages with using the LayoutsPageBase as your base class is that you can easily access the current SharePoint Site or Site Collection with the built-in properties and control the security of the application page.
Description
With the LayoutsPageBase class you can use the built-in properties for the Site and Web to access the current Site Collection or Site (both these properties are derived from the UnsecuredLayoutsPageBase class) or use the SPContext class to access the current site and web.
Access the SharePoint objects
If you create some pages that creates reports or similar that may take a long time to generate and consumes server resources, you should use the StopRequestIfClientIsNotValid method.
This method ends the request if the client is no longer connected to the page and saves you of some CPU cycles.
If you have these kind of pages - think over and use the SPLongOperation class to inform the user that it will take a while.
Stop long running operations
Exit from the Application Page
If you are creating an application page that uses the ButtonSection control template you will have a Cancel button.
The target of this Cancel button is controlled using the PageToRedirectOnCancel property.
Just override the property and return a string containing the target of your cancel page.
Security in the Application Page
The LayoutsPageBase class contains a virtual property called RightsRequired, this property can be used to programatically set which rights (on the current Site) that are required to use the application page.
By default the rights are checked at the end of the OnLoadComplete, but using the RightsCheckModes property you can disable the check or perform it in OnPreInit instead.
There are also a property called RequireSiteAdministrator that can be overridden to make sure that the user is site administrator.
Demonstration: SecureAppPage.aspx
In this demonstration, you will see how to:
Develop a sample “SecureAppPage.aspx” inheriting from LayoutsPageBase
Override RightsRequired property
Use RightsCheckModes property
Override RequireSiteAdministrator property
Custom Security Check - 1
What if you wanted to check if a user belongs to a certain security group in Active Directory or check if user belongs to a SharePoint Group before granting access?
There is no SharePoint permission (SPBasePermission) that directly corresponds to that.
We need to implement our custom logic.
Custom Security Check - 2
How do we implement our custom security check?
Set RightsCheckModes to OnPreInit in page constructor
Call CheckCustomRights method on OnLoad event
Custom Security Check - 3
Implement your custom logic in CheckCustomRights.
Example
Super user – this application page can only be accessed by only Super User
Module 4:WebAdminPageBase
Description
WebAdminPageBase is inheriting from LayoutsPageBase.
Use WebAdminPageBase when you want to create application pages for Central Admin or Site Settings.
Override RequireSiteAdministrator and set it to true.
This will allow only Site Administrators to access your application page.
Demonstration: AdminAppPage.aspx
In this demonstration, you will see how to:
Develop a sample “AdminAppPage.aspx” inheriting from WebAdminPageBase
Override RequireSiteAdministrator property
top related