Friday, May 04, 2007

Securing Application Pages in SharePoint 2007

Anonymous security in SharePoint 2007 is more of an art than an exact science, it seems. Although drastically improved from 2003, there are still gaps in the security model which need to be plugged (and some that need to be opened) for public-facing SharePoint sites. One of the most glaring examples is the List View application page (12\TEMPLATE\LAYOUTS\viewlsts.aspx, the "All Site Content" page), which is accessible to every user with read permission, including anonymous users on a site where anonymous access is enabled. While not a direct security risk (there isn't much a user can do from this page without sufficient access rights), it enumerates the site's lists and libraries and may therefore expose more information to anonymous users than is acceptable.

To work around this issue, add code to each affected application page that checks whether the user is authenticated and, if not, redirects the user to the Access Denied page. Insert the following server-side script block at the top of the page, after the page directives and Register tags:

<script runat="server">
    // Runs before page initialization, so an anonymous user never gets as far as rendering the list view.
    protected void Page_PreInit(object sender, EventArgs e)
    {
        try
        {
            // SPContext.Current.Web.CurrentUser is null for anonymous requests,
            // so reading LoginName throws a NullReferenceException.
            string sUserName = SPContext.Current.Web.CurrentUser.LoginName;
        }
        catch
        {
            // Not authenticated: send the user to the built-in Access Denied page.
            this.Response.Redirect("/_layouts/accessdenied.aspx");
        }
    }
</script>

The above code attempts to assign the user's login name to a string variable. For an anonymous request SPContext.Current.Web.CurrentUser is null, so the assignment throws and the catch block redirects the user to the default Access Denied page. Once the code is in place on a page in the /_layouts directory, anonymous requests for that page are sent to Access Denied; authenticated users who have read permission can still reach it, since the check tests authentication only, not permissions. Keep in mind that files under 12\TEMPLATE\LAYOUTS are shared by every web application on the server, and a service pack or update may overwrite the modified page, so document the change and re-apply it after updates.
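The same check written explicitly, as an added example that is not part of the original post: instead of catching the NullReferenceException, it tests SPWeb.CurrentUser for null and redirects with SPUtility.Redirect so that the Access Denied URL is resolved against the current site's /_layouts folder (which matters for site collections under managed paths such as /sites/foo). The two Import directives and the IsAnonymousRequest helper name are assumptions; the out-of-box application pages already import Microsoft.SharePoint, and a page that lacks the Microsoft.SharePoint.Utilities import needs it added.

```csharp
<%@ Import Namespace="Microsoft.SharePoint" %>
<%@ Import Namespace="Microsoft.SharePoint.Utilities" %>
<script runat="server">
    // Added example (not the original post's code): explicit authentication gate
    // for an application page in 12\TEMPLATE\LAYOUTS.
    protected void Page_PreInit(object sender, EventArgs e)
    {
        if (IsAnonymousRequest())
        {
            // Resolve "accessdenied.aspx" against the current site's /_layouts
            // folder rather than a hard-coded root-relative path. The redirect
            // ends the response, so nothing below it on the page is rendered.
            SPUtility.Redirect("accessdenied.aspx",
                               SPRedirectFlags.RelativeToLayoutsPage,
                               HttpContext.Current);
        }
    }

    // Hypothetical helper: true when the request carries no SharePoint user.
    // SPWeb.CurrentUser is null for anonymous requests, which is exactly the
    // condition the original try/catch relied on; Request.IsAuthenticated is
    // checked as well so a request is denied if either signal says anonymous.
    private bool IsAnonymousRequest()
    {
        SPWeb web = SPContext.Current.Web;
        return web == null || web.CurrentUser == null || !Request.IsAuthenticated;
    }
</script>
```

Because the check runs in Page_PreInit, it fires before any of the page's controls are created, so an anonymous user never triggers the list enumeration. Like Response.Redirect, SPUtility.Redirect ends the response by aborting the request thread; keep the call out of any try block with a catch-all, or that catch will execute on every redirect and can mask real errors.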