Deployment and security options of custom code in SharePoint 2010

In SharePoint 2010 there are more ways to deploy custom code than in its predecessors, the reason is the introduction of the Sandboxed solutions. There are basically now three different ways to deploy custom assemblies:

• Full trust solutions/ Farm solutions - The assemblies are registered in the GAC and runs under full trust
• Partial trust solutions/ Web Application solutions - The assemblies are deployed to the bin folder of a specific Web Application
• Sandboxed solutions/ User code solutions - The assemblies (solutions) are deployed to the Site Collection gallery

These are the basic variants of how to deploy custom assemblies. There are actually a few variants of them, but more about them later. So which one should I use and when? Let's go through them all and look at the pros and cons.

Sandboxed Solutions

The Sandboxed Solutions runs inside the a special service, called Microsoft SharePoint Foundation Sandboxed Code Service, which is a completely and separate application domain than the SharePoint application pools. The Sandboxed solutions are monitored and if they consume to much resources or fails to many times SharePoint automatically shuts the solution down. The code running in a Sandboxed assembly does not have access to the full SharePoint API, basically it's just the classes from Site Collection level and below. The sandbox is also protected with a very minimal CAS policy which for example prohibits the user code solutions from calling web services, making database calls or accessing the file system.

Sandboxed solutions are deployed into the Solution gallery of a Site Collection and only access that Site Collection. They can be deployed without having any downtime of the farm or web application. Anyone within the Site Collection Administrators group can upload solutions to the gallery and activate them. Farm administrators controls how much resources each Sandbox can use and can also block specific solutions from running at all.

Pros	Cons
Can easily be deployed by Site Collection Administrators	Very limited CAS policy
Resource usage is monitored	* Current uncertainty about the monitoring stability
Secure	Hard to deploy in a farm
Great support in Visual Studio 2010
Only crashes the Sandbox if it blows

Farm Solutions

The Farm solutions or full trust solutions adds the assembly to the Global Assembly Cache, GAC, which means that they can run without any CAS policies, i.e. under full trust. The assemblies can be accessed from any application in the farm. Full-trust solutions are (was?) the most common way to install solutions since it is easy and requires no knowledge of for instance CAS policies. The code running in a full trust solution has the same access as the application pool account to the local server and can do almost what it want with the server. Deploying Farm solutions should only be done with code that you really trust.

Only farm administrators can upload new farm solutions to the configuration database and most often an application pool recycle is needed, especially when updating solutions.

Pros	Cons
Easy to implement	Only Farm Administrators can add new solutions (can be a pro also :-)
Great support in Visual Studio 2010	Downtime when updating
Runs in full trust	Have to much privileges
	Can crash the whole server

Web Application Solutions

Solutions deployed to the web application bin directory was the way to go in SharePoint 2007 when you wanted/needed to secure you application using CAS. This partial trust option is still valid in SharePoint 2010. Web application deployed solutions by default only have a very minimal CAS policy applied. Using custom CAS policies it is easy to give more privileges to assembly. Installing these solutions also requires a Farm Administrator but they are only applied to specific Web Applications. Updating the assembly does not require an application pool recycle.

Visual Studio 2010 have support for Web Application deployment but not for custom CAS policies. If you need custom CAS policies you need to hack some XML and you cannot use the F5-debugging experience in Visual Studio. Instead you have to install the solution using PowerShell or create your own Visual Studio SharePoint Deployment Steps.

Pros	Cons
Security policies can be configured and kept minimal	Only Farm Administrators can add new solutions (can be a pro also :-)
Minimal downtime when upgrading	No support OOB for custom CAS policies in Visual Studio 2010
Only crashes the web application

Sandboxed Solutions with User Code Proxies

There is actually a fourth option of deployment. And that is to use Sandboxed Solutions in combination with a full-trust User Code Proxy. A User Code Proxy is a special assembly and class that is registered in the GAC and running under full trust. This class exposes an operation that can be called by the Sandboxed code. Since it runs under full trust we can easily create a Proxy Operation that calls a web service or access other protected (from the Sandbox) sources. The proxy has to be registered by a farm administrator and is accessible to the whole farm, which means that all developers who knows about the assembly, class and operation can use the operation.

Since the User Code Proxy runs under full trust you need to be careful about that one. But if you design your application carefully the proxy operations should be kept to a minimum and quite small. This allows you to make the thorough code review on only a fraction of the whole application.

Tip: Make the User Code Proxies as Farm solutions which are registered using Feature activation and unregistered using deactivation of the Feature. Then your farm administrators can enable and disable them easy!

