Tips and Known Issues
Published: May 2010
This topic provides tips and information about known issues related to security and claims.
How to Lock Down the Use of ASP.NET Expressions on a SharePoint Site
Designers can upload .aspx pages to a document library, and those pages can use ASP.NET expression builders to read values from the web.config file. If you store sensitive data in web.config, you should disable the ASP.NET expression builders or consider moving the data to another location.
Security Token Service Application Pool Account and Custom Claims Provider Calls
Application services that connect directly to a database might require a security token service (STS) application pool account to be granted database access if a custom claims provider calls the application services object model.
The FillClaimsForEntity() method always runs as one of the following identities:
STS application pool identity
Thread identity (the user who is logged in to the site collection, for example contoso\user1)
If your custom code for the FillClaimsForEntity() method accesses the object model of a service application that connects directly to a database (for example, a user profile application connects to a database), the object model calls fail if the STS application pool identity account or the thread identity account does not have permissions to connect to the service application database.
If your custom implementation of a claims provider accesses the object model of a service application that also connects directly to a database, you must ensure that the STS application pool account also has permissions to the database of the service application. (And the service application pool account must have the same permissions.)
Claims Provider Name to Appear in Web Page Dialog
You use the CreatePickerEntity() method to create a picker entity. It is a helper function used in search and resolve methods.
If you want your claims provider name to appear in the Select people and groups – Webpage Dialog in the People Picker control, you must use the CreateClaim() helper method when setting the Claim property of the PickerEntity instance. The dialog then displays the value of the provider display name property of your custom claims provider. Otherwise, the claims provider name does not appear in the Web page dialog and you see only the entity group name and a colon (that is, your claims provider name is not displayed after the colon). To show a custom entity group name in the dialog, set the EntityGroupName property on the PickerEntity instance.
For more information about the entity group name, see the EntityGroupName property.
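The following is an added example, not code from this topic, of a hypothetical custom claims provider that illustrates both points above: FillClaimsForEntity() is kept free of object model calls that need service application database permissions, and each PickerEntity is built with CreatePickerEntity(), CreateClaim() and EntityGroupName so that the provider name and a custom group name appear in the dialog. The class name, the internal provider name and the role list are assumptions.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;
using Microsoft.SharePoint.Administration.Claims;
using Microsoft.SharePoint.WebControls;

// Hypothetical provider: augments users with Contoso roles from a constructed
// in-memory list and resolves them in the People Picker without a database.
public class ContosoRoleClaimProvider : SPClaimProvider
{
    private static readonly string[] Roles = { "Contoso Employee", "Contoso Contractor" };
    public ContosoRoleClaimProvider(string displayName) : base(displayName) { }
    public override string Name { get { return "ContosoRoles"; } }  // assumed internal name
    public override bool SupportsEntityInformation { get { return true; } }
    public override bool SupportsHierarchy { get { return false; } }
    public override bool SupportsResolve { get { return true; } }
    public override bool SupportsSearch { get { return false; } }

    // Runs as the STS application pool identity or the thread identity, so it
    // must not call an object model that needs database permissions they lack.
    protected override void FillClaimsForEntity(Uri context, SPClaim entity, List<SPClaim> claims)
    {
        foreach (string role in Roles)
            claims.Add(CreateClaim(ClaimTypes.Role, role, ClaimValueTypes.String));
    }
    protected override void FillResolve(Uri context, string[] entityTypes, string input, List<PickerEntity> resolved)
    {
        foreach (string role in Roles)
            if (role.Equals(input, StringComparison.OrdinalIgnoreCase)) resolved.Add(MakeEntity(role));
    }
    protected override void FillResolve(Uri context, string[] entityTypes, SPClaim input, List<PickerEntity> resolved)
    { FillResolve(context, entityTypes, input.Value, resolved); }

    private PickerEntity MakeEntity(string role)
    {
        PickerEntity pe = CreatePickerEntity();
        // CreateClaim, not "new SPClaim": it records this provider as the issuer,
        // which is what makes the provider display name appear in the dialog.
        pe.Claim = CreateClaim(ClaimTypes.Role, role, ClaimValueTypes.String);
        pe.DisplayText = role;
        pe.EntityType = SPClaimEntityTypes.FormsRole;
        pe.EntityGroupName = "Contoso Roles";  // custom group name shown before the colon
        pe.IsResolved = true;
        return pe;
    }

    protected override void FillClaimTypes(List<string> t) { t.Add(ClaimTypes.Role); }
    protected override void FillClaimValueTypes(List<string> t) { t.Add(ClaimValueTypes.String); }
    protected override void FillEntityTypes(List<string> t) { t.Add(SPClaimEntityTypes.FormsRole); }
    protected override void FillHierarchy(Uri c, string[] e, string node, int levels, SPProviderHierarchyTree tree) { }
    protected override void FillSearch(Uri c, string[] e, string pattern, int max, SPProviderHierarchyTree tree) { }
    protected override void FillSchema(SPProviderSchema schema) { }
}
```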
Security Token Service Validate and Cancel Methods
Microsoft SharePoint Foundation inherits the Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService base class from Windows Identity Foundation (WIF). SharePoint Foundation overrides the WIF security token service (STS) APIs to issue its own SharePoint STS security tokens. However, note that the Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Validate method and the Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.Cancel method are not implemented in SharePoint Foundation. These two methods may be supported in the future.