Manage Web Parts (SharePoint Server 2010)


Applies to: SharePoint Foundation 2010, SharePoint Server 2010

The Sandbox Solution framework executes user-provided code outside of the IIS worker process. It is not designed or supported as a security boundary for that code, especially code of unknown origin, and it must not be relied on to enforce one. Do not execute sandboxed solutions from sources you do not trust.

Web Parts are modular elements that present information on pages of SharePoint sites. For more information, see the Web Parts in Windows SharePoint Services (https://go.microsoft.com/fwlink/p/?LinkId=184240) section of the SharePoint Foundation 2010 SDK.

This article helps you prepare to manage security for Web Parts pages and controls that are used with SharePoint Server 2010.

In Microsoft SharePoint Server, a Web Parts page is a collection of Web Parts that combines list data, timely information, or useful graphics into a dynamic Web page. The layout and content of a Web Parts page can be set for all users and optionally personalized for individual users. A site owner or a site member with the appropriate permissions can create and customize Web Parts pages by using a browser to add, reconfigure, or remove Web Parts.

Web Parts are not restricted to use only on Web Parts pages. They can be added directly to wiki pages, content pages, and publishing pages.

Web Parts in SharePoint Server can be configured to run in sandboxed solutions. A sandboxed solution runs the Web Part in a separate, restricted worker process that blocks access to many local and network resources, which reduces the risk that a faulty Web Part disrupts other content and solutions on the SharePoint Server farm. This lets users add their own Web Parts in a hosted environment and lets developers deploy Web Parts that have not yet been thoroughly tested for production use. As the note at the start of this article states, the sandbox limits the damage a faulty Web Part can do; it is not a security boundary against malicious code, so deploy only sandboxed solutions from sources you trust.

For more information about sandboxed solutions, see Sandboxed solutions planning (SharePoint Server 2010).

The Web Parts infrastructure in SharePoint Server exists on a layer above the ASP.NET Web Parts infrastructure. To effectively protect SharePoint sites, server administrators must be familiar with security guidelines and best practices for ASP.NET. For more information, see Security Guidelines: ASP.NET 2.0 (https://go.microsoft.com/fwlink/p/?LinkId=103423) in the MSDN Library Online.

Security for Web Parts pages and controls

Protecting Web Parts pages and controls is a collaborative effort. Developers, site administrators, and server administrators must work together to improve security for Web Parts and Web Parts pages. Developers should validate all Web Part input, including Web Part properties that users set from the browser, to prevent injection and cross-site scripting attacks. Server administrators must configure Internet Information Services (IIS) to use an appropriate authentication method.

Server administrators also configure and deploy Web Parts solutions to a Web server or Web farm. After the solution is deployed, site administrators or server administrators define the permission levels and permissions that allow access to Web Parts pages.

The following table shows the security roles responsible for configuring permissions on Web Parts pages and Web Parts.

Role: Developer
Category: Input validation
Applies to: Web Part code
Description: Input validation refers to how your application filters, scrubs, or rejects input before additional processing. This includes verification that the input that your application receives is valid and safe.
Recommended guidelines:
Building Secure ASP.NET Pages and Controls (https://go.microsoft.com/fwlink/p/?LinkId=103424) (MSDN Library Online)
Walkthrough: Creating a Basic SharePoint Web Part (https://go.microsoft.com/fwlink/p/?LinkId=103425) (MSDN Library Online)

Role: Server administrator
Category: Authentication
Applies to: IIS
Description: Authentication is the process where an entity validates the identity of another entity, typically through credentials such as a user name and password.
Recommended guidelines:
Plan authentication (SharePoint Server 2010)

Role: Site administrator or server administrator
Category: Authorization
Applies to: Site collections
Description: Authorization is the process that provides access controls for Web sites, lists, folders, or items by determining which users can perform specific actions on a given object. The authorization process assumes that the user has already been authenticated.
Recommended guidelines:
Authorization and Authentication (https://go.microsoft.com/fwlink/p/?LinkId=103428) (MSDN Library Online)

Role: Server administrator
Category: Configuration management
Applies to: .NET Framework configuration
Description: Configuration management encompasses a broad range of settings that allow an administrator to manage the Web application and its environment. These settings are stored in XML configuration files, some of which control computer-wide settings, while others control application-specific configurations. You can define special security constraints in configuration files and computer-level code access security permissions.
Recommended guidelines:
"Code Access Security" in "Securing Your Web Server" (https://go.microsoft.com/fwlink/p/?LinkId=103431) (MSDN Library Online)
Microsoft Windows SharePoint Services and Code Access Security (https://go.microsoft.com/fwlink/p/?LinkId=103436) (MSDN Library Online)
Using Code Access Security with ASP.NET (https://go.microsoft.com/fwlink/p/?LinkId=103438) (MSDN Library Online)
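The two responsibilities in the table that live in Web Part code, input validation and authorization, are easiest to see together in one Web Part. The following is an added example written for this article; it is not code from the article, from the linked walkthrough, or from Microsoft. The namespace Contoso.WebParts, the class name ListItemsWebPart, the ListName property and the default list title "Shared Documents" are assumptions made for the example. It derives from the ASP.NET WebPart base class so that it can be deployed as a sandboxed solution as well as a farm solution.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls.WebParts;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

namespace Contoso.WebParts // assumed namespace; not from the article
{
    // Derives from the ASP.NET WebPart base class, the one a sandboxed
    // solution may use. Validates its input, then authorizes before rendering.
    public class ListItemsWebPart : WebPart
    {
        private string _listName = "Shared Documents"; // assumed default

        // Property a page editor sets in the tool pane. Anyone allowed to edit
        // the page controls it, so it is untrusted input, not a trusted constant.
        [Personalizable(PersonalizationScope.Shared), WebBrowsable(true)]
        [WebDisplayName("List name"), WebDescription("Title of the list to show")]
        public string ListName
        {
            get { return _listName; }
            set
            {
                // Input validation: accept only a short, plain list title. A
                // SharePoint list title never legitimately contains markup
                // characters, so rejecting them keeps script and tags out of
                // the personalization store entirely.
                if (string.IsNullOrEmpty(value) || value.Length > 255 ||
                    value.IndexOfAny(new[] { '<', '>', '&', '"', '\'' }) >= 0)
                {
                    throw new ArgumentException(
                        "ListName must be a list title with no markup characters.");
                }
                _listName = value.Trim();
            }
        }

        protected override void RenderContents(HtmlTextWriter writer)
        {
            // The Web Part runs as the current user. Resolve the list through
            // the current SPWeb so SharePoint's own security trimming applies.
            SPWeb web = SPContext.Current.Web;
            SPList list = web.Lists.TryGetList(ListName);

            // Authorization: check the permission you are about to exercise on
            // the object you are about to read. Being able to view the page
            // does not imply being able to view the list it renders.
            if (list == null ||
                !list.DoesUserHavePermissions(SPBasePermissions.ViewListItems))
            {
                writer.Write("<p>No list is available to display.</p>"); // constant markup only
                return;
            }

            // Bound the query so a large list cannot be used to exhaust the page.
            SPQuery query = new SPQuery();
            query.RowLimit = 20;
            SPListItemCollection items = list.GetItems(query);

            // Output encoding: every value that came from a user or from list
            // data is HTML-encoded before it reaches the response.
            // UNSAFE (stored XSS): writer.Write("<h3>" + ListName + "</h3>");
            writer.Write("<h3>" + SPHttpUtility.HtmlEncode(list.Title) + "</h3>");
            writer.Write("<ul>");
            foreach (SPListItem item in items)
            {
                writer.Write("<li>" + SPHttpUtility.HtmlEncode(item.Title) + "</li>");
            }
            writer.Write("</ul>");
        }
    }
}
```

The ArgumentException thrown by the property setter surfaces in the tool pane as a validation error, so a page editor cannot persist a malformed value. The DoesUserHavePermissions check is evaluated for the current user; rendering list data under elevated privileges would bypass it, so a Web Part that must show data to users who cannot read it directly should be designed and reviewed as an explicit exception rather than written this way.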

In this section

Configure and deploy Web Parts (SharePoint Server 2010)