Access denied within SPSecurity.RunWithElevatedPrivileges

Learned something really interesting (and a few lessons) in the last few days. We were doing an operation within a webpart which required higher level of access. Since this was to be executed irrespective of the access of the user logged in, we had the code enclosed within the SPSecurity.RunWithElevatedPrivileges. Surprisingly the code was failing and showing "Error : Access Denied". I remembered having seen this issue earlier on another project. That time we had a workaround which looked elegant and we didn't need to investigate the root cause. But now things were not as good and made me think this was going to be a bummer. Luckily I was able to figure it out in time. Let me explain this with the below code that throws access denied even though it is wrapped within the SPSecurity.RunWithElevatedPrivileges.

The code is part of a webpart that just displayed all the users in the owners group of the current site. This code runs fine with users having Full control or Contribute access. But fails for users having only Read access.

Label labelUsers;

protected override void CreateChildControls() {

labelUsers = new Label();

this.Controls.Add(labelUsers);

SPSecurity.RunWithElevatedPrivileges(delegate() {

SPSite site = SPContext.Current.Site;

SPWeb web = SPContext.Current.Web;

SPGroup group = web.Groups.GetByID(3);//get the owners group

if (group != null) {

StringBuilder users = new StringBuilder();

for (int cnt = 0; cnt <>

users.AppendFormat("{0},", group.Users[cnt]);

}

labelUsers.Text = users.ToString();//display it on the label

}//End of "If" block

});//Close "SPSecurity.RunWithElevatedPrivileges" block

}

This code throws an exception for Read users at the line "for (int cnt = 0; cnt <>This line fails when the Users collection withing the SPGroup it being accessed.

Looks like the SPSecurity class is not behaving correctly here but lt is working perfectly in the way it is supposed to.Though the entire code is enclosed within SPSecurity.RunWithElevatedPrivileges not all code is able to run with the elevated privileges. So the rule is -- The code will not run within elevated privilege if the object accessed was not created within the SPSecurity.RunWithElevatedPrivileges block. If we take a relook at the code we can see that the instances of SPSite (i.e. site object ) and SPWeb (i.e. web object) are retrieved through the current SPContext. The SPContext is created much before our elevated privilege code runs. Accessing the child objects of the SPWeb instance in form of "web.Groups.GetByID(3)" returns a SPGroup object which will also fail to run within the elevated privilege. And once we (with only read access) try to access the Users collection within the SPGroup object Sharepoint rings the bell indicating the information is classified. It throws you out of execution by rasing an exception.

Now that we know the reason for the error, the problem doesn't look too tough and in reality the solution is simple. To run this code successully we need to create the SPSite and SPWeb instances within the SPSecurity.RunWithElevatedPrivileges. So we have the new code below (the changes are highlighted)

Label labelUsers;

protected override void CreateChildControls(){

labelUsers = new Label();

this.Controls.Add(labelUsers);

SPSecurity.RunWithElevatedPrivileges(delegate(){

SPSite site = SPContext.Current.Site;

SPWeb web = SPContext.Current.Web;

using (SPSite newSite = new SPSite(site.ID)) {

using (SPWeb newWeb = newSite.OpenWeb(web.ID)){ //Do not use the site object to create the SPWeb instance else the code will still fail

SPGroup group = newWeb.Groups.GetByID(3); //get the owners group

if (group != null) {

StringBuilder users = new StringBuilder();

for (int cnt = 0; cnt < style="font-family: Consolas; font-size: x-small; ">

users.AppendFormat("{0},", group.Users[cnt]);

}

labelUsers.Text = users.ToString();

//display it on the label

}// End of "If" block

}// End of using for SPWeb

}// End of Using for SPSite

});//End of SPSecurity.RunWithElevatedPrivileges

}

This code now works beautifully.

With some more space to write let me jot down the lessons learned (little bits of wisdom we cannot afford to ignore ;-) )

Lesson 1 - Just putting your code within SPSecurity.RunWithElevatedPrivileges does not guarantee your code to run successfully irrespective of the access of the user logged in. You may want to look at the code carefully when writing it and look back at it again once you have written thinking that it will work fine no matter what.

Lesson 2 - No matter how confident you are with your code, its always better in sharepoint to unit test your code with all three types of user access (i.e. Owner/Full control access, Members/Contribute access and Read/Visitor access). I have made it a point to write my unit tests with all the three types user access in consideration and hopefully will be able to avoid similar mistakes in future.