It’s common when doing custom development in SharePoint to quickly change the trust level to Full at the first sign of trouble and then tell ourselves that we’ll work on writing a custom code access security policy later. Most of the time we make this change from WSS_Minimal to Full because creating a custom one seems overly complicated. Unfortunately, it’s easy to forget to come back to it. Below I show a quick way to get back to using a custom locked-down CAS policy file in your SharePoint environment, while still allowing your custom assemblies to run.

The following steps show how to enhance the WSS_Minimal policy to grant full trust to a specified assembly in the application bin directory (MyCustomAssembly1.dll), and to one unsigned assembly in a very specific location on the file system (C:\<custom assembly path>\MyCustomUnsignedAssembly.dll):
- Copy the WSS_Minimal policy file stored at "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\wss_minimaltrust.config"
- Rename the copy to MyCustomPolicy_Minimal.config
- Open it and add the following entries under the code group section:

  ```xml
  <!-- give explicit full trust to custom assembly in bin -->
  <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
    <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/bin/MyCustomAssembly1.dll" />
  </CodeGroup>
  <!-- give explicit full trust to shared unsigned custom assembly -->
  <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
    <IMembershipCondition class="UrlMembershipCondition" version="1" Url="file://C:/<custom assembly path>/MyCustomUnsignedAssembly.dll" />
  </CodeGroup>
  ```
- In the web.config, add the following to the securityPolicy section:

  ```xml
  <trustLevel name="MyCustomPolicy_Minimal" policyFile="C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\config\MyCustomPolicy_Minimal.config" />
  ```

  and change

  ```xml
  <trust level="Full" originUrl="" />
  ```

  to

  ```xml
  <trust level="MyCustomPolicy_Minimal" originUrl="" />
  ```

Testing confirms that $AppDirUrl$/bin/MyCustomAssembly1.dll and C:/<custom assembly path>/MyCustomUnsignedAssembly.dll load properly, but other assemblies do not. In my case, I set these assemblies to full trust because we trust everything that they will do, but we trust nothing else that the WSS_Minimal policy doesn’t trust.
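
To confirm that a custom policy file grants FullTrust only where intended, the following added example (not part of the original post) lists every FullTrust code group and flags wildcard or match-all conditions. The function name `full_trust_grants`, the trimmed sample policy, and the `C:/SharedAssemblies` path standing in for `<custom assembly path>` are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed-down policy for illustration; not the real WSS_Minimal file.
# C:/SharedAssemblies is a made-up stand-in for the <custom assembly path> placeholder.
SAMPLE_POLICY = """\
<configuration><mscorlib><security><policy><PolicyLevel version="1">
  <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
    <IMembershipCondition class="AllMembershipCondition" version="1" />
    <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="SPRestricted">
      <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/*" />
    </CodeGroup>
    <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
      <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/bin/MyCustomAssembly1.dll" />
    </CodeGroup>
    <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
      <IMembershipCondition class="UrlMembershipCondition" version="1" Url="file://C:/SharedAssemblies/MyCustomUnsignedAssembly.dll" />
    </CodeGroup>
    <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
      <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/bin/*" />
    </CodeGroup>
  </CodeGroup>
</PolicyLevel></policy></security></mscorlib></configuration>
"""

def full_trust_grants(policy_xml):
    """Return (condition class, Url, verdict) for every FullTrust code group."""
    grants = []
    for group in ET.fromstring(policy_xml).iter("CodeGroup"):
        if group.get("PermissionSetName") != "FullTrust":
            continue
        cond = group.find("IMembershipCondition")
        cls = cond.get("class", "") if cond is not None else ""
        url = cond.get("Url", "") if cond is not None else ""
        if cls == "AllMembershipCondition" or url.endswith("*"):
            verdict = "BROAD"    # matches every assembly, or a whole directory
        elif cls == "UrlMembershipCondition" and url.lower().endswith(".dll"):
            verdict = "PINNED"   # one file path; protect it with file ACLs
        else:
            verdict = "REVIEW"   # strong-name or other evidence: check by hand
        grants.append((cls, url, verdict))
    return grants

if __name__ == "__main__":
    for cls, url, verdict in full_trust_grants(SAMPLE_POLICY):
        print(f"{verdict:7} {cls:24} {url}")
```

A URL membership condition matches on location rather than assembly identity, so a PINNED entry for an unsigned assembly is only as strong as the write permissions on that file and its directory.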