I saw quite a few times that while seeing security exception thrown from SharePoint, the first reaction is to add a SafeControl entry. SharePoint will tell you very clearly if you need to add any SafeControl entry in your Web.Config. Typically, you should see the error message similar to the following:
Parser Error
Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately.
Parser Error Message: The control type 'Dummy.DummyUnsafeWebPart' is not allowed on this page. The type is not registered as safe.
If you have not seen the message, do not try to add any SafeControl. SafeControl is a SharePoint-special security mechanism. A common MISTAKE is to assume a Dll will have full trust if the Dll is added to the SafeControl list.
The SafeContol entries are checked by SharePoint parser to make sure Controls are “safe” to be placed in a page declaratively. It is important to know that only SharePoint Parser honors SafeControl. After parsing stage, SafeControl is out of Picture. This can be explained by the following sample code:
[ToolboxData("<{0}:DummySPWebPart runat=server></{0}:DummySPWebPart>")]public class DummySafeWebPart : WebPart
{protected override void CreateChildControls()
{this.Controls.Clear();
this.Controls.Add(new Dummy.DummyUnsafeWebPart());
}
}
[ToolboxData("<{0}:DummyWebPart runat=server></{0}:DummyWebPart>")]public class DummyUnsafeWebPart : WebPart
{protected override void RenderContents(HtmlTextWriter output)
{ output.Write("Hello World");}
}
The code shows the implementation of two web parts, DummySafeWebPart and DummyUnsafeWebPart. DummySafeWebPart just creates and adds an DummyUnsafeWebPart to its Children’s collection. Add an SafeControl entry to Web.Config for DummySafeWebPart. Now, testing the following two scenarios:
Scenario 1: A sharepoint page containing DummySafeWebPart only
<%@ Page Language="C#" %><%@ Register assembly="SPDummy" namespace="SPDummy" tagprefix="SPDummy" %><html dir="ltr">
<head>
<META name="WebPartPageExpansion" content="full">
</head>
<body>
<head>
<META name="WebPartPageExpansion" content="full">
</head>
<form id="form1" runat="server">
<SPDummy:DummySafeWebPart runat="server" />
</form>
</body>
</html>
Open the page in a Brower, it works fine.
Scenario 2. A sharepoint page containing DummyUnsafeWebpart only:
<%@ Page Language="C#" %><%@ Register assembly="Dummy" namespace="Dummy" tagprefix="Dummy" %><html dir="ltr">
<head>
<META name="WebPartPageExpansion" content="full">
</head>
<body>
<head>
<META name="WebPartPageExpansion" content="full">
</head>
<form id="form1" runat="server">
<Dummy:DummyUnsafeWebPart runat="server" />
</form>
</body>
</html>
Open the page in a Brower, it throws exception:
The two testing scenarios show that an “unsafe” control can be loaded by a “safe” control in sharepoint. However, if you place the “unsafe” control declaratively in a sharepoint content page, sharepoint will complain. This is becanse SharePoint Parser can not see the loading of unsafe control inside safecontrol. Parser can only see whatever controls your place declaratively in a page.
No comments:
Post a Comment