Wednesday, June 11, 2008

SharePoint MOSS 2007: Request for the permission of type 'System.Data.SqlClient.SqlClientPermission, ...' failed - Part II

in my previous post SharePoint MOSS 2007: Request for the permission of type 'System.Data.SqlClient.SqlClientPermission, System.Data...' failed I show a way to work around the security issues of using the SqlClient object in a web part (or server side control) by editing the wss_minimaltrust.config. But when I started digging deeper into custom code, I needed to access more objects currently restricted by the wss_minimaltrust policy, like SMTPServer and ConfigurationManager.

I suddenly realized I should just be using the medium policy rather than the minimal policy for all my web applications using custom Web Parts. It just so happens you can indeed change the policy used by the entire web application right in the web.config using the following element:


<trust level="WSS_Medium" originUrl="" />

...where the trust level is one already defined in the <securityPolicy> section of your web.config file.

You'll find that a web application created by sharepoint defines two policies for you by default in the web.config file:


<securityPolicy>
<trustLevel name="WSS_Medium" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_mediumtrust.config" />
<trustLevel name="WSS_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_minimaltrust.config" />
</securityPolicy>

I assume they did this specifically for custom development (thank god!). In a standard sharepoint install without any custom development work, the minimal policy is perfect (and probably much more secure). If youre doing any custom webparts or server side controls though, do yourself a favor and switch to the medium policy right from the start.

No comments: