.NET Support and Security in Microsoft Windows SharePoint Services

Microsoft Windows SharePoint Services provides support for .NET Web development. The .NET-managed object models serve as a platform for customizing SharePoint sites and for integrating custom Web applications developed upon the .NET Framework.

Windows SharePoint Services supports .NET development in the following ways:

  • Uses ASP.NET, instead of ISAPI, for base page execution.
  • Includes the Web Part infrastructure, which provides not only the views of list data used on every page of a SharePoint site, but also a dynamic means for customizing a site through Web Parts and Web Part Pages.
  • Provides a server-side, managed-code object model for code that is executed on the server running Windows SharePoint Services and allows for programmatic access to site and list data. This object model is accessible via ASP.NET or any other server process.
  • Offers XML Web services for access from remote computers and applications, including SOAP interfaces with methods for accessing data on a SharePoint site.

Security

The following precautions improve security on servers running Windows SharePoint Services. These precautions affect where or how code is executed on a SharePoint site:

  • For content stored in Windows SharePoint Services, only a registered set of custom server controls operates on a Web page.

  • Inline script is not executed in a default page, such as for working with lists or managing a site, although you can implement code-behind pages in which script will run.

  • You must install all executable code, including custom server controls, Web Parts, and code-behind classes, physically on the front-end Web server or, in the case of a server farm, on each of the front-end Web servers.

  • In an ASP.NET context, you must perform updates to the database as part of a POST request. Windows SharePoint Services throws an exception if you use a GET to make the request, which would otherwise open security risks.

  • By default, Windows SharePoint Services requires that you include security validation on any ASPX page that submits a request to modify the contents of the database. For information on the two kinds of security validation that can be used, see Security Validation and Making Posts to Update Data.

  • Code running on one virtual server cannot reference another virtual server unless the first server is the administrative virtual server. If the code needs to operate in relation to more than one virtual server, create the application on the administrative port (in other words, within the Local_Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\60\TEMPLATE\ADMIN\1033 folder) or set the RequestFromAdminPort field of the SPGlobalAdmin class to true.

  • The Microsoft.SharePoint.Utilities namespace provides methods for encoding strings that can be used to improve security in a Windows SharePoint Services deployment. As an example, suppose someone enters the following code as a value for the title of a list — <script>alert();</script> — and you are running code like the following to display the title of every list within a site collection:

    // Vulnerable as written: each list title is written to the response unencoded,
    // so markup stored in a title is sent to the browser as live HTML.
    SPSite site = SPControl.GetContextSite(Context);
    SPWebCollection allSites = site.AllWebs;
    foreach (SPWeb subSite in allSites)
    {
        SPListCollection allSiteLists = subSite.Lists;
        foreach (SPList subSiteList in allSiteLists)
        {
            // User-supplied data goes straight into the page output here.
            Response.Write(subSiteList.Title + "<BR>");
        }
    }

    When you run your code, the script block in the title of the list runs and a message box is displayed. To prevent this from happening, you can use the HtmlEncode method of the SPEncode class to convert angle brackets ("<" or ">") to HTML entities so that, as a result, the script block does not run and "<script>alert();</script>" is harmlessly displayed.
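The following code-behind class is an added example, not code from the original documentation, that applies two of the precautions above in one page: it writes list titles through SPEncode.HtmlEncode, and it changes data only on a POST whose security validation succeeds. The class name ListTitlesPage, the form field names listName and newTitle, and the accompanying markup are assumptions made for the example. SPEncode.HtmlEncode, SPUtility.ValidateFormDigest and the FormDigest control are members of the Microsoft.SharePoint.Utilities and Microsoft.SharePoint.WebControls namespaces as the editor knows them, not names taken from this page, so confirm them against the object model reference for your version.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

// Hypothetical code-behind for an ASPX page installed on the front-end Web server.
// The matching .aspx markup is assumed to contain, inside the server-side form:
//   <SharePoint:FormDigest runat="server" />
//   <input type="text" name="listName" /> <input type="text" name="newTitle" />
//   <input type="submit" value="Rename" />
public class ListTitlesPage : System.Web.UI.Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        SPWeb web = SPControl.GetContextWeb(Context);

        // Updates are attempted only for a POST. Windows SharePoint Services throws
        // if a GET tries to modify the database; testing the method here keeps a
        // link-triggered GET from reaching the update code at all.
        if (Request.HttpMethod == "POST" && Request.Form["newTitle"] != null)
        {
            RenameList(web, Request.Form["listName"], Request.Form["newTitle"]);
        }

        RenderTitles(web.Site);
    }

    // Applies a title change only after the page's security validation passes.
    private void RenameList(SPWeb web, string listName, string newTitle)
    {
        // SPUtility.ValidateFormDigest checks the digest posted by the FormDigest
        // control against the one issued to this user for this site; a request
        // without a valid digest is rejected before any data is touched.
        if (!SPUtility.ValidateFormDigest())
        {
            throw new SPException("Security validation of the posted form failed.");
        }

        SPList list = web.Lists[listName];
        list.Title = newTitle;   // stored as entered; encoding is applied on output
        list.Update();
    }

    // Writes every list title in the site collection, HTML-encoded. A title entered
    // as <script>alert();</script> reaches the browser as
    // &lt;script&gt;alert();&lt;/script&gt; and is rendered as text, not executed.
    private void RenderTitles(SPSite site)
    {
        foreach (SPWeb subSite in site.AllWebs)
        {
            foreach (SPList subSiteList in subSite.Lists)
            {
                Response.Write(SPEncode.HtmlEncode(subSiteList.Title) + "<BR>");
            }
        }
    }
}
```

The encoding is applied at the point of output rather than when the title is saved: the stored value stays intact for other consumers, and every place that renders it into HTML is responsible for encoding for that context. The digest check sits in front of the update rather than in the page load so that a page that only reads data never needs a digest at all.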

To run custom code that uses types and members in the Microsoft.SharePoint namespaces, users and groups must be assigned the appropriate permissions, just as when interacting with a site or list by using the user interface. For more information on permissions, see Security, Users, and Groups Overview.