Changing Code Access Security (CAS)

You must change the Code Access Security (CAS) policy so that deployed applications can access certain application files and features in the Layouts folder. For example, the PDF and Microsoft Word reporting feature needs permission to read report schema files.

Modify the trust configuration file used by the hosting web application:

Step 1:  Locate the ‘trust level’ in the hosting application’s Web.config, e.g.:

<trust level="WSS_Medium" originUrl="" />

See Locating application files on the SharePoint server for details.

Step 2:  Locate the configuration file reference in the <system.web> node matching the “trust level” from Step 1, e.g.:

<system.web>

     <securityPolicy>

          <trustLevel name="WSS_Medium" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_mediumtrust.config" />

Step 3:  Open the policy configuration file for editing, e.g., “wss_mediumtrust.config”.

Step 4:  Locate the ‘CodeGroup’ section after ‘Named Permission Sets’:

<CodeGroup   class="FirstMatchCodeGroup"   version="1"  PermissionSetName="Nothing">

     <IMembershipCondition   class="AllMembershipCondition"   version="1"  />

Step 5:  Paste the following new entry below the <IMembershipCondition> tag.

<CodeGroup  class="UnionCodeGroup"  version="1"  PermissionSetName="FullTrust">

     <IMembershipCondition class="UrlMembershipCondition"  version="1"   Url="$AppDirUrl$/bin/*" />

 </CodeGroup>

After making this addition, the first part of the CodeGroup section should look like:

<CodeGroup  class="FirstMatchCodeGroup"  version="1"  PermissionSetName="Nothing">

     <IMembershipCondition  class="AllMembershipCondition" version="1" />

     <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">

          <IMembershipCondition class="UrlMembershipCondition"  version="1" Url="$AppDirUrl$/bin/*" />

     </CodeGroup>

     <CodeGroup   class="UnionCodeGroup"  version="1"  PermissionSetName="FullTrust">

          <IMembershipCondition class="UrlMembershipCondition" version="1"  Url="$AppDirUrl$/_app_bin/*"  />

     </CodeGroup>

The hosting application’s /bin folder is where your deployed application’s DLLs are placed.  This modification allows deployed application DLLs to run with full trust, which resolves all possible partial-trust conflicts with other controls and providers declared in the hosting application’s Web.config file.  Because the Url value ends in /bin/*, the FullTrust grant applies to every assembly placed in that folder.

Step 6:  Locate the “SPRestricted” permission set in the policy configuration file, e.g.:

<PermissionSet class="NamedPermissionSet" version="1" Name="SPRestricted">

Step 7:  Configure Code Access Security.  There are two ways to configure Code Access Security:

  1. Configure a common permission set for all DLLs in the hosting application’s \bin folder, allowing them to navigate the \Layouts sub-folder.  All deployed applications will then work properly.

  2. Configure custom permission sets for individual applications.

Configuring a common permission set

Inside the “SPRestricted” permission set, locate the “IPermission” node for the “FileIOPermission” class, e.g.:

<IPermission class="FileIOPermission" version="1" Read="$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$" />

Add a path pointing to the \Layouts folder, e.g.:

<IPermission class="FileIOPermission" version="1" Read="$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$;C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS" />

Configuring a permission set for an individual application

First, create a new Code Group and place it BEFORE the SPRestricted Code Group (the enclosing FirstMatchCodeGroup applies only the first child group that matches), e.g.:

<CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="MyApp3">

     <IMembershipCondition version="1" class="UrlMembershipCondition" Url="$AppDirUrl$/bin/MyApp3.dll" />

</CodeGroup>

Next, copy the entire “SPRestricted” permission set and paste it in the <NamedPermissionSets> section.  Change its name to that of your application, e.g., “MyApp3”.

Finally, modify the FileIOPermission node so that PathDiscovery points to your application’s folder, e.g.:

<IPermission class="FileIOPermission" version="1" Read="$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$;C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\MyApp3" />

Step 8:  Run your application in Microsoft SharePoint.
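
A check that can be run on a copy of the edited policy file, added here as an example and not part of the original documentation: it confirms the file still parses, lists which permission set each URL-based code group grants (flagging wildcards such as /bin/*), reports FileIOPermission paths beyond $AppDir$, and catches a code group that names a permission set that was never created. The names audit_policy, SAMPLE_POLICY and BUILT_IN are hypothetical, the sample policy is constructed, and the short class names shown in the steps above are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from a real server): policy file after Step 5 and per-app Step 7.
SAMPLE_POLICY = r"""<configuration><mscorlib><security><policy><PolicyLevel version="1">
<NamedPermissionSets>
 <PermissionSet class="NamedPermissionSet" version="1" Name="SPRestricted">
  <IPermission class="FileIOPermission" version="1" Read="$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$" />
 </PermissionSet>
 <PermissionSet class="NamedPermissionSet" version="1" Name="MyApp3">
  <IPermission class="FileIOPermission" version="1" Read="$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$;C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\MyApp3" />
 </PermissionSet>
</NamedPermissionSets>
<CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
 <IMembershipCondition class="AllMembershipCondition" version="1" />
 <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust"><IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/bin/*" /></CodeGroup>
 <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="MyApp3"><IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/bin/MyApp3.dll" /></CodeGroup>
</CodeGroup>
</PolicyLevel></policy></security></mscorlib></configuration>"""

BUILT_IN = {"FullTrust", "Nothing"}  # assumption: treated as defined even if not listed
FILE_IO_ATTRS = ("Read", "Write", "Append", "PathDiscovery")

def audit_policy(xml_text):
    """Return (grants, extra_paths, errors) for the text of a CAS policy file."""
    root = ET.fromstring(xml_text)  # raises ParseError if an edit left the XML malformed
    defined = {p.get("Name") for p in root.iter("PermissionSet")} | BUILT_IN
    grants, errors, extra_paths = [], [], {}
    # Code groups keyed on a URL: which assemblies receive which permission set.
    for group in root.iter("CodeGroup"):
        cond = group.find("IMembershipCondition")  # direct child only
        if cond is None or cond.get("class") != "UrlMembershipCondition":
            continue
        pset, url = group.get("PermissionSetName"), cond.get("Url", "")
        grants.append((url, pset, url.endswith("*")))  # True = wildcard match
        if pset not in defined:
            errors.append("%s -> permission set %r is not defined" % (url, pset))
    # File-system paths granted beyond the web application's own directory.
    for pset in root.iter("PermissionSet"):
        for perm in pset.iter("IPermission"):
            if perm.get("class") != "FileIOPermission":
                continue
            for attr in FILE_IO_ATTRS:
                for path in filter(None, perm.get(attr, "").split(";")):
                    if path != "$AppDir$":
                        extra_paths.setdefault(pset.get("Name"), []).append((attr, path))
    return grants, extra_paths, errors

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
```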

See Also

Locating application files on the SharePoint server

Adding navigation to your application

Uninstalling (retracting) a SharePoint solution

Using Microsoft Access databases in SharePoint applications

SharePoint master page options