Friday, May 04, 2007

Securing Application Pages in SharePoint 2007

Anonymous security in SharePoint 2007 is more of an art than an exact science, it seems. Although drastically improved from 2003, there are still some gaps in the security model which need to be plugged (and some that need to be opened) for public-facing SharePoint sites. One of the most glaring examples is the List View application page (12\TEMPLATE\LAYOUTS\viewlsts.aspx) which is accessible by every user with read permissions. While not technically a security risk - there isn't much a user can do from this page without sufficient access rights - it may expose more information to anonymous users than is acceptable.

To work around this issue, add code to the individual application page(s) to check if the user is authenticated and, if not, redirect the user to the Access Denied page. Insert the following script at the top of the page (before or after the page declarations and registrations):

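<script runat="server">
// Runs before the page is initialized, so nothing is rendered to anonymous users.
protected void Page_PreInit(object sender, EventArgs e)
{
    try
    {
        // For an anonymous request there is no current user, so this line throws.
        string sUserName = SPContext.Current.Web.CurrentUser.LoginName;
    }
    catch
    {
        // No authenticated user: send the request to the Access Denied page.
        this.Response.Redirect("/_layouts/accessdenied.aspx");
    }
}
</script>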

The above code attempts to assign the user login name to a string variable. If the operation fails, which it will if the user is not authenticated, the catch statement redirects the user to the default access denied page. Once the code is placed on a page in the /_layouts directory, that page will effectively be hidden from anonymous users.

Anonymous Search Results in WSS v3

When configuring WSS v3 (2007) for a public-facing web site there are a number of steps to take to ensure anonymous users don't have access to areas they shouldn't - removing default lists, modifying application pages to hide public views, locking down mysites, etc. - but there is one page that is absolutely necessary for everyone to access: osssearchresults.aspx. This page presents the list of search results and is the de facto target location for WSS search controls.

By default, viewing this page requires a user to be authenticated to the server. This can create a problem when your site definition includes the basic search control as it will attempt to render all search results on this page. To remedy this situation, locate the following text at the top of the file (inside the <%@ Page ... %> declaration) and remove it:

Inherits="Microsoft.SharePoint.WebControls.LayoutsPageBase"

This setting determines the inheritance of the page from the generic application page base class; however, it is not required for the page to function. Anonymous users will be able to view the page without having to log in, and search results will continue to be security trimmed so users without proper permissions will be unable to view restricted items.
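A way to confirm both changes from the outside, as an added example that is not part of the original posts: request each application page with no credentials and compare the outcome with what the posts intend (viewlsts.aspx denied, osssearchresults.aspx reachable). The function names, the sample data and the assumption that a denial shows up as HTTP 401/403 or a redirect to accessdenied.aspx are mine.

```python
import sys
import urllib.error
import urllib.request

# Expected anonymous outcome per application page, taken from the two posts above.
EXPECTED = {"/_layouts/viewlsts.aspx": "denied",
            "/_layouts/osssearchresults.aspx": "open"}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the redirect as an HTTPError instead of following it

def classify(status, location=""):
    """Map an anonymous response to 'open', 'denied' or 'unknown'."""
    if status in (401, 403):
        return "denied"
    if status in (301, 302, 303, 307) and "accessdenied.aspx" in location.lower():
        return "denied"
    return "open" if status == 200 else "unknown"

def fetch_anonymous(base_url, path, timeout=10):
    """Request a page with no credentials or cookies; return (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location", "")

def audit(results, expected=EXPECTED):
    """Compare observed (status, location) pairs to expectations; return mismatches."""
    problems = []
    for path, want in expected.items():
        status, location = results[path]
        got = classify(status, location)
        if got != want:
            problems.append((path, want, got, status))
    return problems

# Constructed sample: viewlsts.aspx is still served to anonymous users
# (the Page_PreInit check is missing); the search results page is reachable.
SAMPLE = {"/_layouts/viewlsts.aspx": (200, ""),
          "/_layouts/osssearchresults.aspx": (200, "")}

if __name__ == "__main__":
    live = {p: fetch_anonymous(sys.argv[1], p) for p in EXPECTED}  # argv[1]: your site URL
    for path, want, got, status in audit(live):
        print(f"MISMATCH {path}: expected {want}, got {got} (HTTP {status})")
```

Run it against your own site's base URL after editing the pages; no output means both pages behave as intended for anonymous requests.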

Thursday, May 03, 2007

SharePoint 2007 RSS Aggregator Web Part

One of the most common requirements we have these days is to display RSS feeds on WSS/MOSS sites inside of a web part. Most users want the ability to see just a list of article links, sorted by date, from multiple feed sources - a collection of technology blogs or all the official SharePoint blogs, for example.

There are several free utilities for performing RSS aggregation in SharePoint - including those that come out of the box with 2007 - but none of them work the way that I needed them to (in fact, I couldn't get the included web parts to work at all in WSS). So I put together a basic RSS Aggregation web part that fits the bill.

The functionality is really quite simple - supply the web part with a semicolon-delimited list of feed URLs, set a few parameters (like number of listings per feed, total number of listings, alternate stylesheet, etc.) and drop it onto a page. The web part will display a list of links from each feed source sorted by publish date in descending order. The formatting is controlled by a set of base and alternate styles that can be included in a custom stylesheet or integrated with your base site definition styles.

You can download the RssAggregator web part here: http://www.binarywave.com/products/downloads/Free%20Utilities/BinaryWave.RssAggregator.zip. The zip file contains the Visual Studio 2005 solution with full source code (written in C#) and a readme file with setup and configuration instructions. Post any issues or questions as comments to http://www.binarywave.com/blogs/eshupps/Lists/Posts/Post.aspx?ID=3.

Note: I discovered while putting this together that there are quite a few differing feed formats depending on which source you are trying to access. Most RSS 2.0 and ATOM feeds should work but you may need to tweak the XML parsing methods in the source code if you are referencing a feed that uses non-standard or custom formatting in the source XML. If you do make modifications, please post them so everyone can benefit from your changes.

The SharingPoint Has A New Home!

Now that we've completed the changeover from The eGroup to BinaryWave, this blog will be moving onto our new SharePoint 2007 servers. The new url will be http://www.binarywave.com/blogs/eshupps. For the near future, I will continue to cross-post as I move old content over and get the archives up to snuff (is there anyone out there who has written a utility to move Blogger content to SharePoint? I REALLY don't want to write that myself...).

For those of you who use the FeedBurner RSS link, it will be redirected to the new blog address. Any troubles, post a comment and we'll figure it out.