Application Page Security for SharePoint - DevSharePoint.com


Application Page Security for SharePoint

Posted by GeorgeH on October 22, 2011

This post describes how to implement request validation and permission based security in SharePoint Application pages.

Validate a Request sent from a form page in SharePoint
Application Pages that accept and process requests from a form page should validate those requests with the ValidateFormDigest() method. The method checks a security validation (the form digest) that the originating form page passes along with the request, so a malicious request sent from another page is rejected. Include the following FormDigest tag on the form page to generate the security validation:

<SharePoint:FormDigest runat="server"/>

On the page that processes the request, call the SPUtility.ValidateFormDigest() method before executing code with elevated privileges. Do this even though SharePoint itself calls the method before completing most write requests.

using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

protected override void OnLoad(EventArgs e) {
   base.OnLoad(e);
   // Throws if the form digest is missing or invalid, so nothing below runs
   SPUtility.ValidateFormDigest();
   SPSecurity.RunWithElevatedPrivileges(delegate()
   {
      // Page logic that runs under the application pool identity
   });
}

Layout Page Base Classes with Security
There are two base classes that a custom Application Page can inherit from so that the page is secured based on user permissions.

The LayoutsPageBase class should be used when you need to restrict a page to users with specific permission levels.

The UnsecuredLayoutsPageBase class should be used when you are creating an Application Page that needs to be accessible to anonymous users, or to users with minimal permissions on a SharePoint site.

When a page inherits from the LayoutsPageBase class, a number of properties can be overridden to implement security based on user permissions:

The RightsRequired property can be overridden to specify one or more SPBasePermissions that correspond to various built-in permissions on an object in SharePoint.

protected override SPBasePermissions RightsRequired {
   get {
      // The user must hold both rights on the current web
      return SPBasePermissions.ManageLists |
             SPBasePermissions.ManageSubwebs;
   }
}

The RequireSiteAdministrator property can be overridden to restrict a page to only site collection administrators.

protected override bool RequireSiteAdministrator {
   get {
      return true;
   }
}
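The following class is an added example, not code from the original post, that puts the pieces above together in one application page: it inherits from LayoutsPageBase, restricts the page through RightsRequired, validates the form digest on postback, and reopens the site and web inside the elevated delegate so the write actually runs under the elevated identity. The class name ManageListsPage and the property bag key are hypothetical.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

// Hypothetical application page combining permission-based and request security.
public class ManageListsPage : LayoutsPageBase
{
    // Users lacking either right on the current web are denied access to the page.
    protected override SPBasePermissions RightsRequired
    {
        get { return SPBasePermissions.ManageLists | SPBasePermissions.ManageSubwebs; }
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // The initial GET only renders the form, which carries
        // <SharePoint:FormDigest runat="server"/>; only postbacks do work.
        if (!IsPostBack)
        {
            return;
        }

        // Throws if the digest is missing or stale, so a request forged
        // from another page never reaches the elevated code below.
        SPUtility.ValidateFormDigest();

        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Objects taken from SPContext keep the caller's identity; reopen
            // them inside the delegate so the write uses the elevated account.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                // Hypothetical write: record who last used this admin page.
                web.Properties["LastManagedBy"] = SPContext.Current.Web.CurrentUser.LoginName;
                web.Properties.Update();
            }
        });
    }
}
```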
