locked
why use safecontrol in sharepoint? RRS feed

  • Question

  • i want exact information on why use of safe control in sharepoint?
    Tuesday, January 17, 2012 11:16 AM

Answers

  • Here is accurate information from one of the msdn source -

    A fundamental assumption of the Windows SharePoint Services technology is that "untrusted users" can upload and create ASPX pages within the system on which Windows SharePoint Services is running. These users should be prevented from adding server-side code within ASPX pages, but there should be a list of approved controls that those untrusted users can use. One way to provide these controls is to create a Safe Controls list.

    The Safe Controls list is a list of controls and Web Parts specific to your SharePoint site that you have designated as safe for invocation on any ASPX page within your site. You store this list in the web.config file in your Web application root


    Priyanka
    • Marked as answer by Wayne Fan Tuesday, January 24, 2012 9:38 AM
    Tuesday, January 17, 2012 12:57 PM
  • SharePoint typically runs in a lower level of trust than ASP.NET Web sites do. This lower level of trust is managed using code access security (CAS).

    The .NET Framework does not allow an assembly that is not fully trusted to call another assembly that is not fully trusted. This is the case with custom Web Parts    they are not fully trusted and thus cannot be called. To get around this issue, Microsoft provides an assembly attribute that developers can add to their projects to tell the .NET Framework that it is OK for assemblies that are not fully trusted to call their assembly. This attribute,  System . Security . AllowPartiallyTrustedCallers , is typically added to the  AssemblyInfo.cs  code file in a project.

    In addition to decorating the assembly with an attribute so it can be called in a SharePoint site, SharePoint also needs to be explicitly told that the class within the assembly is safe. SharePoint ’ s safe mode parser checks every class loaded in every page to ensure that it has been marked as OK to load in the site. Skipping this verification would open SharePoint sites up to a world of undesirable possibilities, as someone within an organization using SharePoint Designer could add a reference to a user control that has not been approved by the SharePoint farm administrators. 

    Therefore, in order for Web Part to run properly within a SharePoint site, SharePoint needs to be made aware that it is a safe control. This is done by adding a   < SafeControl / >   entry to the site ’ s hosting Web application ’ s  web.config  file.

    • Marked as answer by Wayne Fan Tuesday, January 24, 2012 9:38 AM
    Tuesday, January 17, 2012 4:05 PM

All replies

  • Here is accurate information from one of the msdn source -

    A fundamental assumption of the Windows SharePoint Services technology is that "untrusted users" can upload and create ASPX pages within the system on which Windows SharePoint Services is running. These users should be prevented from adding server-side code within ASPX pages, but there should be a list of approved controls that those untrusted users can use. One way to provide these controls is to create a Safe Controls list.

    The Safe Controls list is a list of controls and Web Parts specific to your SharePoint site that you have designated as safe for invocation on any ASPX page within your site. You store this list in the web.config file in your Web application root


    Priyanka
    • Marked as answer by Wayne Fan Tuesday, January 24, 2012 9:38 AM
    Tuesday, January 17, 2012 12:57 PM
  • SharePoint typically runs in a lower level of trust than ASP.NET Web sites do. This lower level of trust is managed using code access security (CAS).

    The .NET Framework does not allow an assembly that is not fully trusted to call another assembly that is not fully trusted. This is the case with custom Web Parts    they are not fully trusted and thus cannot be called. To get around this issue, Microsoft provides an assembly attribute that developers can add to their projects to tell the .NET Framework that it is OK for assemblies that are not fully trusted to call their assembly. This attribute,  System . Security . AllowPartiallyTrustedCallers , is typically added to the  AssemblyInfo.cs  code file in a project.

    In addition to decorating the assembly with an attribute so it can be called in a SharePoint site, SharePoint also needs to be explicitly told that the class within the assembly is safe. SharePoint ’ s safe mode parser checks every class loaded in every page to ensure that it has been marked as OK to load in the site. Skipping this verification would open SharePoint sites up to a world of undesirable possibilities, as someone within an organization using SharePoint Designer could add a reference to a user control that has not been approved by the SharePoint farm administrators. 

    Therefore, in order for Web Part to run properly within a SharePoint site, SharePoint needs to be made aware that it is a safe control. This is done by adding a   < SafeControl / >   entry to the site ’ s hosting Web application ’ s  web.config  file.

    • Marked as answer by Wayne Fan Tuesday, January 24, 2012 9:38 AM
    Tuesday, January 17, 2012 4:05 PM